more flexible AllowUsers/DenyUsers syntax
Darren Tucker
dtucker at zip.com.au
Wed Jun 29 10:43:25 EST 2005
Daniel Rogers wrote:
> I hope this is the right place for a feature request.
It is.
> I'd like to have more flexible AllowUsers/DenyUsers syntax.
>
> I am in a situation, where I have machines connected to three networks
> (a private, high speed, a public, and a private vpn) and I'd like to
> enable root logins only on the private networks. Currently I see no
> way of doing this, because there is no way to specify a class that
> doesn't match. Something like:
> AllowUsers ~root@*
> AllowUsers root@10.0.2.0/24
> AllowUsers root@172.31.0.0/24
You can already negate a "subpattern" with "!" (hmm, this fact appears
to be missing from the man page), so you can probably do what you want
with something like (untested):
DenyUsers root@!10.0.2.*
DenyUsers root@!172.31.0.*
There are several components that could benefit from understanding CIDR
notation, see http://bugzilla.mindrot.org/show_bug.cgi?id=976
> Would be really really friggin' nice.
> Even nicer would be to have acl statements with sophistication akin to
> squids configuration.
>
> Further, it would be really nice to be able to understand when openssh
> treats a pattern match like an ip or network and when openssh treats a
> pattern match like a host or domain name.
Right now it always checks both, IP address first.
> Are any features like this planned? Is what I am asking for reasonable?
Yes but not a high priority.
I'd like to see it incorporated into RequiredAuthentications (see
http://bugzilla.mindrot.org/show_bug.cgi?id=983 and previous discussion
on openssh-unix-dev) as an optional extension, ie
RequiredAuthentications method[,method] [user@host]
eg
RequiredAuthentications password,rsa,hostbased root@10.0.0.0/8
RequiredAuthentications rsa root@*
PermitRootLogin would then become an alias for "RequiredAuthentications
[methods] root".
(The CIDR thing would probably be a simple project if someone wanted to
code it.)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
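As an added example (not code from this thread or from OpenSSH), here is a small Python model of the pattern matching Darren describes: comma-separated subpatterns with '*'/'?' wildcards and '!' negation, the user@host split, and the address-first-then-hostname check. It follows the rule later spelled out in the PATTERNS section of ssh_config(5), that a negated subpattern never produces a positive match by itself, and runs the untested DenyUsers lines against constructed connections (the hostname and addresses are made up).

```python
import re

def match_pattern(string, pattern):
    """sshd-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join({"*": ".*", "?": "."}.get(c, re.escape(c)) for c in pattern)
    return 1 if re.fullmatch(regex, string) else 0

def match_pattern_list(string, patterns):
    """Comma-separated subpatterns, a leading '!' negates one: -1 on a negated match,
    1 if a positive subpattern matched, else 0. Negations alone can never yield 1."""
    got_positive = False
    for sub in patterns.split(","):
        negated = sub.startswith("!")
        if match_pattern(string, sub[1:] if negated else sub):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0

def match_host_and_ip(host, ipaddr, patterns):
    """Address first, then hostname: a negated match on either fails, and one must match positively."""
    mip = match_pattern_list(ipaddr, patterns)
    mhost = match_pattern_list(host.lower(), patterns.lower())
    if mip == -1 or mhost == -1:
        return 0
    return 1 if (mip == 1 or mhost == 1) else 0

def match_user(user, host, ipaddr, pattern):
    """An AllowUsers/DenyUsers entry is 'userpat' or 'userpat@hostpats'."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    upat, hpats = pattern.split("@", 1)
    if match_pattern(user, upat) != 1:
        return 0
    return match_host_and_ip(host, ipaddr, hpats)

def denied(user, host, ipaddr, deny_users):
    """DenyUsers rejects the login when any entry matches positively."""
    return any(match_user(user, host, ipaddr, p) == 1 for p in deny_users)

UNTESTED = ["root@!10.0.2.*", "root@!172.31.0.*"]  # the lines suggested above
WORKING = ["root@!10.0.2.*,!172.31.0.*,*"]         # same negations plus a positive wildcard

def demo():
    # Constructed sample connections: one from the public side, one from the 10.0.2.0/24 LAN.
    conns = {"public": ("root", "box.example.net", "203.0.113.7"),
             "private": ("root", "box.example.net", "10.0.2.15")}
    return {f"{name}_denies_{side}": denied(*conn, rules)
            for name, rules in (("untested", UNTESTED), ("working", WORKING))
            for side, conn in conns.items()}
```

Under these semantics the two negation-only lines deny nobody, since no subpattern can ever match positively; the single entry with a trailing `*` denies root from everywhere except the two listed networks.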