[Bug 1546] New: sshd_config DenyUsers does not recognize negated host properly

bugzilla-daemon at bugzilla.mindrot.org
Fri Dec 19 07:54:00 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1546

           Summary: sshd_config DenyUsers does not recognize negated host
                    properly
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P4
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: eric.sisson at gmail.com


Created an attachment (id=1590)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1590)
diff output for file match.c

The following specification in sshd_config

  DenyUsers oracle@!localhost.localdomain

intended to allow user oracle to connect only from the localhost (that
is, from another user already logged into the host) still allows user
oracle to connect from remote hosts.

I traced this to the fact that function ``match_pattern_list'' in file
``match.c'' lacks code to handle this case. The attachment contains a
diff to add the missing code in the form of an ``else'' branch to an
``if'' block near the end of the major ``for'' loop in the function.
Although the diff is relative to the 5.1p1 version, I encountered the
problem working with the 3.9p1 version; the code is consistent in these
versions.

The meaning of the additional code is the following:

- If a string fails to match the subpattern of the configuration, then
execution will flow into the ``else'' branch.

- Normally, the failure of a match is a failure (``got_positive''
retains its initialized value of zero).

- However, where a failure is desired (the ``!'' in the specification
subpattern), then the occurrence of a failure is a ``success'', so
``got_positive'' should be set to one.

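Added illustration (my own re-implementation, not OpenSSH's match.c): the control flow of match_pattern_list() as the report describes it, with a `proposed` switch for the extra ``else'' branch from the attachment, applied to the host part of `oracle@!localhost.localdomain`. The names glob_match, list_match and proposed are mine; the real code also receives a lower-casing flag and matches the host portion against both hostname and IP, which is left out here. The same function shows why a negated entry alongside a positive catch-all (`!localhost.localdomain,*`) behaves differently under the stock rules.

```c
#include <ctype.h>
#include <string.h>

/* Minimal glob ('*' = any run, '?' = one char); stands in for OpenSSH's
 * match_pattern() and is not its code. */
static int glob_match(const char *s, const char *p)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*') {                    /* '*' may absorb any remainder */
        for (;; s++) {
            if (glob_match(s, p + 1))
                return 1;
            if (*s == '\0')
                return 0;
        }
    }
    if (*s == '\0' || (*p != '?' && *p != *s))
        return 0;
    return glob_match(s + 1, p + 1);
}

/* Comma-separated list with '!' negation, following the control flow the
 * report describes. Returns 1 on a positive match, -1 when a negated
 * subpattern matched (veto), 0 when nothing matched. proposed != 0 enables
 * the else-branch the report's attachment adds. */
int list_match(const char *string, const char *pattern, int proposed)
{
    char sub[256];
    size_t i = 0, subi, len = strlen(pattern);
    int negated, got_positive = 0;
    while (i < len) {
        negated = (pattern[i] == '!');
        if (negated) i++;
        /* copy one lower-cased subpattern up to the next comma */
        for (subi = 0; i < len && pattern[i] != ',' && subi < sizeof(sub) - 1; subi++, i++)
            sub[subi] = (char)tolower((unsigned char)pattern[i]);
        if (subi >= sizeof(sub) - 1)
            return 0;                   /* over-long subpattern: no match */
        sub[subi] = '\0';
        if (i < len && pattern[i] == ',') i++;
        if (glob_match(string, sub)) {
            if (negated) return -1;     /* a negated hit vetoes the whole list */
            got_positive = 1;
        } else if (proposed && negated) {
            got_positive = 1;           /* the report's addition */
        }
    }
    return got_positive;
}
```

sshd treats a DenyUsers entry as matching, and refuses the login, only on a result of 1; with the stock flow the negated entry alone never produces that for a remote host, which is the behaviour the report observes.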