[Bug 1690] AllowUsers and DenyGroups directives are not parsed in the order specified

bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 4 13:10:58 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1690

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2010-01-04 13:10:57 EST ---
The problem is that the way these things work is that they only ever
provide a way to deny a login, not allow it.  That is to say that if
a given login would be denied by any one of the directives then it'll
be denied.  It's neither first-match nor last-match.

Changing this would require changing the semantics of the directives,
which would change the behaviour of existing configurations.  We could
maybe do this, but it would need to be well documented in the release
notes, and it's almost inevitable that someone somewhere wants the
current behaviour.

Instead, I think we should (a) improve the documentation, and (b) add a
new directive that can work with the Match directive which would allow
the rules to be expressed as first-match in whichever order makes sense
for your purpose.  You would be able to express your rules as something
like:

Match User joe
  AllowLogin yes

Match Group joe
  AllowLogin no

Match rules are processed first-match per directive, so this should do
what you want, and also allows easier use of Address rules and
suchlike.

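The two evaluation styles contrasted in the comment above, as an added example that is not part of the bug report or of sshd itself: a small Python model of the existing deny-only directives (order in sshd_config cannot turn a deny into an allow) next to the proposed Match-based AllowLogin directive evaluated first-match. Assumed: patterns are matched with fnmatch as an approximation of sshd's pattern lists, the principal "joe" in group "joe" is constructed, and a default of allow when no Match block matches.

```python
"""Model of deny-only access directives versus first-match Match rules."""
from fnmatch import fnmatch

# Constructed sample principal: user "joe" who is also in a group named "joe".
JOE = {"user": "joe", "groups": ["joe", "users"]}


def _matches(name, patterns):
    # Assumption: fnmatch approximates sshd's glob-style pattern lists.
    return any(fnmatch(name, p) for p in patterns)


def allowed_user(principal, directives):
    """Evaluate AllowUsers/DenyUsers/AllowGroups/DenyGroups as deny-only filters.

    `directives` is a list of (keyword, [patterns]) in sshd_config order.
    Every keyword can only add a reason to deny, so the login succeeds only
    if no directive denies it; reordering the directives changes nothing.
    """
    user, groups = principal["user"], principal["groups"]
    for keyword, patterns in directives:
        if keyword == "DenyUsers" and _matches(user, patterns):
            return False
        if keyword == "AllowUsers" and not _matches(user, patterns):
            return False
        if keyword == "DenyGroups" and any(_matches(g, patterns) for g in groups):
            return False
        if keyword == "AllowGroups" and not any(_matches(g, patterns) for g in groups):
            return False
    return True


def allow_login_first_match(principal, match_blocks, default=True):
    """Model the proposed `Match ... / AllowLogin yes|no` as first-match-wins.

    `match_blocks` is a list of (criterion, pattern, allow) in config order,
    e.g. ("User", "joe", True).  The first block whose criterion matches the
    principal decides; `default` (an assumption here) applies if none match.
    """
    for criterion, pattern, allow in match_blocks:
        if criterion == "User" and fnmatch(principal["user"], pattern):
            return allow
        if criterion == "Group" and any(fnmatch(g, pattern) for g in principal["groups"]):
            return allow
    return default
```

With the constructed principal, `AllowUsers joe` plus `DenyGroups joe` denies in either order, while `Match User joe / AllowLogin yes` placed before `Match Group joe / AllowLogin no` allows.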