((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
James Dennis
jdennis at law.harvard.edu
Sat Feb 15 05:12:41 EST 2003
Kevin,
I think the problem is the last line.
>> Condition blah haha root
>> AllowGroups users, AllowUsers root => no no no
blah, haha, and root should all be able to login, but his table shows
that they actually cannot. I'm pretty sure that's not intended by your
description.
> if user in denyusers
> deny
Shouldn't affect any of them.
> if #allowusers > 0 and user not in allowusers
> deny
root is in AllowUsers, so this shouldn't deny (unless PermitRootLogin no?).
> if user group in deny groups
> deny
Again, no deny directives so this shouldn't affect anyone.
> if #allowgroups > 0 and user group not in allowgroups
> deny
blah and haha's group is in allow group so they shouldn't be denied.
>
> permit
They should be, but aren't.
-James
Kevin Steves wrote:
> On Wed, Feb 12, 2003 at 04:12:32PM -0500, Jim Knoble wrote:
>
>>with the following users:
>>
>> # useradd -m -G users blah
>> # useradd -m -G users haha
>> # egrep '(blah|haha)' /etc/passwd /etc/group
>> /etc/passwd:blah:*:1021:1021::/home/blah:/bin/ksh
>> /etc/passwd:haha:*:1022:1022::/home/haha:/bin/ksh
>> /etc/group:users:*:10:,blah,haha
>> /etc/group:blah:*:1019:blah
>> /etc/group:haha:*:1020:haha
>> #
>>
>>gives the following results:
>>
>> Users successfully log in:
>>
>>   Condition                            blah  haha  root
>>
>>   no Allow*                         =>  yes   yes   yes
>>   AllowUsers blah                   =>  yes   no    no
>>   AllowUsers haha                   =>  no    yes   no
>>   AllowUsers root                   =>  no    no    yes
>>   AllowGroups users                 =>  yes   yes   no
>>   AllowGroups users, AllowUsers root => no    no    no
>>
>>The last one is what's surprising. Here's what the sshd log has to say
>>(at LogLevel VERBOSE, with timestamps removed to conserve space):
>
>
> those are correct results for the current implementation, which is the
> same behaviour as 1.2.X but we added support for supplementary groups.
>
> we currently do:
>
> if user in denyusers
> deny
> if #allowusers > 0 and user not in allowusers
> deny
> if user group in deny groups
> deny
> if #allowgroups > 0 and user group not in allowgroups
> deny
>
> permit
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
James Dennis
Harvard Law School
"Not everything that counts can be counted,
and not everything that can be counted counts."
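An added example, not part of the thread: a small Python model of the four-step DenyUsers/AllowUsers/DenyGroups/AllowGroups check quoted above, run over Jim Knoble's three users and six configurations. The user and group data are constructed from the /etc/passwd and /etc/group lines in the thread (root's gid and a "root" group are assumed, since the listing only shows that root is not in "users"). Matching is by exact name; sshd's directives also accept patterns, so this models the evaluation order, not sshd's parser.

```python
from dataclasses import dataclass, field

# Constructed sample data from the /etc/passwd and /etc/group lines quoted in
# the thread. Note the quoted passwd gids (1021/1022) do not match the quoted
# group gids (1019/1020); membership of blah and haha in their own groups and
# in "users" still comes from the /etc/group member lists.
# root's gid 0 and "root" group are assumptions.
PASSWD = {"blah": 1021, "haha": 1022, "root": 0}          # user -> primary gid
GROUPS = {                                                # group -> (gid, members)
    "users": (10, {"blah", "haha"}),
    "blah": (1019, {"blah"}),
    "haha": (1020, {"haha"}),
    "root": (0, {"root"}),                                # assumed
}


def groups_of(user):
    """Primary group plus supplementary groups, which is what the thread says
    sshd consults for DenyGroups/AllowGroups since supplementary-group support."""
    primary = {g for g, (gid, _) in GROUPS.items() if gid == PASSWD[user]}
    supplementary = {g for g, (_, members) in GROUPS.items() if user in members}
    return primary | supplementary


@dataclass
class SshdConfig:
    """The four access lists. An empty set means the directive is not set.
    Exact-name matching only; real sshd also accepts wildcards and user@host."""
    deny_users: set = field(default_factory=set)
    allow_users: set = field(default_factory=set)
    deny_groups: set = field(default_factory=set)
    allow_groups: set = field(default_factory=set)


def decide(cfg, user):
    """Evaluate the lists in the order quoted from Kevin Steves and return the
    name of the directive that denied the login, or "permit"."""
    if user in cfg.deny_users:
        return "DenyUsers"
    if cfg.allow_users and user not in cfg.allow_users:
        return "AllowUsers"
    groups = groups_of(user)
    if groups & cfg.deny_groups:
        return "DenyGroups"
    if cfg.allow_groups and not (groups & cfg.allow_groups):
        return "AllowGroups"
    return "permit"


def allowed(cfg, user):
    return decide(cfg, user) == "permit"


# The six configurations from Jim Knoble's table, in the same order.
CONFIGS = [
    ("no Allow*", SshdConfig()),
    ("AllowUsers blah", SshdConfig(allow_users={"blah"})),
    ("AllowUsers haha", SshdConfig(allow_users={"haha"})),
    ("AllowUsers root", SshdConfig(allow_users={"root"})),
    ("AllowGroups users", SshdConfig(allow_groups={"users"})),
    ("AllowGroups users, AllowUsers root",
     SshdConfig(allow_users={"root"}, allow_groups={"users"})),
]
USERS = ("blah", "haha", "root")


def login_table(configs=CONFIGS, users=USERS):
    """Map each configuration label to a tuple of True/False verdicts per user."""
    return {label: tuple(allowed(cfg, u) for u in users) for label, cfg in configs}


def yn(verdict):
    return "yes" if verdict else "no"


if __name__ == "__main__":
    print(f"{'Condition':36} " + " ".join(f"{u:>5}" for u in USERS))
    for label, verdicts in login_table().items():
        print(f"{label:36} " + " ".join(f"{yn(v):>5}" for v in verdicts))
    last = CONFIGS[-1][1]
    for u in USERS:
        print(f"  {u}: {decide(last, u)}")
```

Running it reproduces the table, including the no/no/no row: blah and haha are stopped at the AllowUsers step and root at the AllowGroups step, because each non-empty Allow* list is applied as a separate filter rather than as an alternative.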