2397 – Match block doesn't match negated addresses

Bug 2397 - Match block doesn't match negated addresses

Summary: Match block doesn't match negated addresses

Status:	CLOSED DUPLICATE of bug 1918

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	sshd (show other bugs)
Version:	6.8p1
Hardware:	Other Linux

Importance:	P5 minor
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:	1918
Blocks:
	Show dependency tree / graph

Reported:	2015-05-13 01:40 AEST by Jakub Jelen
Modified:	2018-04-06 12:26 AEST (History)
CC List:	1 user (show)

See Also:

Attachments
proposed patch (328 bytes, text/plain) 2015-05-13 01:40 AEST, Jakub Jelen	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jakub Jelen 2015-05-13 01:40:38 AEST

Created attachment 2619 [details]
proposed patch

Recently we got some report about sshd_config documentation and behaviour in corner cases. One of the problems found during the analysis was that when using Match blocks, we are unable to match negated addresses.

In this example, the block is *never* matched:

[root@r6 ~]# tail -n 3 /etc/ssh/sshd_config
AuthenticationMethods password
Match Address !1.2.3.4
    AuthenticationMethods publickey,password

[root@r6 build]# sshd -TC user=none,host=myhost,addr=1.2.3.4 | grep authenticationmethods
authenticationmethods password
[root@r6 build]# sshd -TC user=none,host=myhost,addr=1.2.3.5 | grep authenticationmethods
authenticationmethods password
## should return "authenticationmethods publickey,password"

From this issue I got to function addr_match_list, that is not handling properly negated addresses. I put together few assertions that should apply from my point of view:

assert(addr_match_list("1.2.3.4", "1.2.3.4") == 1);
assert(addr_match_list("1.2.3.4", "1.2.3.5") == 0);
assert(addr_match_list("1.2.3.4", "!1.2.3.5") == 1); // current version returns 0
assert(addr_match_list("1.2.3.4", "!1.2.3.4") == -1);
assert(addr_match_list("1.2.3.4", "1.2.3.4,1.2.3.5") == 1);
assert(addr_match_list("1.2.3.4", "1.2.3.5,1.2.3.6") == 0);
assert(addr_match_list("1.2.3.4", "!1.2.3.5,!1.2.3.6") == 1); // current version returns 0
assert(addr_match_list("1.2.3.4", "!1.2.3.4,!1.2.3.5") == -1);
assert(addr_match_list("1.2.3.4", "1.2.3.5,1.2.3.4") == 1);
assert(addr_match_list("1.2.3.4", "!1.2.3.5,!1.2.3.4") == -1);

I believe that this change can be potentially regression, but I would like you to review this issue and attached patch. If you wish, I can also create some unit test or ellaborate on this topic more.

Comment 1 Damien Miller 2015-05-22 13:30:36 AEST

match_pattern_list() is similarly broken, see bug 1918

IMO we should fix them both at once and have a unit test for both. And do it in the 7.0 release, where we are a bit more willing to break stuff.

Comment 2 Damien Miller 2016-02-26 14:44:31 AEDT

Retarget to openssh-7.3

Comment 3 Damien Miller 2016-02-26 14:47:24 AEDT

Retarget to openssh-7.3

Comment 4 Damien Miller 2016-07-22 14:10:57 AEST

retarget unfinished bugs to next release

Comment 5 Damien Miller 2016-07-22 14:14:50 AEST

retarget unfinished bugs to next release

Comment 6 Damien Miller 2016-07-22 14:15:51 AEST

retarget unfinished bugs to next release

Comment 7 Damien Miller 2016-07-22 14:17:16 AEST

retarget unfinished bugs to next release

Comment 8 Damien Miller 2016-08-23 14:35:05 AEST

This is fixed and will be in the OpenSSH 7.4 release. Thanks!

commit cc182d01cef8ca35a1d25ea9bf4e2ff72e588208
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Aug 23 03:24:10 2016 +0000

    upstream commit
    
    fix negated address matching where the address list
    consists of a single negated match, e.g. "Match addr !192.20.0.1"
    
    Report and patch from Jakub Jelen. bz#2397 ok dtucker@
    
    Upstream-ID: 01dcac3f3e6ca47518cf293e31c73597a4bb40d8

Comment 9 Damien Miller 2016-09-22 02:59:10 AEST

I've reverted this fix because it yields surprising behaviour, e.g.

Match address 2002::/16,!::1

will also match 10.0.0.1 (I'm using the example from bug #1918, but the same logic applies here too). I'll look at a better fix, probably a combination of special-casing match strings that consist solely of negated matches and better documentation.

Comment 10 Damien Miller 2016-12-16 14:31:23 AEDT

OpenSSH 7.4 release is closing; punt the bugs to 7.5

Comment 11 Damien Miller 2017-06-30 13:43:00 AEST

Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back.

To calibrate expectations, there's little chance all of these are going to make 7.6.

Comment 12 Damien Miller 2017-06-30 13:44:30 AEST

remove 7.5 target

Comment 13 Damien Miller 2017-08-25 18:55:17 AEST

Merge this with the other match bug because I'm going to tackle them together

*** This bug has been marked as a duplicate of bug 1918 ***

Comment 14 Damien Miller 2018-04-06 12:26:53 AEST

Close all resolved bugs after release of OpenSSH 7.7.