Re: Negated patterns in AllowedUsers

I need to login locally via ssh not by console. I want to incorporate SSH keys and agent forwaring to verify who can logon as root.


Christian Grunfeld napsal(a):

for root user is quite easy. Just put
PermitRootLogin No

in sshd_config

This only allow you to login thru local console


2007/9/2, Radek Hladik <radek@xxxxxxxxxx>:
I am a little bit confused about patterns behavior when used in
AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers root@localhost !root
which should enable root from localhost and all nonroot users from
anywhere. However the username part is matched with match_pattern
function and this function does not take ! into account (see func
match_user in match.c).
Secondly I tried
DenyUsers root@!localhost
which should deny root when logging from anywhere but localhost.
Function match_host_and_ip does call match_hostname which calls
match_pattern_list. But if match_hostname function returns -1 which
means "match found and negation was requested", match_host_and_ip return
false as there would be no match. As fact at least one _positive_ match
is required to return true:

/* negative ipaddr match */
if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
return 0;
/* negative hostname match */
if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
return 0;
/* no match at all */
if (mhost == 0 && mip == 0)
return 0;
return 1;

Is there any reason for such a behavior? And is there any other way how
to limit root to localhost in sshd? I know I can limit it i.e. via
pam_access but I would expect sshd to be able to do it.

Radek Hladik

P.S. Version of OpenSSH is openssh-4.5p1

Relevant Pages

  • Re: su: not running setuid
    ... No I am not able to login as root from other consoles also. ... It is not accepting my uname and passwd. ... Can you even log in as root from the console? ...
  • Re: logging console login
    ... What i want in common with Linux and Solaris is console logins to ... least network logins can be bared from root login and force people to login as themselves and switch user, but root login at the console is ... Solaris and Linux log this event without any further configuration, but with HP and AIX for that matter they dont at the moment. ...
  • SUMARY: Cant login as root
    ... As a result, i was not able to log in as root, neither create a new ... Asunto: RE: Can't login as root ... > console. ... > If we log as any other user everythig is ok, but we cannot either do su-. ...
  • Solaris root login only at console question
    ... so that direct root login isn't allowed except on the console. ... If I supply the incorrect password, I get another prompt for username: ...
  • Re: Root password expired - not your typical case
    ... Within the last couple days the root password expired. ... When I attempt to login at the console as root, ... It is possible to disable root logins from the console and doing so is even recommended as a security precaution. ...