Date: Sat, 22 Oct 2011 08:47:09 GMT
From: Petr Lampa <lampa@fit.vutbr.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/161893: sshd DenyUsers user@!*.dom doesn't work
Message-ID: <201110220847.p9M8l9Td069545@red.freebsd.org>
Resent-Message-ID: <201110220850.p9M8o8s9087333@freefall.freebsd.org>
>Number:         161893
>Category:       bin
>Synopsis:       sshd DenyUsers user@!*.dom doesn't work
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 22 08:50:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Petr Lampa
>Release:        8.2-STABLE
>Organization:
FIT VUT
>Environment:
FreeBSD xxxx z 8.2-STABLE FreeBSD 8.2-STABLE #20: Mon May 9 11:39:59 CEST 2011
>Description:
This is a long-standing bug in openssh - negative pattern in DenyUsers doesn't work:

/etc/ssh/sshd_config
..
DenyUsers user@!*local.dom

The reason is a missing piece of code in crypto/openssh/match.c:

		/* Try to match the subpattern against the string. */
		if (match_pattern(string, sub)) {
		..
+		} else {
+			if (negated)
+				got_positive = 1;
		}

After this change (and reinstall of libssh), user connecting from non-local domain is matched:

xxx sshd[11991]: User user from dns2.pavianetwork.com not allowed because listed in DenyUsers
>How-To-Repeat:
Use DenyUsers with negative domain pattern, it will not match.
>Fix:
*** crypto/openssh/match.c.orig	2009-04-08 19:39:43.000000000 +0200
--- crypto/openssh/match.c	2009-04-08 19:39:46.000000000 +0200
***************
*** 159,164 ****
--- 159,167 ----
  			return -1;		/* Negative */
  		else
  			got_positive = 1;	/* Positive */
+ 		} else {
+ 			if (negated)
+ 				got_positive = 1;
  		}
  	}
>Release-Note:
>Audit-Trail:
>Unformatted:
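Review bot: this inverts the documented pattern-list rule that a negated term never produces a positive match by itself. The new "} else { if (negated) got_positive = 1; }" in match_pattern_list() makes every non-matching negated subpattern count as a positive match, and because match_pattern_list() is the shared matcher behind all of sshd's pattern lists (AllowUsers, authorized_keys from=, and so on), not only DenyUsers, the change widens access elsewhere: for an allow-style list such as from="!*.dialup.example.com,*.example.com" a host in neither domain would now match positively, since the negated term misses and sets got_positive. The visible context lines already implement the intended mechanism (a matching negated term returns -1 immediately), so the documented way to get the deny the PR wants is a trailing positive catch-all, DenyUsers user@!*local.dom,*, which yields -1 for local hosts and 1 for everything else with no code change. If a change is still wanted, it belongs in the DenyUsers handling rather than in the generic matcher.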
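To compare the two behaviours discussed above, here is an added example, not OpenSSH's code and not from the submitter: a stand-alone C model of match_pattern() and match_pattern_list() from crypto/openssh/match.c, the function that matches the host part of a user@host DenyUsers entry, with a "patched" switch that applies the PR's proposed branch. The glob implementation and the 256-byte subpattern limit are simplifications I assume for the example, not OpenSSH's exact code; the host names in the checks are constructed.

```c
/* Added example (not OpenSSH's code): a minimal model of the pattern-list
 * matcher in crypto/openssh/match.c, with a switch for the PR's proposed change. */
#include <string.h>

/* Returns 1 if s matches glob p ('*' and '?' supported, case-sensitive), else 0. */
static int match_pattern(const char *s, const char *p)
{
    for (;; s++, p++) {
        if (*p == '*') {                  /* try every split point for '*' */
            for (;; s++) {
                if (match_pattern(s, p + 1))
                    return 1;
                if (*s == '\0')
                    return 0;
            }
        }
        if (*p == '\0' || *s == '\0')
            return *p == *s;              /* both must end together */
        if (*p != '?' && *p != *s)
            return 0;
    }
}

/* OpenSSH semantics: 1 = positive match, -1 = negated match, 0 = no match. With
 * patched=1 a negated subpattern that does NOT match also counts as positive. */
static int match_pattern_list(const char *string, const char *list, int patched)
{
    char sub[256];
    int got_positive = 0;

    while (*list != '\0') {
        int negated = (*list == '!');
        size_t n;
        list += negated;                  /* skip the '!' */
        n = strcspn(list, ",");           /* length of this subpattern */
        if (n >= sizeof(sub))
            return 0;                     /* subpattern too long: no match */
        memcpy(sub, list, n);
        sub[n] = '\0';
        list += n + (list[n] == ',');     /* step past the comma, if any */
        if (match_pattern(string, sub)) {
            if (negated)
                return -1;                /* an explicit negation always wins */
            got_positive = 1;
        } else if (patched && negated) {
            got_positive = 1;             /* the PR's proposed addition */
        }
    }
    return got_positive;
}
```

Unpatched, "!*local.dom" never matches a remote host (result 0, so no deny) while "!*local.dom,*" denies it (result 1) and still returns -1 for a local host; with patched=1 an allow list like "!*.dialup.example.com,*.example.com" starts matching hosts outside example.com altogether.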