AllowUsers not working under certain conditions

Donald Fraser demolish at kiwi-fraser.net
Thu Nov 17 23:50:53 EST 2005 

Hello,
I've trawled archives looking for changes in the "AllowUsers" option,
manuals, changes log, reported bugs and to my surprise I can't find anything
or anyone that has reported the issues that I am experiencing.

I am using the default installation sshd_config file as supplied by Redhat
and the only options I have changed are:
ListenAddress
AllowUsers

The first problem exists on both of the following versions oppenssh-3.5p1
and oppenssh-3.9p1
1) I have on one of our servers the line in the sshd_config file:
AllowUsers root at 192.168.100.* root at 192.168.102.*

The server that runs the sshd only allows ssh clients to connect from the
sub-net 192.168.100.0/24.
Where as one would expect it to allow connections from both the listed
sub-nets 192.168.100.0/24 and 192.168.102.0/24.
Basically if I try connecting from the 192.168.102.0/24 sub-net I get the
"User root not allowed because not listed in AllowUsers" error.

The weird thing here is that if I change the option:

ListenAddress ::
to
ListenAddress my-server

then the problem goes away.
There appears to be nothing in the documentation that suggests the
ListenAddress setting effects the AllowUsers setting.

The second problem is not present on the oppenssh-3.5p1-6 but is present on
the later version oppenssh-3.9p1-8.
The problem has arisen after upgrading from Redhat Linux 9
(oppenssh-3.5p1-6) to Redhat Enterprise Linux 4 (oppenssh-3.9p1-8.RHEL4.1)
2) I have on one of our servers the line in the sshd_config file:
AllowUsers root at 192.168.100.12 root@*.mycompany.com donald at 192.168.100.99
donald@*mydomain.com

User root can log on from the specified IP address or any domain which
matches the pattern *.mycompany.com. Note that the *.mycompany.com domains
are all machines on a local sub-net with their domain names specified in the
/etc/hosts file.

The user donald can connect from the local sub-net specified IP address but
cannot connect from an external domain that matches the pattern
*mydomain.com. The only way I can get the user donald to connect on the
external domain is by putting the exact IP address in the AllowUsers option,
which is not particularly useful as it is a dynamically changing IP address.
As I have already stated, the exact same AllowUsers option used to work fine
under the older (3.5p1) version of openssh.
I tried setting the option UseDNS to no but that makes no difference.

Can somebody tell me if these are known problems or simply features (that's
the way its supposed to work)?
If they are known or new problems are they likely to be fixed in the latest
version?

Regards
Donald Fraser

Ps I particularly like the idea put forward by Patrick Gosling on 2005-01-20
10:27:17 titled:  AllowUsers - proposal for useful variations on the theme

More information about the openssh-unix-dev mailing list