user at host in AllowUsers
Allan Stokes
allan at stokes.ca
Fri Jun 15 00:42:54 EST 2001
> This has been a feature of SSH.COM's sshd for a long time, and this is
> what the book is probably referring to.
On page 6 the SSH book provides a secret decoder ring:
SSH - generic term
SSH-1 - the SSH protocol version 1
SSH-2 - the SSH protocol version 2
SSH1 - TY's ssh1
SSH2 - TY's ssh2
ssh - the client program (which is sometimes called ssh1 and ssh2)
OpenSSH - OpenSSH from the OpenBSD project
OpenSSH/1 - OpenSSH's behaviour wrt SSH-1
OpenSSH/2 - OpenSSH's behaviour wrt SSH-2
Section 5.5.2 gives examples of access control. I'll cite the examples
attributed to OpenSSH which include wildcards, grouped by scope, ignoring
examples which focus on Accept/Deny interaction.
# SSH1, SSH2, OpenSSH
AllowUsers ?mith
AllowUsers s*@*.edu # page 179
# SSH1, OpenBSD
AllowUsers smith jones cs*
AllowGroups ?aculty s*s
Hmm, not much meets the stated criteria.
I'll also quote one small passage:
<<<
Finally, here is a useful configuration example, expressed in SSH1 syntax:
AllowUsers walrus@* carpenter@* *@*.beach.net
>>>
We can cross out "probably referring" and replace it with "explicitly
states".
The SSH book explicitly documents that OpenSSH handles this syntax
(erroneously for the time being) with a tip of the hat about the utility of
this feature.
Allan
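
The wildcard entries quoted in the message above, evaluated by a small matcher. This is an added example, not part of the original message and not code from OpenSSH or SSH.COM. It assumes `?` matches exactly one character, `*` matches any run of characters, an entry without `@` applies to every host, and host names compare case-insensitively; `wild_match` and `user_allowed` are hypothetical names.

```python
# Added illustration of user@host wildcard matching for AllowUsers-style
# entries. Not taken from any SSH implementation; semantics are assumptions
# stated in the lead-in.

def wild_match(pattern, text):
    """'*' matches any run of characters (including none), '?' exactly one."""
    p = t = 0
    star, mark = -1, 0              # last '*' seen in pattern, text position then
    while t < len(text):
        if p < len(pattern) and pattern[p] == '*':
            star, mark = p, t       # remember where to backtrack to
            p += 1
        elif p < len(pattern) and pattern[p] in ('?', text[t]):
            p += 1
            t += 1
        elif star != -1:
            mark += 1               # let the last '*' absorb one more character
            p, t = star + 1, mark
        else:
            return False
    while p < len(pattern) and pattern[p] == '*':
        p += 1
    return p == len(pattern)


def user_allowed(allow_users, user, host):
    """Return True if any whitespace-separated entry admits user from host."""
    for entry in allow_users.split():
        user_pat, sep, host_pat = entry.partition('@')
        if not wild_match(user_pat, user):
            continue
        # No '@' in the entry: the user pattern alone decides (assumption).
        if not sep or wild_match(host_pat.lower(), host.lower()):
            return True
    return False


if __name__ == "__main__":
    rule = "walrus@* carpenter@* *@*.beach.net"      # entry quoted in the message
    # Constructed sample logins (user, host) for illustration only.
    for user, host in [("walrus", "anywhere.example.org"),
                       ("smith", "shell.beach.net"),
                       ("smith", "beach.net"),
                       ("smith", "beach.net.example.org")]:
        print(user, host, user_allowed(rule, user, host))
```

Note that `*@*.beach.net` does not admit the bare domain `beach.net`, and a host whose name merely contains `beach.net` is rejected because the pattern is anchored at both ends.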