Problem, possibly bug with AllowUsers & DenyUsers
Andy Tsouladze
andyb1 at andy-t.org
Fri May 9 14:42:23 EST 2008
Hi there,
I have just compiled openssh-5.0 on Solaris 10, and am trying to set up
a certain pattern of user access control. Essentially, regular users
should be able to login from any network, while root should be able to
login only from a private network 192.168.88.0/22. Actually, for the
purpose of sshd_config, this is four networks, but that's another story...
Here is what I tried:
DenyUsers root@!192.168.88.*
Result: root can login from anywhere while I expected it to be allowed
only from 192.168.88.0/24
So I ran a number of tests to see which will work correctly.
DenyUsers root@192.168.88.40 # I used this client
Result: GOOD. root access denied from 192.168.88.40, allowed from other
places.
DenyUsers root@192.168.88.*
Result: GOOD. root access denied from 192.168.88.0/24, allowed from other
places.
DenyUsers root@!192.168.88.44
Result: BAD. root can login from 192.168.88.40, or anywhere else
So it seems the negation does not work.
Continued tests:
AllowUsers root@192.168.88.*
Result: GOOD. root can login only from 192.168.88.0/24.
AllowUsers root@!192.168.88.44
Result: BAD. root cannot login from anywhere. In fact, no one can.
AllowUsers root@!192.168.88.*
Result: BAD. root cannot login from anywhere. In fact, no one can.
AllowUsers root@192.168.88.* !root@*
Result: BAD. root can login only from 192.168.88.0/24 but other users
cannot login at all.
AllowUsers !root@*
Result: BAD. No one can login from anywhere
AllowUsers !root
Result: BAD. No one can login from anywhere
Conclusion: Negation (!) does not work for either `user' or `address'.
Am I doing something wrong, or is this truly broken?
If more information is needed, I will be happy to provide it.
Regards,
Andy
Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect
United Airlines
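As an added illustration (my own model, not the poster's configuration and not sshd's source), the following Python reproduces the results reported above under the pattern-list semantics documented in the PATTERNS section of ssh_config(5): a comma-separated list of globs, `!` negates a term, and a negated match never yields a positive result on its own. It assumes the user part of a USER@HOST entry is a plain glob with no negation (consistent with the `!root` tests above) and that only the client address, not the reverse-resolved hostname, is checked against the host part.

```python
import fnmatch

def glob_match(s, pat):
    """sshd-style glob with '*' and '?' (fnmatchcase also honours '[]')."""
    return fnmatch.fnmatchcase(s, pat)

def match_pattern_list(s, pattern_list):
    """ssh_config(5) PATTERNS model: comma-separated globs, '!' negates a term.
    Returns 1 for a positive match, -1 when a negated term matched (the whole
    list fails), 0 when nothing matched. Negation alone never gives 1."""
    got_positive = 0
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if glob_match(s, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive

def match_user(user, ipaddr, entry):
    """One AllowUsers/DenyUsers entry, USER or USER@HOST. Assumption: the user
    part is a plain glob (no '!'), the host part is a pattern list checked
    against the client address only (hostname lookup ignored here)."""
    if "@" not in entry:
        return glob_match(user, entry)
    upat, hpat = entry.split("@", 1)
    return glob_match(user, upat) and match_pattern_list(ipaddr, hpat) == 1

def login_allowed(user, ipaddr, deny_users=(), allow_users=()):
    """DenyUsers is checked first; then AllowUsers, if set, must match."""
    if any(match_user(user, ipaddr, e) for e in deny_users):
        return False
    if allow_users and not any(match_user(user, ipaddr, e) for e in allow_users):
        return False
    return True

# Constructed sample clients: root and a regular user, inside and outside the LAN.
CLIENTS = [("root", "192.168.88.40"), ("root", "10.9.8.7"), ("alice", "10.9.8.7")]

def evaluate(deny=(), allow=()):
    """Return {(user, addr): allowed?} for the three sample clients."""
    return {c: login_allowed(*c, deny_users=deny, allow_users=allow) for c in CLIENTS}

if __name__ == "__main__":
    print("DenyUsers root@!192.168.88.*   ->", evaluate(deny=["root@!192.168.88.*"]))
    print("AllowUsers root@!192.168.88.*  ->", evaluate(allow=["root@!192.168.88.*"]))
    print("AllowUsers !root               ->", evaluate(allow=["!root"]))
    # Man-page idiom: pair the negated term with '*' so outside addresses match positively.
    print("DenyUsers root@!192.168.88.*,* ->", evaluate(deny=["root@!192.168.88.*,*"]))
```

Under this model the last case is the one that yields the intended policy: the wildcard gives root from any address outside 192.168.88.0/24 a positive match and so a deny, while the negated term keeps root inside that network and every other user unaffected.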