((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Kevin Steves
stevesk at pobox.com
Sat Feb 15 04:36:10 EST 2003
On Wed, Feb 12, 2003 at 04:12:32PM -0500, Jim Knoble wrote:
> with the following users:
>
> # useradd -m -G users blah
> # useradd -m -G users haha
> # egrep '(blah|haha)' /etc/passwd /etc/group
> /etc/passwd:blah:*:1021:1021::/home/blah:/bin/ksh
> /etc/passwd:haha:*:1022:1022::/home/haha:/bin/ksh
> /etc/group:users:*:10:,blah,haha
> /etc/group:blah:*:1019:blah
> /etc/group:haha:*:1020:haha
> #
>
> gives the following results:
>
> Users successfully log in:
>
> Condition                                 blah  haha  root
> no Allow*                              => yes   yes   yes
> AllowUsers blah                        => yes   no    no
> AllowUsers haha                        => no    yes   no
> AllowUsers root                        => no    no    yes
> AllowGroups users                      => yes   yes   no
> AllowGroups users, AllowUsers root     => no    no    no
>
> The last one is what's surprising. Here's what the sshd log has to say
> (at LogLevel VERBOSE, with timestamps removed to conserve space):
those are correct results for the current implementation, which is the
same behaviour as 1.2.X but we added support for supplementary groups.
we currently do:
if user in denyusers
    deny
if #allowusers > 0 and user not in allowusers
    deny
if user group in denygroups
    deny
if #allowgroups > 0 and user group not in allowgroups
    deny
permit
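The evaluation order above, modelled in Python as an added example (this is not code from the message or from OpenSSH). It replays Jim's table using the account data from the quoted passwd/group listing and adds one DenyUsers case the table does not cover. The AccessConfig/is_permitted names, and root's group membership (assumed to be only a group named "root", since the listing does not show it), are constructed for this example.

```python
"""Model of sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups evaluation order.

Constructed example reproducing the order described in the reply:
deny lists are checked first, then each non-empty allow list must match.
A user's group set is the primary group plus supplementary groups.
"""
from dataclasses import dataclass, field


@dataclass
class AccessConfig:
    """The four sshd access-control lists (empty set means 'not configured')."""
    deny_users: set = field(default_factory=set)
    allow_users: set = field(default_factory=set)
    deny_groups: set = field(default_factory=set)
    allow_groups: set = field(default_factory=set)


def is_permitted(user: str, groups: set, cfg: AccessConfig) -> bool:
    """Return True if the login passes all four checks, in sshd's order."""
    if user in cfg.deny_users:
        return False
    # A non-empty AllowUsers list requires the user to be listed.
    if cfg.allow_users and user not in cfg.allow_users:
        return False
    if groups & cfg.deny_groups:
        return False
    # A non-empty AllowGroups list requires at least one of the user's
    # groups to be listed. It is ANDed with AllowUsers, not ORed.
    if cfg.allow_groups and not (groups & cfg.allow_groups):
        return False
    return True


# Constructed account data mirroring the quoted passwd/group listing:
# blah and haha each have their own primary group plus supplementary
# membership in 'users'. root's groups are an assumption (not listed).
USER_GROUPS = {
    "blah": {"blah", "users"},
    "haha": {"haha", "users"},
    "root": {"root"},
}
USERS = ("blah", "haha", "root")

# The configurations from the table, plus one extra DenyUsers case.
CASES = {
    "no Allow*": AccessConfig(),
    "AllowUsers blah": AccessConfig(allow_users={"blah"}),
    "AllowUsers haha": AccessConfig(allow_users={"haha"}),
    "AllowUsers root": AccessConfig(allow_users={"root"}),
    "AllowGroups users": AccessConfig(allow_groups={"users"}),
    "AllowGroups users, AllowUsers root": AccessConfig(
        allow_users={"root"}, allow_groups={"users"}),
    "AllowGroups users, DenyUsers haha": AccessConfig(
        deny_users={"haha"}, allow_groups={"users"}),
}


def evaluate_table() -> dict:
    """Map each configuration name to a (blah, haha, root) tuple of results."""
    return {
        name: tuple(is_permitted(u, USER_GROUPS[u], cfg) for u in USERS)
        for name, cfg in CASES.items()
    }


if __name__ == "__main__":
    print(f"{'Condition':<38} " + "  ".join(f"{u:<5}" for u in USERS))
    for name, results in evaluate_table().items():
        cells = "  ".join(f"{'yes' if r else 'no':<5}" for r in results)
        print(f"{name:<38} {cells}")
```

The last two rows show why the combined case denies everyone: blah and haha fail the AllowUsers check, root passes it but then fails AllowGroups, because root is not in 'users'. A DenyUsers entry removes one user without touching the others, which is the usual way to carve an exception out of an AllowGroups policy.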