Bug 1546 - sshd_config DenyUsers does not recognize negated host properly
Summary: sshd_config DenyUsers does not recognize negated host properly
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 5.1p1
Hardware: All All
Importance: P4 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-19 07:53 AEDT by Eric Sisson
Modified: 2009-01-08 02:15 AEDT (History)

See Also:


Attachments
diff output for file match.c (108 bytes, text/plain)
2008-12-19 07:53 AEDT, Eric Sisson

Description Eric Sisson 2008-12-19 07:53:59 AEDT
Created attachment 1590: diff output for file match.c

The following specification in sshd_config

  DenyUsers oracle@!localhost.localdomain

intended to allow user oracle to connect only from the localhost (that is, from another user already logged into the host) still allows user oracle to connect from remote hosts.

I traced this to the fact that function "match_pattern_list" in file "match.c" lacks code to handle this case. The attachment contains a diff to add the missing code in the form of an "else" branch to an "if" block near the end of the major "for" loop in the function. Although the diff is relative to the 5.1p1 version, I encountered the problem working with the 3.9p1 version; the code is consistent in these versions.

The meaning of the additional code is the following:

- If a string fails to match the subpattern of the configuration, then execution will flow into the "else" branch.

- Normally, the failure of a match is a failure ("got_positive" retains its initialized value of zero).

- However, where a failure is desired (the "!" in the specification subpattern), the occurrence of a failure is a "success", so "got_positive" should be set to one.
Comment 1 Eric Sisson 2009-01-08 02:15:53 AEDT
I had posted a message to openssh-unix-dev on this issue, and I received a reply suggesting that instead of modifying the code of OpenSSH to recognize my sshd_config configuration directive

  DenyUsers oracle@!localhost.localdomain

I should specify instead

  DenyUsers oracle@*,!localhost.localdomain

I have tried this and it does work. However, this seems less direct and obvious than my (unsuccessful) specification, and I still think that mine should be allowed to work. I will admit that my proposed change may have unintended consequences.

At this point, I am not sure whether the problem may properly be described as a logic error in the code, obscure semantics of the pattern-matching algorithm, or incomplete documentation of the pattern-matching specifications.

I will defer to the judgement of the OpenSSH team on how best to handle this situation.
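To make the semantics discussed in the report and in comment 1 concrete, here is an added Python re-implementation of the comma-separated subpattern loop in match_pattern_list() and of the user@host evaluation a DenyUsers entry goes through. It is example code written for this page, not OpenSSH's own, and the `patched` flag stands in for the "else" branch proposed in the attachment; the host names are constructed.

```python
"""Re-implementation of OpenSSH match_pattern_list() semantics (constructed
example, not the project's code) showing why 'oracle@!localhost.localdomain'
fails to deny remote logins while 'oracle@*,!localhost.localdomain' works."""
from fnmatch import fnmatchcase


def match_pattern_list(string: str, pattern: str, patched: bool = False) -> int:
    """Return 1 on a positive match, -1 on a negated match, 0 on no match.

    A '!' prefix negates a subpattern; any negated hit rejects immediately.
    With patched=True a negated subpattern that does NOT match counts as a
    positive hit, which is the behaviour the attached diff proposes.
    """
    got_positive = 0
    for sub in pattern.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        # fnmatchcase covers the '*' and '?' wildcards match_pattern() knows
        if fnmatchcase(string, sub):
            if negated:
                return -1          # negative match: reject at once
            got_positive = 1       # positive match: remember, keep scanning
        elif negated and patched:
            got_positive = 1       # proposed patch: failing to match "!x" succeeds
    return got_positive


def deny_users_matches(user: str, host: str, spec: str, patched: bool = False) -> bool:
    """Evaluate one DenyUsers entry ('user' or 'user@hostpattern').

    The entry applies (login denied) only when both the user part and the
    host part yield a positive match, like match_user() in sshd.
    """
    if "@" not in spec:
        return match_pattern_list(user, spec) == 1
    user_pat, _, host_pat = spec.partition("@")
    if match_pattern_list(user, user_pat) != 1:
        return False
    return match_pattern_list(host, host_pat, patched) == 1


if __name__ == "__main__":
    for spec in ("oracle@!localhost.localdomain", "oracle@*,!localhost.localdomain"):
        for host in ("localhost.localdomain", "remote.example.org"):  # constructed hosts
            print(f"{spec:36} {host:22} denied={deny_users_matches('oracle', host, spec)}")
```

Running it shows the reported behaviour: the first spec never denies oracle, because a lone negated subpattern can only ever yield -1 or 0, never the positive 1 that a deny requires, whereas the `*,!localhost.localdomain` form from comment 1 denies every host except the exempted one.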