Problem, possibly bug with AllowUsers & DenyUsers

Andy Tsouladze andyb1 at andy-t.org
Fri May 9 15:25:04 EST 2008


On Fri, 9 May 2008, Peter Stuge wrote:

> On Thu, May 08, 2008 at 11:42:23PM -0500, Andy Tsouladze wrote:
>> Essentially, regular users should be able to login from any
>> network, while root should be able to login only from a private
>> network 192.168.88.0/22.
>
>> AllowUsers root@192.168.88.* !root@*
>> Result: BAD. root can login only from 192.168.88.0/24 but other
>> users cannot login at all.
>
> What if you change the order and/or space to a comma?
>
> AllowUsers !root@*,root@192.168.88.*

Tried it - does not make a difference.  Besides, even

AllowUsers !root@*

alone does not work.  I was not able to find a single instance where negation would work.

> You could also try using Match.

Great idea!  It does seem to accomplish what I need, but I have to use multiple Match lines, like this:

PermitRootLogin no
Match Address 192.168.89.*
PermitRootLogin yes
Match Address 192.168.88.*
PermitRootLogin yes
...

BTW, negation does not work within Match block either...

Thanks a lot,

Andy

Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect
United Airlines
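As an added illustration (not code from the list post and not OpenSSH's own config parser), the following Python models how sshd evaluates the Match blocks above for a given client address, and shows that Match Address also accepts CIDR notation, so the 192.168.88.0/22 requirement fits in a single block instead of one wildcard block per /24. The sample configs are constructed from the post; the "..." continuation is left out.

```python
# Added model of how sshd applies Match Address blocks to PermitRootLogin
# (not OpenSSH's own parser): the first matching block wins for a keyword, and
# both wildcard (192.168.88.*) and CIDR (192.168.88.0/22) patterns are accepted.
import fnmatch
import ipaddress

def address_matches(addr: str, pattern: str) -> bool:
    """True if client address addr matches one Match Address pattern."""
    if "/" in pattern:  # CIDR form: address/masklen
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(addr, pattern)  # wildcard form with '*' and '?'

def effective_permit_root_login(config: str, addr: str) -> str:
    """PermitRootLogin value sshd would apply to a client connecting from addr.

    Lines before the first Match set the global value; the first Match block
    whose Address list contains addr overrides it. Only 'Match Address' is modelled.
    """
    # "yes" was the built-in default in 2008-era sshd (newer releases use prohibit-password)
    default, override, section = "yes", None, "global"
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, args = (line.split(None, 1) + [""])[:2]
        keyword = keyword.lower()
        if keyword == "match":
            criterion, patterns = (args.split(None, 1) + [""])[:2]
            if criterion.lower() != "address":
                raise ValueError(f"only 'Match Address' is modelled: {line}")
            matched = any(address_matches(addr, p) for p in patterns.split(","))
            section = "match" if matched else "skip"
        elif keyword == "permitrootlogin":
            if section == "global":
                default = args
            elif section == "match" and override is None:
                override = args  # first matching block wins
    return override if override is not None else default

# Constructed samples: the two wildcard blocks quoted in the post (the "..."
# omitted), and the same intent written once as the /22 in CIDR form.
WILDCARD_CONFIG = """PermitRootLogin no
Match Address 192.168.89.*
PermitRootLogin yes
Match Address 192.168.88.*
PermitRootLogin yes
"""
CIDR_CONFIG = """PermitRootLogin no
Match Address 192.168.88.0/22
PermitRootLogin yes
"""
```

Against a real installation the authoritative check is `sshd -T -C user=root,host=<name>,addr=<ip>`, which prints the effective keyword values for that connection.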

