Re: Negated patterns in AllowedUsers
- From: Radek Hladik <radek@xxxxxxxxxx>
- Date: Tue, 04 Sep 2007 20:37:37 +0200
I need to log in locally via ssh, not by console. I want to incorporate SSH keys and agent forwarding to verify who can log on as root.
Christian Grunfeld wrote:
For the root user it is quite easy. Just put
This only allows you to log in through the local console
2007/9/2, Radek Hladik <radek@xxxxxxxxxx>:
Hi,
I am a little bit confused about patterns behavior when used in
AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers root@localhost !root
which should enable root from localhost and all non-root users from
anywhere. However, the username part is matched with the match_pattern
function, and this function does not take ! into account (see function
match_user in match.c).
Secondly I tried
which should deny root when logging from anywhere but localhost.
The function match_host_and_ip does call match_hostname, which calls
match_pattern_list. But if the match_hostname function returns -1, which
means "match found and negation was requested", match_host_and_ip returns
false as if there were no match. In fact, at least one _positive_ match
is required to return true:
    /* negative ipaddr match */
    if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
        return 0;
    /* negative hostname match */
    if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
        return 0;
    /* no match at all */
    if (mhost == 0 && mip == 0)
        return 0;
    return 1;
Is there any reason for such a behavior? And is there any other way
to limit root to localhost in sshd? I know I can limit it i.e. via
pam_access, but I would expect sshd to be able to do it.
P.S. Version of OpenSSH is openssh-4.5p1
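The matching rules the post walks through, as an added example that is not OpenSSH's own match.c: a reduced C reconstruction of match_pattern, match_pattern_list, match_host_and_ip and match_user, plus an AllowUsers-style loop (allowed_by_list, a name introduced here), so the two patterns from the post can be evaluated offline. Host names and addresses (localhost/127.0.0.1 and client.example.com/192.0.2.10) are constructed sample values. It goes slightly beyond the post by also evaluating a host list that mixes a negation with a positive wildcard, to show the positive-match requirement in action.

```c
/* Added example (not OpenSSH's own source): a reduced reconstruction of the
 * match.c semantics discussed above. Host names and addresses are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Glob match: '*' any run, '?' one char. '!' is an ordinary character here. */
int match_pattern(const char *s, const char *p) {
    for (;; s++, p++) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (match_pattern(s, p))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
    }
}

/* Comma-separated list, leading '!' negates: -1 as soon as a negated subpattern
 * matches, 1 if a positive one matched, else 0. match_hostname is this, dolower=1. */
int match_pattern_list(const char *string, const char *pattern, int dolower) {
    char sub[256];
    size_t i = 0, subi, len = strlen(pattern);
    int got_positive = 0;
    while (i < len) {
        int negated = (pattern[i] == '!');
        if (negated)
            i++;
        for (subi = 0; i < len && subi < sizeof(sub) - 1 && pattern[i] != ','; subi++, i++)
            sub[subi] = dolower ? (char)tolower((unsigned char)pattern[i]) : pattern[i];
        if (subi >= sizeof(sub) - 1)
            return 0;               /* overlong subpattern: no match */
        if (i < len && pattern[i] == ',')
            i++;
        sub[subi] = '\0';
        if (match_pattern(string, sub)) {
            if (negated)
                return -1;          /* a negative match wins outright */
            got_positive = 1;       /* remember, but keep scanning for '!' */
        }
    }
    return got_positive;
}

/* The function quoted in the post: a negative match on host or address
 * denies, and at least one positive match is still required. */
int match_host_and_ip(const char *host, const char *ipaddr, const char *patterns) {
    int mhost, mip;
    if ((mip = match_pattern_list(ipaddr, patterns, 1)) == -1)
        return 0;
    if ((mhost = match_pattern_list(host, patterns, 1)) == -1)
        return 0;
    if (mhost == 0 && mip == 0)
        return 0;
    return 1;
}

/* user[@hostpattern]: the user part is a plain match_pattern, so "!root"
 * means a user literally named "!root", not "anyone but root". */
int match_user(const char *user, const char *host, const char *ipaddr, const char *pattern) {
    char pat[256], *p;
    int ret;
    if (strchr(pattern, '@') == NULL)
        return match_pattern(user, pattern);
    if (strlen(pattern) >= sizeof(pat))
        return 0;
    strcpy(pat, pattern);
    p = strchr(pat, '@');
    *p++ = '\0';
    if ((ret = match_pattern(user, pat)) == 1)
        ret = match_host_and_ip(host, ipaddr, p);
    return ret;
}

/* AllowUsers-style decision (name introduced here): allowed iff some pattern matches. */
int allowed_by_list(const char *user, const char *host, const char *ipaddr,
                    const char *const *patterns, int n) {
    for (int i = 0; i < n; i++)
        if (match_user(user, host, ipaddr, patterns[i]))
            return 1;
    return 0;
}

int main(void) {
    static const char *const allow[] = { "root@localhost", "!root" };   /* the post's first attempt */
    printf("root@localhost=%d root@remote=%d alice@remote=%d\n",
           allowed_by_list("root", "localhost", "127.0.0.1", allow, 2),
           allowed_by_list("root", "client.example.com", "192.0.2.10", allow, 2),
           allowed_by_list("alice", "client.example.com", "192.0.2.10", allow, 2));
    return 0;
}
```

Running it shows the lockout the post describes: with `root@localhost !root`, root from localhost is allowed, root from a remote host is refused, but so is alice from anywhere, because `!root` in the user part only ever matches a user literally named `!root`. On the host side, a list consisting only of `!localhost` can never allow anyone (both results are 0, so the "no match at all" branch fires), while `!localhost,*` allows remote peers and refuses localhost, since a negated match returns -1 before the wildcard is even considered.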