more flexible AllowUsers/DenyUsers syntax

Daniel Rogers drogers at ncmir.ucsd.edu
Wed Jun 29 03:42:19 EST 2005


Hi,

I hope this is the right place for a feature request.
I'd like to have more flexible AllowUsers/DenyUsers syntax.

I am in a situation where I have machines connected to three  
networks (a private, high speed, a public, and a private vpn) and I'd  
like to enable root logins only on the private networks.  Currently I  
see no way of doing this, because there is no way to specify a class  
that doesn't match.  Something like:
AllowUsers ~root@*
AllowUsers root@10.0.2.0/24
AllowUsers root@172.31.0.0/24
Would be really really friggin' nice.
Even nicer would be to have ACL statements with sophistication akin  
to Squid's configuration.

Further, it would be really nice to be able to understand when OpenSSH  
treats a pattern match like an IP or network and when OpenSSH treats  
a pattern match like a host or domain name.

Are any features like this planned?  Is what I am asking for reasonable?

--
Daniel
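
A small model of the matching the message asks for, added here as an illustration; it is not OpenSSH code and not part of the original post. The `~` negation is the poster's proposed syntax, while the default-deny evaluation, the function names and the sample addresses are assumptions.

```python
import ipaddress

# Rules exactly as proposed in the message; "~" is the requested (hypothetical) negation.
PROPOSED_RULES = ["~root@*", "root@10.0.2.0/24", "root@172.31.0.0/24"]


def parse_rule(rule):
    """Split 'user@host' into (negate_user, user, network), network None meaning any."""
    user, sep, host = rule.partition("@")
    negate = user.startswith("~")
    if negate:
        user = user[1:]
    if not sep or not user or not host:
        raise ValueError(f"expected [~]user@host, got {rule!r}")
    # strict=True rejects a CIDR with host bits set (e.g. 10.0.2.5/24), so a
    # mistyped network fails loudly instead of silently matching something else.
    network = None if host == "*" else ipaddress.ip_network(host, strict=True)
    return negate, user, network


def rule_matches(rule, user, addr):
    """True when both the user part and the address part of one rule match."""
    negate, rule_user, network = parse_rule(rule)
    user_ok = (user != rule_user) if negate else (user == rule_user)
    addr_ok = network is None or ipaddress.ip_address(addr) in network
    return user_ok and addr_ok


def login_allowed(user, addr, rules=PROPOSED_RULES):
    """Allow-list semantics (assumed): permit only if some rule matches, else deny."""
    return any(rule_matches(r, user, addr) for r in rules)


if __name__ == "__main__":
    # Constructed connection attempts: the two private networks named in the
    # message plus a documentation-range address standing in for the public side.
    attempts = [
        ("root", "10.0.2.15"),
        ("root", "172.31.0.9"),
        ("root", "203.0.113.7"),
        ("alice", "203.0.113.7"),
    ]
    for user, addr in attempts:
        verdict = "allow" if login_allowed(user, addr) else "deny"
        print(f"{user}@{addr}: {verdict}")
```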