Created attachment 2061: patch to fix the 'bug'

The code in match_pattern_list will never return 1 for a pattern with all negated entries. In particular this match line can never succeed:

Match User !adminguy Group sftponly

The problem is that the code at match.c line 157 only tests for negation in the case of successful matching. In this case we want the User test to succeed if the user is not adminguy. That can happen if the code is patched to set get_positive if a failed match is negated. The attached trivial patch does that. Of course I am making the rather feeble assumption that negated failure == true.
Retarget from 6.0 to 6.1
Retarget 6.0 => 6.1
Retarget uncompleted bugs from 6.1 => 6.2
Retarget bugs from 6.1 => 6.2
retarget to openssh-6.3
Retarget to openssh-6.4
Retarget 6.3 -> 6.4
Retarget incomplete bugs / feature requests to 6.6 release
Retarget to 6.7 release, since 6.6 was mostly bugfixing.
Remove from 6.6 tracking bug
Retarget incomplete bugs to 6.8 release.
These bugs are no longer targeted at the imminent 6.7 release
OpenSSH 6.8 is approaching release and closed for major work. Retarget these bugs for the next release.
Retarget to 6.9
*** Bug 1680 has been marked as a duplicate of this bug. ***
This has some chance at breaking existing configurations, so retarget to the 7.0 release where we are a little more tolerant of breakage.
Retarget pending bugs to openssh-7.1
Retarget to openssh-7.3
retarget unfinished bugs to next release
This is fixed and will be in the OpenSSH 7.4 release. Thanks!

commit 4067ec8a4c64ccf16250c35ff577b4422767da64
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Aug 23 03:22:49 2016 +0000

    upstream commit

    fix matching for pattern lists that contain a single negated match,
    e.g. "Host !example" report and patch from Robin Becker. bz#1918
    ok dtucker@

    Upstream-ID: 05a0cb323ea4bc20e98db099b42c067bfb9ea1ea
I guess all's well that ends well :)
I've reverted this fix because it yields surprising behaviour, e.g.

Match address 2002::/16,!::1

will also match 10.0.0.1. I'll look at a better fix, probably a combination of special-casing match strings that consist solely of negated matches and better documentation.
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back. To calibrate expectations, there's little chance all of these are going to make 7.6.
remove 7.5 target
*** Bug 2397 has been marked as a duplicate of this bug. ***
Created attachment 3039: improved negated match heuristic

Revisiting this, I think I've come up with a heuristic that doesn't yield horrible surprises:

If a pattern-list contains a mixture of negated and non-negated patterns, then it will only return success if the comparison string matches one of the non-negated patterns. E.g.

match("foo.example.com", "!bar.example.com,*.example.com") => success
match("bar.example.com", "!bar.example.com,*.example.com") => failure
match("notexample.com", "!bar.example.com,*.example.com") => failure

If the pattern-list contains only negated matches, then it will return success if none of them match. E.g.

match("a", "!a,!b") => failure
match("a", "!b,!c") => success

These examples use test strings, but the same logic applies for address matching too. This patch implements this heuristic and adds unit tests for it.
I couldn't reach consensus with the other developers on applying this patch, so have clarified the documentation instead:

> Note that a negated match will never produce a positive result
> by itself. For example, attempting to match "host3" against the
> following pattern-list will fail:
>
> from="!host1,!host2"
>
> The solution here is to include a term that will yield a
> positive match, such as a wildcard:
>
> from="!host1,!host2,*"
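The two negation semantics argued over in this bug side by side, as an added example that is not OpenSSH's match.c and not the code in either attachment. match_list_documented() follows the behaviour the manual text quoted above describes (a negated entry only has an effect when it matches, so a list of nothing but negated entries never succeeds, which is why "Match User !adminguy" from the first comment never fires). match_list_heuristic() follows the rule proposed in attachment 3039. The wildcard helper glob_match() is an assumed minimal '*'/'?' matcher written for this example, and the hostnames are constructed test strings; address/CIDR matching is not covered.

```c
/* Added example for bz#1918: not OpenSSH code. Compares the documented
 * pattern-list negation semantics with the heuristic from attachment 3039.
 * Return convention (mirrors the one the bug discusses): 1 = match,
 * 0 = no match, -1 = a negated entry matched. */
#include <stdio.h>
#include <string.h>

#define MAX_PAT 256

/* Hypothetical minimal wildcard matcher: '*' matches any run of
 * characters, '?' matches exactly one. Written for this example only. */
static int glob_match(const char *s, const char *p)
{
    for (;;) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (glob_match(s, p))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
        s++;
        p++;
    }
}

/* Copy the next comma-separated entry of *listp into pat.
 * Returns 0 when the list is exhausted. Over-long entries are truncated. */
static int next_entry(const char **listp, char *pat, size_t patlen)
{
    const char *p = *listp, *end;
    size_t n;

    if (*p == '\0')
        return 0;
    end = strchr(p, ',');
    n = end ? (size_t)(end - p) : strlen(p);
    if (n >= patlen)
        n = patlen - 1;
    memcpy(pat, p, n);
    pat[n] = '\0';
    *listp = end ? end + 1 : p + n;
    return 1;
}

/* Documented semantics: a negated entry that matches fails the whole
 * list; a negated entry that does not match contributes nothing. Only a
 * positive (non-negated) entry can make the list succeed. */
int match_list_documented(const char *s, const char *list)
{
    char pat[MAX_PAT];
    int got_positive = 0;

    while (next_entry(&list, pat, sizeof(pat))) {
        if (pat[0] == '!') {
            if (glob_match(s, pat + 1))
                return -1;
        } else if (glob_match(s, pat)) {
            got_positive = 1;
        }
    }
    return got_positive;
}

/* Heuristic from attachment 3039: a matching negated entry still fails
 * the list; with a mixture of entries, success requires a positive
 * match; with only negated entries, success means none of them matched. */
int match_list_heuristic(const char *s, const char *list)
{
    char pat[MAX_PAT];
    int have_positive = 0, got_positive = 0;

    while (next_entry(&list, pat, sizeof(pat))) {
        if (pat[0] == '!') {
            if (glob_match(s, pat + 1))
                return -1;
        } else {
            have_positive = 1;
            if (glob_match(s, pat))
                got_positive = 1;
        }
    }
    return have_positive ? got_positive : 1;
}

int main(void)
{
    /* Constructed inputs taken from the examples in this bug. */
    static const char *const cases[][2] = {
        { "bob", "!adminguy" },
        { "host3", "!host1,!host2" },
        { "host3", "!host1,!host2,*" },
        { "foo.example.com", "!bar.example.com,*.example.com" },
        { "bar.example.com", "!bar.example.com,*.example.com" },
        { "notexample.com", "!bar.example.com,*.example.com" },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-16s vs %-36s documented=%2d heuristic=%2d\n",
               cases[i][0], cases[i][1],
               match_list_documented(cases[i][0], cases[i][1]),
               match_list_heuristic(cases[i][0], cases[i][1]));
    return 0;
}
```

The only rows where the two functions disagree are the all-negated lists: the documented rule returns 0 for "host3" against "!host1,!host2" (and for "bob" against "!adminguy"), while the heuristic returns 1. Every mixed list gives the same answer under both rules, which is the property the attachment 3039 comment was aiming for.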
Close all resolved bugs after release of OpenSSH 7.7.