AllowUsers and AllowGroups problem...

Vesa Jääskeläinen jaaskela at tietomyrsky.fi
Tue Aug 29 20:05:29 EST 2000


I just downloaded the newest snapshot and noticed that the problem is still
present. I am not sure why I didn't get any reply to my previous
message; probably it wasn't too clear, so I'll try again now. And I noticed
one problem with the previous patch, so here is a fixed and far more tested
version of the patch.

So the problem is hopefully best described this way...

When an admin wants to allow an individual user to access ssh and adds the user in
sshd_config like this:

AllowUsers testuser

In sshd_config there is also following line:

AllowGroups admins ssh

In this case testuser is not a member of admins or ssh.

Now when testuser tries to connect it just enters the fake login loop and
therefore won't allow the user to log in.

The current code does the checking in the following order:
- checks if a user deny list is defined; if so, then checks if the user is in the deny list,
  if so fail
- checks if a user allow list is defined; if so, then checks if the user is in the allow
  list, if not fail
- checks if the user's group list is defined; if so, then checks if the user's group is
  listed in the deny list, if so fail
- checks if the user's group list is defined; if so, then checks if the user's group is
  listed in the allow list, if not fail

and in this case the user was in the user allow list but his group wasn't
listed in the group allow list, so he was denied login.

This patch changes it to the following:
- check if a user deny list is defined; if so, then check if the user is in the deny list,
  if so fail
- check if a user allow list is defined; if so, then check if the user is in the allow list,
  if not, then if a group allow list isn't defined, fail
- check if the user's group is in the deny list, if so fail
- check if a user allow list is defined; if not, then if the user wasn't in the
  allow list, then check against the user's group list; if the group isn't there,
  then fail

One problem is that if a user is listed in the allow users list and his group is
listed in the deny group list, he can't log in. I am not sure how you meant it to
work, so I didn't include it in this patch. But it is very easy to
implement if wanted.
-------------- next part --------------
diff openssh-SNAP-20000829/auth.c openssh/auth.c
53a54
> 	int user_in_allow_list = 0;
109a111,112
> 			{
> 				user_in_allow_list = 1;
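Review bot: this hunk opens a brace whose matching close only appears in the next hunk (`111,112c114,120`), and with no context lines it is not visible whether `user_in_allow_list = 1;` is placed before the `break` of the AllowUsers matching loop, which it must be for the flag to be set on the matching entry. Please resend as a unified or context diff (`diff -u`) so the enclosing loop, the `if` that matches the user name, and the `break` are visible to reviewers.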
111,112c114,120
< 		/* i < options.num_allow_users iff we break for loop */
< 		if (i >= options.num_allow_users)
---
> 			}
> 		/* i < options.num_allow_users if we break for loop 
> 		   to allow allow users and allow groups colive we can't
> 		   quit with error message when user wasn't listed in
> 		   allow users list
> 		 */
> 		if (i >= options.num_allow_users && !options.num_allow_groups)
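Review bot: the comment rewrite changes `iff` to `if`, which loses the original precise statement (the index is below `num_allow_users` exactly when the loop was broken out of); keep `iff` and append the new explanation below it. On the condition itself: with `&& !options.num_allow_groups` added, a user absent from AllowUsers is no longer rejected here whenever AllowGroups is set, so the later group check becomes the only barrier for such users. That is what the message intends, but it turns the existing "AllowUsers AND AllowGroups" semantics into "AllowUsers OR AllowGroups", and the comment should say that in one plain sentence instead of only describing the loop index.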
131a140,143
> 		 *
> 		 * If user was listed in AllowUsers and not mentioned on
> 		 * deny lists then we do not need to check against
> 		 * AllowGroups definition
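Review bot: the added comment says a user listed in AllowUsers "and not mentioned on deny lists" skips the AllowGroups check, but `user_in_allow_list` only records the AllowUsers match; the deny-list part holds purely because the DenyUsers and DenyGroups checks run earlier and return on a match. Word the comment so it states that ordering dependency, otherwise a later reordering of the checks silently breaks the guarantee the comment promises.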
133c145
< 		if (options.num_allow_groups > 0) {
---
> 		if (options.num_allow_groups > 0 && !user_in_allow_list) {
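Review bot: `options.num_allow_groups > 0 && !user_in_allow_list` makes AllowUsers membership bypass AllowGroups entirely; this is user-visible configuration behaviour and needs a matching update to the AllowUsers/AllowGroups text in the sshd manual page, otherwise administrators relying on the current "must satisfy both" reading get a surprise. The DenyGroups check above still rejects an AllowUsers-listed user whose group is denied, as the message notes; since that choice is deliberate but undocumented in the code, add the one-line rationale to the comment so the next reader does not "fix" it.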


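As an added illustration (not OpenSSH code and not part of the original message), the following model reproduces the two check orders described above: `patched=False` is the snapshot's behaviour, where AllowUsers and AllowGroups must both be satisfied, and `patched=True` is the proposed behaviour, where an AllowUsers match satisfies the allow check while DenyGroups still overrides it. Option names and the sample users and groups are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Options:
    """Constructed stand-in for the four sshd_config lists (not OpenSSH's struct)."""
    allow_users: List[str] = field(default_factory=list)
    deny_users: List[str] = field(default_factory=list)
    allow_groups: List[str] = field(default_factory=list)
    deny_groups: List[str] = field(default_factory=list)


def allowed(opts: Options, user: str, groups: List[str], patched: bool) -> bool:
    """Return True if `user`, a member of `groups`, passes the list checks."""
    # 1. DenyUsers: an explicit user deny always wins.
    if opts.deny_users and user in opts.deny_users:
        return False
    # 2. AllowUsers: in the old order a miss is fatal; in the patched order a
    #    miss is only fatal when there is no AllowGroups list to fall back on.
    in_allow_users = bool(opts.allow_users) and user in opts.allow_users
    if opts.allow_users and not in_allow_users:
        if not patched or not opts.allow_groups:
            return False
    # 3. DenyGroups: unchanged by the patch, so it still rejects an
    #    AllowUsers-listed user whose group is denied (the open question
    #    raised in the message).
    if opts.deny_groups and any(g in opts.deny_groups for g in groups):
        return False
    # 4. AllowGroups: the patch skips this check for an AllowUsers match.
    if opts.allow_groups and not (patched and in_allow_users):
        if not any(g in opts.allow_groups for g in groups):
            return False
    return True


def scenarios() -> dict:
    """The message's configuration: AllowUsers testuser / AllowGroups admins ssh."""
    opts = Options(allow_users=["testuser"], allow_groups=["admins", "ssh"])
    denied = Options(allow_users=["testuser"], allow_groups=["admins", "ssh"],
                     deny_groups=["users"])
    return {
        "testuser_old": allowed(opts, "testuser", ["users"], patched=False),
        "testuser_new": allowed(opts, "testuser", ["users"], patched=True),
        # alice is in an allowed group but not in AllowUsers
        "alice_old": allowed(opts, "alice", ["admins"], patched=False),
        "alice_new": allowed(opts, "alice", ["admins"], patched=True),
        # testuser listed in AllowUsers but in a DenyGroups group
        "testuser_denygroup_new": allowed(denied, "testuser", ["users"], patched=True),
    }
```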
More information about the openssh-unix-dev mailing list