OpenSSH 4.7p1 - support the use of netgroups in AllowUsers and

Hello,

I have attached a small patch that enables OpenSSH 4.7p1 to use
netgroups for users and hosts entries in the AllowUsers and DenyUsers
configuration options in sshd_config.

This has the following advantages:

* hostnames or ip addresses don't have to be maintained in sshd_config,
but you can use meaningful names for groups of users and groups of
hosts.

* large scale installations can manage user groups and host groups in a
central name service like NIS, NIS+, LDAP.

* sshd_config files no longer change when users and/or hosts are
added/removed from the groups of users/hosts.

* administration effort for large installations is reduced

* maintaining a consistent setup across a large set of systems is much
easier.

* systems without PAM support (that cannot use e.g. pam_list or
pam_access) can now use netgroup based access restrictions.

* the patch uses innetgr(3c) so netgroups can be stored in NIS, NIS+ or
LDAP, or any other directory service that is plugged into nsswitch and
that has a netgroup back end.

The changes were developed by Albert Fluegel af@muc.de and he has given
me permission to submit them to OpenSSH. I have ported them to the
current OpenSSH version, 4.7p1. I also want to thank Darren J Moffat
for proposing to use innetgr(3c). Any errors in the attached code
though are strictly mine.


While the syntax is not the nicest one (@myusers@@myhosts is a valid
entry), but using @ as a netgroup name prefix seems to be fairly common
(e.g. Linux NFS exports, shosts/rhosts, ...). It also avoids that user
or host names are accidentally interpreted as netgroups or vice versa.


Cheers
--pwo


--
Peter W. Osel -- http://pwo.de/ -- pwo@pwo.de



---snip--snap-------------------------------------------------------------------

diff -ru openssh-4.7p1/match.c openssh-4.7p1_pwo0/match.c
--- openssh-4.7p1/match.c Fri Aug 4 22:39:40 2006
+++ openssh-4.7p1_pwo0/match.c Mon Sep 17 15:49:57 2007
@@ -204,6 +204,39 @@
}

/*
+ * match user in @netgroup
+ */
+int
+match_user_or_netgroup(const char *user, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_pattern(user, pattern);
+
+#ifdef HAVE_INNETGR
+ return innetgr(pattern + 1, NULL, user, NULL);
+#else
+ return 0;
+#endif
+}
+
+/*
+ * match host in @netgroup
+ */
+int
+match_host_and_ip_or_netgroup(const char *host, const char * ipaddr, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_host_and_ip(host, ipaddr, pattern);
+
+#ifdef HAVE_INNETGR
+ return innetgr(pattern + 1, host, NULL, NULL)
+ || innetgr(pattern + 1, ipaddr, NULL, NULL);
+#else
+ return 0;
+#endif
+}
+
+/*
* match user, user@host_or_ip, user@host_or_ip_list against pattern
*/
int
@@ -213,15 +246,18 @@
char *p, *pat;
int ret;

- if ((p = strchr(pattern,'@')) == NULL)
- return match_pattern(user, pattern);
+ if (strlen(pattern) < 1)
+ return 0;

+ if ((p = strchr(pattern + 1, '@')) == NULL)
+ return match_user_or_netgroup(user, pattern);
+
pat = xstrdup(pattern);
- p = strchr(pat, '@');
+ p = strchr(pat + 1, '@');
*p++ = '\0';

- if ((ret = match_pattern(user, pat)) == 1)
- ret = match_host_and_ip(host, ipaddr, p);
+ if ((ret = match_user_or_netgroup(user, pat)) == 1)
+ ret = match_host_and_ip_or_netgroup(host, ipaddr, p);
xfree(pat);

return ret;

diff -ru openssh-4.7p1/sshd_config.5 openssh-4.7p1_pwo0/sshd_config.5
--- openssh-4.7p1/sshd_config.5 Mon Jun 11 00:07:13 2007
+++ openssh-4.7p1_pwo0/sshd_config.5 Mon Sep 17 16:04:55 2007
@@ -130,7 +130,10 @@
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
-users from particular hosts.
+users from particular hosts. If NIS or LDAP
+is available and netgroup querying is built in, either USER and
+HOST can be the name of a netgroup of users or hosts, respectively,
+prefixed with a @. Then @myusers@@myhosts is a valid entry here.
The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
@@ -268,8 +271,11 @@
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
-users from particular hosts.
-The allow/deny directives are processed in the following order:
+users from particular hosts. If NIS or LDAP is available and
+netgroup querying is built in, either USER and HOST can be the
+name of a netgroup of users or hosts, respectively, prefixed with
+the character @ . Then e.g. @myusers@@myhosts is a valid entry
+here. The allow/deny directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers ,
.Cm DenyGroups ,



---snip--snap-------------------------------------------------------------------
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev