Request change to file match.c, function match_pattern_list

Eric Sisson ems at mdacc.tmc.edu
Wed Dec 17 06:48:36 EST 2008 

Greetings,

This request is in the grey area between a bug report and an  
enhancement request.



Request
-------

Please apply the following diff (or something functionally similar) to  
file ``match.c'' in OpenSSH-5.1p1:

161a162,164
 > 		} else {
 > 			if (negated)
 > 				got_positive = 1;	/* Negative match, negated = Positive */

In case the lines above wrapped in the email transmission, the diff is  
attached as a .gz file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: match.c.diff.gz
Type: application/x-gzip
Size: 104 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20081216/fe35d5b5/attachment.bin 
-------------- next part --------------





Justification
-------------

On a system running Red Hat Enterprise Linux 4, I wanted to use a  
configuration of the following form in sshd_config:

   DenyUsers oracle@!localhost.localdomain

that would prevent user ``oracle'' from logging into the host from any  
host except the host itself (localhost).  Rephrased, I want to allow  
logins to user ``oracle'' only by users who already are logged into  
the same host that has user ``oracle''.

The above construct fails in OpenSSH, and I traced the failure to the  
absence of code handling this case in an ``if'' statement (that checks  
the result of function ``match_pattern'') near the end of the main  
``for'' loop in function ``match_pattern_list'' in file ``match.c''.   
The diff above is an example of code to handle this case.

The meaning of this new code is the following:

- If a string fails to match the subpattern of the configuration, then  
execution will flow into ``else'' branch.

- Normally, the failure of a match is a failure (``got_positive''  
retains its initialized value of zero).

- However, where a failure is desired (the ``!'' in the specification  
subpattern), then the occurrence of a failure is a ``success'', so  
``got_positive'' should be set to one.

Initially, I was working with OpenSSH-3.9p1, but I see that the code  
remains consistent through OpenSSH-5.1p1, so I am reporting this  
change request relative to the newer version.



Respectfully,
Eric Sisson
-- 
Eric M. Sisson, Systems Analyst III               email: ems at mdacc.tmc.edu
Clinical Research Information Systems - Box 237   voice: 713-792-2629
University of Texas M. D. Anderson Cancer Center    fax: 713-745-0615
1515 Holcombe Boulevard
Houston, Texas  77030-4009

More information about the openssh-unix-dev mailing list