((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
James Dennis
jdennis at law.harvard.edu
Sat Feb 15 09:04:08 EST 2003
Yes, agreed. Thanks Ben. If someone is in a group that is denied, but
should be allowed access to ssh, unix groups should handle that. Remove
the user from the group and such.
It's been a long day and I obviously went off on a tangent, but you've
put words to what my last email was trying to say much better than I did.
-James
Ben Lindstrom wrote:
> I think we are making this more complex than it really is. The only valid
> rules should be as such
>
> If PermitRootLogin then
> goto Accepted # Damn it, if I state root is allowed, it damn well
> better be honored.
>
> if DenyUser then
> goto Reject # don't pass go don't collect 200
>
> if AllowUser then
> goto Accepted # If we state they are allowed, honor it
>
> If DenyGroup then
> goto Reject # If they are not allowed by AllowUser they are never
>
> If AllowGroup then
> goto Accepted # We are stated they are allowed directly
>
> if AllowUser > 0 || AllowGroup > 0 then
> goto Reject # We have either allowed groups or allowed users, and
> they didn't pass.
>
> Accepted:
> ...
> return;
>
> Rejected:
> ...
> return;
>
> There is no other sane way.. No stupid order issues (which sshd_config has
> none to start with). And allows for 'Reject by default, define allowed'
> view.
>
> Plus it allows for the other way around. 'Allow by default, reject if
> not'
>
> So it makes everyone happy.
>
> The way it currently stands I doubt anyone is using allow{group,user}
> at this moment. Besides, personally if I say Yes I want root for any
> reason to be allowed. It damn well better honor it. It implies
> 'AllowUser'.
>
> Deny{User,Group} needs to be honored first because I think anyone stupid
> enough to do:
>
> AllowUser Foo
> DenyUser Foo
>
> should be shot.
>
> I can see someone going.. "But this breaks DenyUser root". Well tough,
> if you don't want root, use the right option.
>
> - Ben
>
>
> On Fri, 14 Feb 2003, James Dennis wrote:
>
>
>>I've thought about this a bit more and have changed my mind. I think
>>everything should just be kept very simple to avoid apache-like
>>configuration madness. Maybe Thomas's idea?
>>
>>If user is in denyusers
>> deny
>>if user is in allowusers
>> allow
>>
>>report error if user is in both
>>
>>if user's group is in denygroups
>> check status of either/and flag
>> either and is in allowusers
>> allow
>> and
>> deny
>>if user's group is in allowgroups
>> check status of either/and flag
>> either
>> allow
>> and
>> is in allowusers
>> allow
>> else
>> deny
>>
>>report error if group is in both
>>
>>--
>>James Dennis
>>Harvard Law School
>>
>>"Not everything that counts can be counted,
>>and not everything that can be counted counts."
>>
>>_______________________________________________
>>openssh-unix-dev mailing list
>>openssh-unix-dev at mindrot.org
>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>
--
James Dennis
Harvard Law School
"Not everything that counts can be counted,
and not everything that can be counted counts."
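The evaluation order Ben proposes above, written out as a small C function over a hypothetical policy struct so the cases can actually be run. This is an added example, not sshd's own code: the Policy type, the SAMPLE and OPEN policies and the group lists are constructed here for illustration, and PermitRootLogin is left out because the quoted rules decide it before any of these checks.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy model for this example; every list is NULL-terminated. */
typedef struct {
    const char *deny_users[8];
    const char *allow_users[8];
    const char *deny_groups[8];
    const char *allow_groups[8];
} Policy;

static bool in_list(const char *const *list, const char *name) {
    for (; *list; list++)
        if (strcmp(*list, name) == 0) return true;
    return false;
}

/* True if any of the user's groups appears in the list. */
static bool any_group_in(const char *const *list, const char *const *groups) {
    for (; *groups; groups++)
        if (in_list(list, *groups)) return true;
    return false;
}

/* Ben's order: DenyUser, AllowUser, DenyGroup, AllowGroup, then reject if
   any Allow list exists at all. Returns 1 for accepted, 0 for rejected. */
int evaluate(const Policy *p, const char *user, const char *const *groups) {
    if (in_list(p->deny_users, user))            return 0;
    if (in_list(p->allow_users, user))           return 1;
    if (any_group_in(p->deny_groups, groups))    return 0;
    if (any_group_in(p->allow_groups, groups))   return 1;
    if (p->allow_users[0] || p->allow_groups[0]) return 0;
    return 1; /* no Allow lists configured: allow by default */
}

/* Constructed samples: "AllowUsers alice" + "DenyGroups wheel", and a
   policy with only "DenyUsers guest" (allow-by-default view). */
static const Policy SAMPLE = { .allow_users = {"alice"}, .deny_groups = {"wheel"} };
static const Policy OPEN   = { .deny_users = {"guest"} };
static const char *const WHEEL[] = {"wheel", NULL};
static const char *const STAFF[] = {"staff", NULL};

int main(void) {
    /* alice is accepted although she is in wheel: AllowUser is checked before DenyGroup. */
    printf("alice/wheel: %d\n", evaluate(&SAMPLE, "alice", WHEEL));
    printf("bob/wheel:   %d\n", evaluate(&SAMPLE, "bob", WHEEL));   /* DenyGroup hit */
    printf("carol/staff: %d\n", evaluate(&SAMPLE, "carol", STAFF)); /* Allow list set, no match */
    printf("dave/staff:  %d\n", evaluate(&OPEN, "dave", STAFF));    /* no Allow lists: accepted */
    return 0;
}
```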