This is a discussion on "Problem, possibly bug with AllowUsers & DenyUsers" within the OpenSSH Development forums, part of the Networking and Network Related category.
Hi there,
I have just compiled openssh-5.0 on Solaris 10, and am trying to set up a certain pattern of user access control. Essentially, regular users should be able to log in from any network, while root should be able to log in only from a private network 192.168.88.0/22. Actually, for the purpose of sshd_config, this is four networks, but that's another story...

Here is what I tried:

    DenyUsers root@!192.168.88.*

Result: root can log in from anywhere, while I expected it to be allowed only from 192.168.88.0/24.

So I ran a number of tests to see which will work correctly.

    DenyUsers root@192.168.88.40    # I used this client

Result: GOOD. root access denied from 192.168.88.40, allowed from other places.

    DenyUsers root@192.168.88.*

Result: GOOD. root access denied from 192.168.88.0/24, allowed from other places.

    DenyUsers root@!192.168.88.44

Result: BAD. root can log in from 192.168.88.40, or anywhere else.

So it seems the negation does not work. Continued tests:

    AllowUsers root@192.168.88.*

Result: GOOD. root can log in only from 192.168.88.0/24.

    AllowUsers root@!192.168.88.44

Result: BAD. root cannot log in from anywhere. In fact, no one can.

    AllowUsers root@!192.168.88.*

Result: BAD. root cannot log in from anywhere. In fact, no one can.

    AllowUsers root@192.168.88.* !root@*

Result: BAD. root can log in only from 192.168.88.0/24, but other users cannot log in at all.

    AllowUsers !root@*

Result: BAD. No one can log in from anywhere.

    AllowUsers !root

Result: BAD. No one can log in from anywhere.

Conclusion: Negation (!) does not work for either 'user' or 'address'.

Am I doing something wrong, or is this truly broken? If more information is needed, I will be happy to provide it.

Regards,
Andy

Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect
United Airlines

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
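As an added example (not from the original post and not OpenSSH code), the following Python model reproduces the poster's observations under the pattern-list rules documented in the PATTERNS section of ssh_config(5): a negated pattern only removes hosts that would otherwise have matched, and a list containing nothing but negated patterns never matches anything. Under those rules `DenyUsers root@!192.168.88.*` denies nobody and `AllowUsers root@!192.168.88.*` allows nobody, which is exactly what was observed; the documented way to use a negation is to pair it with a positive term such as `*`. The function names, the client addresses and the user `jdoe` are constructed for the example. Treating the HOST half of a USER@HOST entry as a comma-separated pattern list, and the USER half as a single glob, is this model's assumption and should be checked against the sshd version in use.

```python
"""Model of sshd AllowUsers/DenyUsers matching with ssh_config(5) PATTERNS
semantics.  Added example, not OpenSSH's own code.

Rules modelled:
  * '*' matches any run of characters, '?' one character;
  * a pattern list is comma-separated and '!' negates a pattern;
  * a negated pattern that matches rejects the whole list;
  * a negated pattern never yields a positive result by itself, so a
    list with only negated entries matches nothing.

Assumption (verify against your sshd): the HOST half of a USER@HOST
entry is such a pattern list; the USER half is a single glob.
"""
import fnmatch


def match_pattern(s: str, pattern: str) -> bool:
    """One glob pattern, no negation (fnmatch is a superset of ssh's * and ?)."""
    return fnmatch.fnmatchcase(s, pattern)


def match_pattern_list(s: str, patterns: str) -> bool:
    """True only if some positive pattern matched and no negated one did."""
    positive_hit = False
    for pat in patterns.split(","):
        pat = pat.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            if match_pattern(s, pat[1:]):
                return False          # a negated match rejects the list
        elif match_pattern(s, pat):
            positive_hit = True
    return positive_hit               # '!x' on its own matches nothing


def match_user_entry(user: str, addr: str, entry: str) -> bool:
    """One AllowUsers/DenyUsers token of the form USER or USER@HOST."""
    if "@" not in entry:
        return match_pattern(user, entry)
    upat, hpat = entry.split("@", 1)
    return match_pattern(user, upat) and match_pattern_list(addr, hpat)


def sshd_permits(user: str, addr: str, allow_users=(), deny_users=()) -> bool:
    """Documented order: DenyUsers is checked first, then AllowUsers (if set)."""
    if any(match_user_entry(user, addr, e) for e in deny_users):
        return False
    if allow_users:                   # AllowUsers turns sshd into an allow-list
        return any(match_user_entry(user, addr, e) for e in allow_users)
    return True


# Constructed client addresses: two inside 192.168.88.0/22, one outside.
CLIENTS = (("root", "192.168.88.40"), ("root", "192.168.90.3"),
           ("root", "10.9.8.7"), ("jdoe", "10.9.8.7"))

# Covers the whole /22 the poster wanted: four negated /24s plus a positive '*'.
ROOT_ONLY_FROM_LAN = ("root@!192.168.88.*,!192.168.89.*,"
                      "!192.168.90.*,!192.168.91.*,*")


def reproduce_post() -> dict:
    """Map each sshd_config line to (root@88.40, root@90.3, root@10.9.8.7, jdoe@10.9.8.7)."""
    cases = {
        "DenyUsers root@!192.168.88.*": dict(deny_users=["root@!192.168.88.*"]),
        "DenyUsers root@192.168.88.*": dict(deny_users=["root@192.168.88.*"]),
        "AllowUsers root@192.168.88.*": dict(allow_users=["root@192.168.88.*"]),
        "AllowUsers root@!192.168.88.*": dict(allow_users=["root@!192.168.88.*"]),
        "AllowUsers !root": dict(allow_users=["!root"]),
        "DenyUsers " + ROOT_ONLY_FROM_LAN: dict(deny_users=[ROOT_ONLY_FROM_LAN]),
    }
    return {cfg: tuple(sshd_permits(u, a, **kw) for u, a in CLIENTS)
            for cfg, kw in cases.items()}


if __name__ == "__main__":
    for cfg, outcome in reproduce_post().items():
        print(f"{cfg:<75} {outcome}")
```

Run stand-alone, the model prints the same "GOOD"/"BAD" outcomes the poster lists, and the last line shows the negation doing useful work once a positive `*` follows it. On OpenSSH 4.4 and later the same policy is expressed more directly, and without relying on pattern-list negation, by setting `PermitRootLogin no` globally and re-enabling it inside a `Match Address 192.168.88.0/22` block.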