AllowUsers Change
Ben Lindstrom
mouring at etoh.eviladmin.org
Thu Feb 27 05:46:44 EST 2003
No comments either means no one cares or no one has tested. Let me know
quickly or I won't push for including it into 3.6. We are getting close
to a tree lock, people.
- Ben
On Sat, 15 Feb 2003, Ben Lindstrom wrote:
>
> Markus, ignore the other stuff I sent.. I need to go back to bed and stop
> trying to code.. <sigh>
>
> For everyone else.. Will this make everyone happy?
>
> This does the following.
>
> It will always honor AllowUsers.
>
> If there is no Allow/DenyGroups it states they are not in AllowUsers. If
> there are Allow/DenyGroups it tries them, and then states they are not in
> either AllowUsers or AllowGroups.
>
> Since PermitRootLogin is not handled in auth.c:allowed_users() I will not
> try to add that logic. I still believe it should be true.
>
> Diff against -current BSD tree.
>
> - Ben
>
> Index: auth.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/auth.c,v
> retrieving revision 1.46
> diff -u -r1.46 auth.c
> --- auth.c 4 Nov 2002 10:07:53 -0000 1.46
> +++ auth.c 16 Feb 2003 03:27:42 -0000
> @@ -105,15 +105,16 @@
> return 0;
> }
> }
> - /* Return false if AllowUsers isn't empty and user isn't listed there */
> + /* Return true if person in AllowUsers, otherwise try the group test */
> if (options.num_allow_users > 0) {
> for (i = 0; i < options.num_allow_users; i++)
> if (match_user(pw->pw_name, hostname, ipaddr,
> options.allow_users[i]))
> - break;
> - /* i < options.num_allow_users iff we break for loop */
> - if (i >= options.num_allow_users) {
> - log("User %.100s not allowed because not listed in AllowUsers",
> + goto success;
> +
> + if (options.num_deny_groups == 0 &&
> + options.num_allow_groups == 0) {
> + log("User %.100s not allowed because not in AllowUsers",
> pw->pw_name);
> return 0;
> }
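Review bot: the fall-through condition added as `if (options.num_deny_groups == 0 && options.num_allow_groups == 0)` loosens access when only DenyGroups is configured. A user who is not listed in AllowUsers now continues into the group checks instead of being rejected, and if AllowGroups is empty the later `if (options.num_allow_groups > 0)` test in the next hunk is skipped, so anyone who is merely not in DenyGroups is accepted even though AllowUsers was supposed to be exhaustive. Only AllowGroups can grant what AllowUsers did not, so this should test `options.num_allow_groups == 0` alone. Separately, the `goto success` taken on an AllowUsers match skips every check between this point and the `success:` label, so if DenyGroups is evaluated in that region a user listed in AllowUsers is no longer subject to it; that matches the stated "always honor AllowUsers" intent, but it is a behaviour change from 1.46 that the sshd_config(5) text for AllowUsers/DenyGroups should spell out.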
> @@ -136,20 +137,28 @@
> return 0;
> }
> /*
> - * Return false if AllowGroups isn't empty and one of user's groups
> - * isn't listed there
> + * Return false if AllowGroups isn't empty and one of
> + * user's groups isn't listed there
> */
> if (options.num_allow_groups > 0)
> if (!ga_match(options.allow_groups,
> options.num_allow_groups)) {
> ga_free();
> - log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
> + if (options.num_deny_users > 0 ||
> + options.num_allow_users > 0) {
> + log("User %.100s not allowed because not in AllowUsers nor user's groups in AllowGroups",
> + pw->pw_name);
> + return 0;
> + } else {
> + log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
> pw->pw_name);
> - return 0;
> + return 0;
> + }
> }
> ga_free();
> }
> /* We found no reason not to let this user try to log on... */
> +success:
> return 1;
> }
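Review bot: the new branch `if (options.num_deny_users > 0 || options.num_allow_users > 0)` logs "not in AllowUsers nor user's groups in AllowGroups" even when only DenyUsers is set and AllowUsers is empty, which is misleading because an empty AllowUsers cannot have excluded anyone; test `options.num_allow_users > 0` alone so the message reflects the directive that actually caused the rejection. The `success:` label is placed after the `ga_free()` calls in this hunk, so the jump from the AllowUsers path does not skip any cleanup visible here, and the comment rewrap and the re-indented `return 0;` are whitespace-only changes that would be easier to review as a separate diff.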
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>