((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))

James Dennis jdennis at law.harvard.edu
Sat Feb 15 07:56:37 EST 2003


I've thought about this a bit more and have changed my mind. I think 
everything should just be kept very simple to avoid apache-like 
configuration madness. Maybe Thomas's idea?

If user is in denyusers
	deny
if user is in allowusers
	allow

report error if user is in both

if user's group is in denygroups
	check status of either/and flag
	either and is in allowusers
		allow
	and
		deny
if user's group is in allowgroups
	check status of either/and flag
	either
		allow
	and
		is in allowusers
			allow
		else
			deny

report error if group is in both

-- 
James Dennis
Harvard Law School

"Not everything that counts can be counted,
and not everything that can be counted counts."




More information about the openssh-unix-dev mailing list