Contribution to 3.8.1pl1
TDSCAF
tdsc.af at infineon.com
Tue May 11 01:54:15 EST 2004
Hi,
here is another implementation for using netgroups in
{Allow|Deny}Users that is independent of NIS and
should also work with LDAP netgroups, if the libraries
on the respective OS support this.
Hello,
I added support for netgroups to be used in the
AllowUsers and DenyUsers parameters. This has some
advantages:
* hostnames or IP addresses need not be written or
maintained in the sshd_config file, but can be kept as
abstract names, which also simplifies large-scale
openssh installations a bit
* sshd_config need not change and sshd need not be restarted
when changing the list of allowed / denied users/hosts
in the NIS netgroups
Though considered to be dead some time in the future,
NIS still serves its purpose in many environments.
The netgroups will make their way into LDAP some time
in the future, then I'll probably post another patch.
For now I added the functionality mainly in the match.c
file, adapted the man-page files and autoconf to figure
out automatically if NIS client support is available
on the platform. The attached patch can be applied by
changing to the source directory of 3.8.1pl1 and
running
gunzip < /path/to/openssh-3.8.1p1.patch_af.gz | patch -p 1
Hope this will be included in the official distribution.
Everyone is welcome to review the modifications.
Regards,
Albert
--
diff -ru openssh-3.8.1p1/match.c openssh-3.8.1p1.paf/match.c
--- openssh-3.8.1p1/match.c Tue Mar 5 02:42:43 2002
+++ openssh-3.8.1p1.paf/match.c Mon May 10 09:42:14 2004
@@ -199,6 +199,39 @@
}
/*
+ * match user in @netgroup
+ */
+int
+match_user_or_netgroup(const char *user, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_pattern(user, pattern);
+
+#ifdef HAVE_INNETGR
+ return innetgr(pattern + 1, NULL, user, NULL);
+#else
+ return 0;
+#endif
+}
+
+/*
+ * match host in @netgroup
+ */
+int
+match_host_and_ip_or_netgroup(const char *host, const char * ipaddr, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_host_and_ip(host, ipaddr, pattern);
+
+#ifdef HAVE_INNETGR
+ return innetgr(pattern + 1, host, NULL, NULL)
+ || innetgr(pattern + 1, ipaddr, NULL, NULL);
+#else
+ return 0;
+#endif
+}
+
+/*
* match user, user at host_or_ip, user at host_or_ip_list against pattern
*/
int
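Review bot: the `#else return 0;` fallback in both new helpers makes `@netgroup` entries fail open in DenyUsers: on a build without HAVE_INNETGR (and likewise when innetgr() misses because the netgroup name is unknown or misspelled) `DenyUsers @banned` denies nobody and nothing is logged. Consider rejecting `@`-prefixed patterns at configuration parse time when netgroup lookup is not compiled in, or at least emitting a warning, and say so in the man page. Also, only `pattern[0] != '@'` is tested, so a negated entry such as `!@netgroup` is handed to match_pattern() as a literal string rather than being treated as a netgroup; either support the `!` prefix here or document that it cannot be combined with `@`.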
@@ -208,15 +241,18 @@
char *p, *pat;
int ret;
- if ((p = strchr(pattern,'@')) == NULL)
- return match_pattern(user, pattern);
+ if (strlen(pattern) < 1)
+ return 0;
+
+ if ((p = strchr(pattern + 1, '@')) == NULL)
+ return match_user_or_netgroup(user, pattern);
pat = xstrdup(pattern);
- p = strchr(pat, '@');
+ p = strchr(pat + 1, '@');
*p++ = '\0';
- if ((ret = match_pattern(user, pat)) == 1)
- ret = match_host_and_ip(host, ipaddr, p);
+ if ((ret = match_user_or_netgroup(user, pat)) == 1)
+ ret = match_host_and_ip_or_netgroup(host, ipaddr, p);
xfree(pat);
return ret;
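Review bot: the new `strlen(pattern) < 1` guard still lets a lone `@` through, which reaches `innetgr("", ...)` via match_user_or_netgroup() at +88; reject `pattern[1] == '\0'` for `@`-prefixed patterns as well. Searching from `pattern + 1` for the USER/HOST separator is the right way to let a `@usergroup` prefix coexist with the existing split, but note that `pattern` here is passed unchanged to match_user_or_netgroup(), whose parameter is declared `char *` in the hunk above; since both helpers only read the pattern, declare it `const char *` like match_pattern() and match_host_and_ip() so the pass-through from match_user() does not discard qualifiers.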
diff -ru openssh-3.8.1p1/sshd_config.0 openssh-3.8.1p1.paf/sshd_config.0
--- openssh-3.8.1p1/sshd_config.0 Sun Apr 18 14:52:00 2004
+++ openssh-3.8.1p1.paf/sshd_config.0 Thu May 6 17:31:35 2004
@@ -37,7 +37,10 @@
merical user ID is not recognized. By default, login is allowed
for all users. If the pattern takes the form USER at HOST then USER
and HOST are separately checked, restricting logins to particular
- users from particular hosts.
+ users from particular hosts. If NIS is available and netgroup
+ querying is built in, either USER and HOST can be the name of a
+ netgroup of users or hosts, respectively, prefixed with a @ . Then
+ @myusers@@myhosts is a valid entry here.
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
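Review bot: sshd_config.0 is the preformatted output generated from sshd_config.5 at release time, so this hunk and the one at -112 will be regenerated and should be dropped from the patch; only the .5 source needs editing.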
@@ -112,7 +115,10 @@
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER at HOST then USER and HOST are
separately checked, restricting logins to particular users from
- particular hosts.
+ particular hosts. If NIS is available and netgroup querying is
+ built in, either USER and HOST can be the name of a netgroup of
+ users or hosts, respectively, prefixed with the character @ .
+ Then e.g. @myusers@@myhosts is a valid entry here.
GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
diff -ru openssh-3.8.1p1/sshd_config.5 openssh-3.8.1p1.paf/sshd_config.5
--- openssh-3.8.1p1/sshd_config.5 Wed Apr 14 05:04:36 2004
+++ openssh-3.8.1p1.paf/sshd_config.5 Thu May 6 17:54:27 2004
@@ -96,7 +96,10 @@
By default, login is allowed for all users.
If the pattern takes the form USER at HOST then USER and HOST
are separately checked, restricting logins to particular
-users from particular hosts.
+users from particular hosts. If NIS is available and netgroup
+querying is built in, either USER and HOST can be the name of a
+netgroup of users or hosts, respectively, prefixed with a @ . Then
+ at myusers@@myhosts is a valid entry here.
.Pp
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
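Review bot: the added text says "If NIS is available", but the code is guarded by HAVE_INNETGR and the cover note states the lookup is independent of NIS, so describe the feature as netgroup lookup via innetgr(3) and leave the backing name service (NIS, LDAP, files) to the platform. "either USER and HOST can be the name of a netgroup" should read "USER and HOST can each be the name of a netgroup", and there is a stray space in "a @ .". mdoc convention starts every new sentence on a new line, so split the added sentences accordingly here and in the hunk at -206.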
@@ -206,7 +209,10 @@
By default, login is allowed for all users.
If the pattern takes the form USER at HOST then USER and HOST
are separately checked, restricting logins to particular
-users from particular hosts.
+users from particular hosts. If NIS is available and netgroup querying is
+built in, either USER and HOST can be the name of a netgroup of
+users or hosts, respectively, prefixed with the character @ .
+Then e.g. @myusers@@myhosts is a valid entry here.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
--
Albert Fluegel
science + computing ag, IT Services
Ingolstaedter Straße 22, 80807 Muenchen, Germany
phone +49 89 356386 851, fax +49 89 356386 737
www.science-computing.de
at Infineon: tdsc.af at infineon.com, phone +49 89 234 27690