AllowUsers Change

James Dennis jdennis at law.harvard.edu
Thu Feb 27 06:38:38 EST 2003


Hey Ben,

The patch appears to be working just fine. I would very much like to see 
it in 3.6 if possible, as I'd like to use AllowGroups ftponly instead of 
AllowUsers [250 usernames]...

Thanks!

-James

PS. My apologies for not responding, as I'm the one who brought this up 
originally; things have been quite busy lately.

Ben Lindstrom wrote:
> No comments either means no one cares or no one has tested. Let me know
> quickly or I won't push for including it in 3.6. We are getting close
> to a tree lock, people.
> 
> - Ben
> 
> 
> On Sat, 15 Feb 2003, Ben Lindstrom wrote:
> 
> 
>>Markus, ignore the other stuff I sent.. I need to go back to bed and stop
>>trying to code.. <sigh>
>>
>>For everyone else.. Will this make everyone happy?
>>
>>This does the following.
>>
>>It will always honor AllowUsers.
>>
>>If there is no Allow/DenyGroups it states they are not in AllowUsers. If
>>there are Allow/DenyGroups it tries them, and then states they are not in
>>either AllowUsers or AllowGroups.
>>
>>Since PermitRootLogin is not handled in auth.c:allowed_users() I will not
>>try to add that logic.  I still believe it should be true.
>>
>>Diff against -current BSD tree.
>>
>>- Ben
>>
>>Index: auth.c
>>===================================================================
>>RCS file: /cvs/src/usr.bin/ssh/auth.c,v
>>retrieving revision 1.46
>>diff -u -r1.46 auth.c
>>--- auth.c	4 Nov 2002 10:07:53 -0000	1.46
>>+++ auth.c	16 Feb 2003 03:27:42 -0000
>>@@ -105,15 +105,16 @@
>> 				return 0;
>> 			}
>> 	}
>>-	/* Return false if AllowUsers isn't empty and user isn't listed there */
>>+	/* Return true if person in AllowUsers, otherwise try the group test */
>> 	if (options.num_allow_users > 0) {
>> 		for (i = 0; i < options.num_allow_users; i++)
>> 			if (match_user(pw->pw_name, hostname, ipaddr,
>> 			    options.allow_users[i]))
>>-				break;
>>-		/* i < options.num_allow_users iff we break for loop */
>>-		if (i >= options.num_allow_users) {
>>-			log("User %.100s not allowed because not listed in AllowUsers",
>>+				goto success;
>>+
>>+		if (options.num_deny_groups == 0 &&
>>+		    options.num_allow_groups == 0) {
>>+			log("User %.100s not allowed because not in AllowUsers",
>> 			    pw->pw_name);
>> 			return 0;
>> 		}
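Review bot: the fall-through condition `options.num_deny_groups == 0 && options.num_allow_groups == 0` lets a DenyGroups-only configuration switch AllowUsers off. With AllowUsers set and only DenyGroups configured, a user who is not in AllowUsers no longer hits the `return 0` here; the AllowGroups test in the next hunk is skipped because `num_allow_groups` is 0, so anyone outside the denied groups reaches `return 1`. Only AllowGroups can stand in for AllowUsers, so the condition should be `options.num_allow_groups == 0` alone. Separately, `goto success` on an AllowUsers match jumps past everything up to the `success:` label, including the DenyGroups test that the use of `num_deny_groups` implies sits between these hunks, so a user listed in AllowUsers is now exempt from DenyGroups; the old `break` fell through into that check. Since this turns AllowUsers and AllowGroups from a conjunction into a disjunction, sshd_config(5) needs the new semantics spelled out, because existing configurations may rely on both directives having to pass.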
>>@@ -136,20 +137,28 @@
>> 				return 0;
>> 			}
>> 		/*
>>-		 * Return false if AllowGroups isn't empty and one of user's groups
>>-		 * isn't listed there
>>+		 * Return false if AllowGroups isn't empty and one of
>>+		 * user's groups isn't listed there
>> 		 */
>> 		if (options.num_allow_groups > 0)
>> 			if (!ga_match(options.allow_groups,
>> 			    options.num_allow_groups)) {
>> 				ga_free();
>>-				log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
>>+				if (options.num_deny_users > 0 ||
>>+				    options.num_allow_users > 0) {
>>+					log("User %.100s not allowed because not in AllowUsers nor user's groups in AllowGroups",
>>+					    pw->pw_name);
>>+					return 0;
>>+				} else {
>>+					log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
>> 				    pw->pw_name);
>>-				return 0;
>>+					return 0;
>>+				}
>> 			}
>> 		ga_free();
>> 	}
>> 	/* We found no reason not to let this user try to log on... */
>>+success:
>> 	return 1;
>> }
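Review bot: the `if (options.num_deny_users > 0 || options.num_allow_users > 0)` test chooses only a log message; both arms end in `return 0` after the same `ga_free()`, so the duplicated return can collapse to one `return 0` after selecting the message. The condition also includes `num_deny_users`, which has no bearing on the AllowUsers fall-through: with DenyUsers set and AllowUsers empty, the log says the user is "not in AllowUsers" although no AllowUsers directive exists. Keying the message on `options.num_allow_users > 0` alone matches the condition in the previous hunk. Minor: the rewrap of the AllowGroups comment is unrelated whitespace churn, and `success:` labels a bare `return 1`, so a `return 1` at the match site in the previous hunk would avoid the goto.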
>>
>>
>>_______________________________________________
>>openssh-unix-dev mailing list
>>openssh-unix-dev at mindrot.org
>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>

-- 
James Dennis
Harvard Law School

"Not everything that counts can be counted,
and not everything that can be counted counts."
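To make the change in decision logic concrete, the following is an added model of allowed_users() before and after the quoted patch; it is not OpenSSH code. It keeps the directive order of auth.c (DenyUsers, AllowUsers, DenyGroups, AllowGroups) but replaces match_user()/ga_match(), which also take host and address patterns, with plain set membership; the user names, group names and the Options class are hypothetical, constructed for the comparison.

```python
"""Model of sshd's allowed_users() decision before and after the patch.

Added example, not OpenSSH code. It mirrors the control flow of the quoted
auth.c hunks but replaces match_user()/ga_match() with set membership
(no hostname/address patterns), so the two policies can be compared on
constructed inputs. Directive order follows auth.c: DenyUsers, AllowUsers,
DenyGroups, AllowGroups.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Options:
    """Hypothetical subset of sshd's ServerOptions used by allowed_users()."""
    deny_users: frozenset = frozenset()
    allow_users: frozenset = frozenset()
    deny_groups: frozenset = frozenset()
    allow_groups: frozenset = frozenset()


def allowed_before(user: str, groups: frozenset, o: Options) -> bool:
    """Original logic: every configured directive must pass."""
    if user in o.deny_users:
        return False
    if o.allow_users and user not in o.allow_users:
        return False                      # "not listed in AllowUsers"
    if groups & o.deny_groups:
        return False
    if o.allow_groups and not (groups & o.allow_groups):
        return False
    return True


def allowed_after(user: str, groups: frozenset, o: Options) -> bool:
    """Patched logic as quoted: an AllowUsers match jumps to success and
    skips the group tests; a miss only denies when neither AllowGroups
    nor DenyGroups is configured."""
    if user in o.deny_users:
        return False
    if o.allow_users:
        if user in o.allow_users:
            return True                   # goto success
        if not o.deny_groups and not o.allow_groups:
            return False                  # "not in AllowUsers"
    if groups & o.deny_groups:
        return False
    if o.allow_groups and not (groups & o.allow_groups):
        return False
    return True


# Constructed scenarios (hypothetical users, groups and policies).
FTP_POLICY = Options(allow_users=frozenset({"alice"}),
                     allow_groups=frozenset({"ftponly"}))
DENY_ONLY_POLICY = Options(allow_users=frozenset({"alice"}),
                           deny_groups=frozenset({"nologin"}))

CASES = {
    # The use case from the thread: group members join the AllowUsers set.
    "ftponly member, not in AllowUsers":
        ("bob", frozenset({"ftponly"}), FTP_POLICY),
    # Unlisted user in no listed group: still refused.
    "outsider under AllowGroups":
        ("mallory", frozenset({"users"}), FTP_POLICY),
    # AllowUsers + DenyGroups only: the patch lets unlisted users through.
    "outsider under DenyGroups only":
        ("mallory", frozenset({"users"}), DENY_ONLY_POLICY),
    # AllowUsers member in a denied group: goto success bypasses DenyGroups.
    "listed user in denied group":
        ("alice", frozenset({"nologin"}), DENY_ONLY_POLICY),
}


def evaluate(name: str) -> tuple:
    """Return (before, after) decisions for a named scenario."""
    user, groups, opts = CASES[name]
    return allowed_before(user, groups, opts), allowed_after(user, groups, opts)


def divergences() -> list:
    """Scenario names where the patch changes the answer."""
    return [name for name in CASES if evaluate(name)[0] != evaluate(name)[1]]


if __name__ == "__main__":
    for name in CASES:
        before, after = evaluate(name)
        print(f"{name:36} before={before!s:5} after={after}")
```

Only the first scenario is the one the thread asks for; the other two divergences are the DenyGroups-only fall-through and the DenyGroups bypass for AllowUsers matches, which is where a config review should look before enabling the new semantics.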
