Possible Allow* bug?
James Dennis
jdennis at law.harvard.edu
Tue Feb 11 06:06:28 EST 2003
Hey,

After discussing the limit of MAX_ALLOW_USERS I've been trying to use
AllowGroups instead. In the config file I have the AllowUsers lines
before the AllowGroups lines (I have tried both ways) and it appears
that the presence of the AllowGroups directives seems to blow away any
Allow* directives I have set. I'm not sure how to check further for bugs
so I figured I'd contact you guys.

When I simply comment out the AllowGroups line, the AllowUsers
directives work fine; when I uncomment it, no access is granted to the
system, period.

Bug?

In servconf.c I added debug lines in each directive's case to print the
number of users found and when I start sshd, it prints the correct numbers.
[username at hostname /home/username/OpenSSH/openssh-3.5p1]$ ./sshd -d -d -d -p 8088
debug3: Found 5 AllowUsers
debug3: Found 11 AllowUsers
debug3: Found 12 AllowUsers
debug3: Found 14 AllowUsers
debug3: Found 16 AllowUsers
debug3: Found 17 AllowUsers
debug3: Found 29 AllowUsers
debug3: Found 1 AllowGroups
debug1: sshd version OpenSSH_3.5p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/openssh/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/openssh/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 8088 on 0.0.0.0.
Server listening on 0.0.0.0 port 8088.
The diff, in case you want to see what I actually did:
-3.5p1-chroot/servconf.c
--- openssh-3.5p1/servconf.c Thu Sep 5 00:35:15 2002
+++ openssh-3.5p1-chroot/servconf.c Mon Feb 10 13:52:34 2003
@@ -775,6 +775,7 @@
options->allow_users[options->num_allow_users++] =
xstrdup(arg);
}
+ debug3("Found %d AllowUsers", options->num_allow_users);
break;
case sDenyUsers:
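Review bot: The debug3() call sits after the closing brace of the block that stores each arg, so it runs once per AllowUsers line and prints the running total in options->num_allow_users (5, 11, 12, ... in the output above), while the text "Found %d AllowUsers" reads like a per-line count. Word it as a total, for example "AllowUsers total now %d", or move the call inside the block next to the xstrdup(arg) assignment so each entry is reported as it is stored.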
@@ -795,6 +796,7 @@
options->allow_groups[options->num_allow_groups++] =
xstrdup(arg);
}
+ debug3("Found %d AllowGroups", options->num_allow_groups);
break;
case sDenyGroups:
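Review bot: The added debug3() before the break prints only options->num_allow_groups, so "Found 1 AllowGroups" confirms that one string was stored but not which one. For diagnosing an access problem the stored value matters more than the count; consider a debug3() inside the block that prints arg with "%s" right where xstrdup(arg) is assigned into options->allow_groups.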
--
James Dennis
Harvard Law School
"Not everything that counts can be counted,
and not everything that can be counted counts."
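
A simplified model of how the two directives can interact, added here as an illustration and not taken from the post or from OpenSSH's source. It assumes AllowUsers and AllowGroups are each enforced as a separate requirement, so a login must pass every list that is configured; the function names, accounts and groups are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSH source. Assumption: each configured Allow*
 * list is its own requirement; strcmp stands in for pattern matching. */
static int in_list(const char *const *list, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the login passes every configured list, 0 otherwise. */
int model_allowed(const char *const *allow_users, int n_users,
                  const char *const *allow_groups, int n_groups,
                  const char *user, const char *const *member_of, int n_member)
{
    if (n_users > 0 && !in_list(allow_users, n_users, user))
        return 0;                       /* AllowUsers set, user not listed */
    if (n_groups > 0) {
        int hit = 0;
        for (int i = 0; i < n_member && !hit; i++)
            hit = in_list(allow_groups, n_groups, member_of[i]);
        if (!hit)
            return 0;                   /* AllowGroups set, no group matches */
    }
    return 1;
}

/* Constructed accounts: alice (group staff), bob (staff, sshusers),
 * carol (sshusers). AllowUsers = alice bob; AllowGroups = sshusers. */
int scenario(const char *user, int with_allow_groups)
{
    static const char *const users[]   = { "alice", "bob" };
    static const char *const groups[]  = { "sshusers" };
    static const char *const g_alice[] = { "staff" };
    static const char *const g_bob[]   = { "staff", "sshusers" };
    static const char *const g_carol[] = { "sshusers" };
    const char *const *g = g_carol;
    int n = 1;
    if (strcmp(user, "alice") == 0) { g = g_alice; n = 1; }
    else if (strcmp(user, "bob") == 0) { g = g_bob; n = 2; }
    return model_allowed(users, 2, groups, with_allow_groups ? 1 : 0, user, g, n);
}
```

Under this model a user listed in AllowUsers is still refused once AllowGroups is enabled unless one of that user's groups is listed as well.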