((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Jim Knoble
jmknoble at pobox.com
Sat Feb 15 09:41:26 EST 2003
Circa 2003-02-14 15:48:30 -0600 dixit Ben Lindstrom:
: I think we are making this more complex than it really is. The only valid
: rules should be as such
:
: If PermitRootLogin then
: goto Accepted # Damn it, if I state root is allowed, it damn well
: better be honored.
->else if PermitRootLogin is "no" and user is root then
goto Rejected
: if DenyUser then
: goto Reject # don't pass go don't collect 200
:
: if AllowUser then
: goto Accepted # If we state they are allowed, honor it
:
: If DenyGroup then
: goto Reject # If they are not allowed by AllowUser they are never
:
: If AllowGroup then
: goto Accepted # We are stated they are allowed directly
:
: if AllowUser > 0 || AllowGroup > 0 then
: goto Reject # We have either allowed groups or allowed users, and
: they didn't pass.
:
: Accepted:
: ...
: return;
:
: Rejected:
: ...
: return;
:
: There is no other sane way.. No stupid order issues (which sshd_config has
: none to start with). And allows for 'Reject by default, define allowed'
: view.
Looks good to me, with the additional test I inserted above (implied by
your description, but best to be explicit here).
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!
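The rule order proposed in the quoted message, with the inserted PermitRootLogin=no test, written out as a function that can be exercised against sample policies. This is an added example, not OpenSSH's own code and not a statement of how sshd actually evaluates these directives (see sshd_config(5) for the shipped semantics). The type and function names (access_policy, proposed_access_check, permit_root), the sample policies and the group memberships are all constructed for this example, and it reads "If PermitRootLogin then goto Accepted" as applying only to logins as root, which the pseudocode leaves implicit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSH code: models the rule order proposed in the
 * thread (including the inserted PermitRootLogin=no test).  The type names,
 * struct layout and function names are this example's own. */

enum permit_root { ROOT_YES, ROOT_NO, ROOT_OTHER }; /* OTHER: any other setting */

struct access_policy {
    enum permit_root permit_root_login;
    const char **deny_users;    /* NULL-terminated lists; NULL means unset */
    const char **allow_users;
    const char **deny_groups;
    const char **allow_groups;
};

static bool in_list(const char **list, const char *name)
{
    for (; list != NULL && *list != NULL; list++)
        if (strcmp(*list, name) == 0)
            return true;
    return false;
}

/* True if any of the user's groups appears in list. */
static bool any_group_in_list(const char **list, const char **groups)
{
    for (; groups != NULL && *groups != NULL; groups++)
        if (in_list(list, *groups))
            return true;
    return false;
}

static bool list_set(const char **list)
{
    return list != NULL && *list != NULL;
}

/* Decide a login under the proposed order.  "groups" holds the user's
 * primary and supplementary group names, NULL-terminated. */
bool proposed_access_check(const struct access_policy *p,
                           const char *user, const char **groups)
{
    bool is_root = strcmp(user, "root") == 0;

    /* 1. PermitRootLogin yes: root is accepted before any list is read.
     *    (Assumption: this rule applies only to logins as root.) */
    if (is_root && p->permit_root_login == ROOT_YES)
        return true;
    /* 2. The inserted test: PermitRootLogin no rejects root outright. */
    if (is_root && p->permit_root_login == ROOT_NO)
        return false;
    /* 3. DenyUsers beats every Allow* directive. */
    if (in_list(p->deny_users, user))
        return false;
    /* 4. AllowUsers is honoured BEFORE DenyGroups: a user named here is
     *    accepted even if one of their groups is in DenyGroups. */
    if (in_list(p->allow_users, user))
        return true;
    /* 5. DenyGroups rejects anyone not already accepted by AllowUsers. */
    if (any_group_in_list(p->deny_groups, groups))
        return false;
    /* 6. AllowGroups match is accepted. */
    if (any_group_in_list(p->allow_groups, groups))
        return true;
    /* 7. Some Allow* list exists and nothing matched: reject by default. */
    if (list_set(p->allow_users) || list_set(p->allow_groups))
        return false;
    /* 8. No Allow* lists at all and not denied: accept. */
    return true;
}

/* Constructed sample policies and group memberships (not a real config). */
const char *sample_deny_users[]   = { "mallory", NULL };
const char *sample_allow_users[]  = { "alice", NULL };
const char *sample_deny_groups[]  = { "nologin", NULL };
const char *sample_allow_groups[] = { "wheel", NULL };
const char *deny_root_only[]      = { "root", NULL };

const struct access_policy sample_policy = {
    ROOT_OTHER, sample_deny_users, sample_allow_users,
    sample_deny_groups, sample_allow_groups,
};
const struct access_policy open_policy = { ROOT_NO, NULL, NULL, NULL, NULL };
const struct access_policy root_yes_policy = { ROOT_YES, deny_root_only, NULL, NULL, NULL };

const char *groups_nologin[] = { "nologin", NULL };
const char *groups_wheel[]   = { "wheel", "staff", NULL };
const char *groups_users[]   = { "users", NULL };

int main(void)
{
    printf("alice (in nologin), sample_policy: %d\n",
           proposed_access_check(&sample_policy, "alice", groups_nologin));
    printf("bob (in wheel), sample_policy:     %d\n",
           proposed_access_check(&sample_policy, "bob", groups_wheel));
    printf("root, root_yes_policy:             %d\n",
           proposed_access_check(&root_yes_policy, "root", groups_wheel));
    return 0;
}
```

Two consequences of this ordering are worth checking against whatever policy you intend: a user named in AllowUsers gets in even when one of their groups is in DenyGroups (step 4 runs before step 5), and with PermitRootLogin yes a DenyUsers entry for root is never consulted (step 1 runs first). Both follow directly from the proposal; whether the deployed sshd behaves the same way is a separate question to verify against its manual page.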