AllowUsers Change

Ben Lindstrom mouring at etoh.eviladmin.org
Sun Feb 16 14:31:36 EST 2003


Markus, ignore the other stuff I sent.. I need to go back to bed and stop
trying to code.. <sigh>

For everone else.. Will this make everyone happy?

This does the follow.

it will always honor AllowUsers.

If there is no Allow/DenyGroups it stated they are not in allowUsers.  IF
there are AllowDenyGroups it tries them.  And then stated they are not in
either AllowUsers nor AllowGroups

since PErmitRootLogin is not handled in auth.c:allowed_users() I will not
try to add that logic.  I still believe it should be true.

Diff against -ccurent BSD tree.

- Ben

Index: auth.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.46
diff -u -r1.46 auth.c
--- auth.c	4 Nov 2002 10:07:53 -0000	1.46
+++ auth.c	16 Feb 2003 03:27:42 -0000
@@ -105,15 +105,16 @@
 				return 0;
 			}
 	}
-	/* Return false if AllowUsers isn't empty and user isn't listed there */
+	/* Return true if person in AllowUsers, otherwise try the group test */
 	if (options.num_allow_users > 0) {
 		for (i = 0; i < options.num_allow_users; i++)
 			if (match_user(pw->pw_name, hostname, ipaddr,
 			    options.allow_users[i]))
-				break;
-		/* i < options.num_allow_users iff we break for loop */
-		if (i >= options.num_allow_users) {
-			log("User %.100s not allowed because not listed in AllowUsers",
+				goto success;
+
+		if (options.num_deny_groups == 0 &&
+		    options.num_allow_groups == 0) {
+			log("User %.100s not allowed because not in AllowUsers",
 			    pw->pw_name);
 			return 0;
 		}
@@ -136,20 +137,28 @@
 				return 0;
 			}
 		/*
-		 * Return false if AllowGroups isn't empty and one of user's groups
-		 * isn't listed there
+		 * Return false if AllowGroups isn't empty and one of
+		 * user's groups isn't listed there
 		 */
 		if (options.num_allow_groups > 0)
 			if (!ga_match(options.allow_groups,
 			    options.num_allow_groups)) {
 				ga_free();
-				log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
+				if (options.num_deny_users > 0 ||
+				    options.num_allow_users > 0) {
+					log("User %.100s not allowed because not in AllowUsers nor user's groups in AllowGroups",
+					    pw->pw_name);
+					return 0;
+				} else {
+					log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
 				    pw->pw_name);
-				return 0;
+					return 0;
+				}
 			}
 		ga_free();
 	}
 	/* We found no reason not to let this user try to log on... */
+success:
 	return 1;
 }





More information about the openssh-unix-dev mailing list