AllowUsers Change
James Dennis
jdennis at law.harvard.edu
Thu Feb 27 06:51:58 EST 2003
Just in case anyone wants Ben's patch for OpenSSH's 3.5 release instead
of current, here it is.
diff -uNr openssh-3.5p1/auth.c openssh-3.5p1-allowfix/auth.c
--- openssh-3.5p1/auth.c Sat Sep 21 11:26:53 2002
+++ openssh-3.5p1-allowfix/auth.c Wed Feb 26 14:28:00 2003
@@ -156,15 +156,16 @@
return 0;
}
}
- /* Return false if AllowUsers isn't empty and user isn't listed there */
+ /* Return true if person in AllowUsers, otherwise try the group test */
if (options.num_allow_users > 0) {
for (i = 0; i < options.num_allow_users; i++)
if (match_user(pw->pw_name, hostname, ipaddr,
options.allow_users[i]))
- break;
- /* i < options.num_allow_users iff we break for loop */
- if (i >= options.num_allow_users) {
- log("User %.100s not allowed because not listed in AllowUsers",
+ goto success;
+
+ if (options.num_deny_groups == 0 &&
+ options.num_allow_groups == 0) {
+ log("User %.100s not allowed because not in AllowUsers",
pw->pw_name);
return 0;
}
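Review bot: The fall-through guard `options.num_deny_groups == 0 && options.num_allow_groups == 0` leaves a gap: with AllowUsers and DenyGroups configured but no AllowGroups, a user who is not listed in AllowUsers is not rejected here, and once past the DenyGroups test there is no remaining AllowUsers check, because the AllowGroups branch in the next hunk only runs when num_allow_groups > 0, so AllowUsers silently stops being a whitelist as soon as DenyGroups is set. Only an AllowGroups list can admit a user who failed AllowUsers, so the guard should be `if (options.num_allow_groups == 0) {`. The enclosing function starts before this hunk and the DenyGroups test between the hunks is not visible, so the order of checks is inferred from the hunk line numbers.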
@@ -194,9 +195,16 @@
if (!ga_match(options.allow_groups,
options.num_allow_groups)) {
ga_free();
- log("User %.100s not allowed because none of user's groups are
listed in AllowGroups",
- pw->pw_name);
- return 0;
+ if (options.num_deny_users > 0 ||
+ options.num_allow_users > 0) {
+ log("User %.100s not allowed because not in AllowUsers nor user's
groups in AllowGroups",
+ pw->pw_name);
+ return 0;
+ } else {
+ log("User %.100s not allow because none of user's groups are
listed in AllowGroups",
+ pw->pw_name);
+ return 0;
+ }
}
ga_free();
}
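Review bot: The condition `options.num_deny_users > 0 || options.num_allow_users > 0` selects the "not in AllowUsers" message even when AllowUsers is empty and only DenyUsers is configured, so the log line names a check that never ran; the branch should test `options.num_allow_users > 0` alone. The second message also has a typo, `not allow because` should read `not allowed because`, as in the wording the hunk removes. Both branches end in `return 0;`, so the duplicated return could be hoisted after the if/else.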
@@ -219,6 +227,7 @@
#endif /* WITH_AIXAUTHENTICATE */
/* We found no reason not to let this user try to log on... */
+success:
return 1;
}
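Review bot: Placing `success:` after `#endif /* WITH_AIXAUTHENTICATE */` means the `goto success` taken on an AllowUsers match in the first hunk skips every check between the two points, which from the line numbers includes the DenyGroups test and whatever the WITH_AIXAUTHENTICATE block does (that code is outside the hunk). Before this patch a user listed in AllowUsers still had to pass DenyGroups; after it, membership in a denied group no longer blocks such a user, and on AIX the platform login checks would be bypassed as well if that is what the #ifdef block enforces. I would replace the jump with a local flag set where the AllowUsers match is found and consulted only in the AllowGroups failure path, so DenyGroups and the AIX block always run; the function body between the hunks is not visible here.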
--
James Dennis
Harvard Law School
"Not everything that counts can be counted,
and not everything that can be counted counts."