From nobody@FreeBSD.org Sat Oct 22 08:47:11 2011 Return-Path: Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0CB9E1065673 for ; Sat, 22 Oct 2011 08:47:11 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id F16258FC08 for ; Sat, 22 Oct 2011 08:47:10 +0000 (UTC) Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p9M8l9kO069546 for ; Sat, 22 Oct 2011 08:47:09 GMT (envelope-from nobody@red.freebsd.org) Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id p9M8l9Td069545; Sat, 22 Oct 2011 08:47:09 GMT (envelope-from nobody) Message-Id: <201110220847.p9M8l9Td069545@red.freebsd.org> Date: Sat, 22 Oct 2011 08:47:09 GMT From: Petr Lampa To: freebsd-gnats-submit@FreeBSD.org Subject: sshd DenyUsers user@!*.dom doesn't work X-Send-Pr-Version: www-3.1 X-GNATS-Notify: >Number: 161893 >Category: bin >Synopsis: [patch] sshd(8) DenyUsers user@!*.dom doesn't work >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Oct 22 08:50:07 UTC 2011 >Closed-Date: >Last-Modified: Sat Oct 22 16:05:06 UTC 2011 >Originator: Petr Lampa >Release: 8.2-STABLE >Organization: FIT VUT >Environment: FreeBSD xxxx z 8.2-STABLE FreeBSD 8.2-STABLE #20: Mon May 9 11:39:59 CEST 2011 >Description: This is long standing bug in openssh - negative pattern in DenyUsers doesn't work: /etc/ssh/sshd_config .. DenyUsers user@!*local.dom The reason is missing peace of code in crypto/openssh/match.c: /* Try to match the subpattern against the string. */ if (match_pattern(string, sub)) { .. + } else { + if (negated) + got_positive = 1; } After this change (and reinstall of libssh), user connecting from non-local domain is matched: xxx sshd[11991]: User user from dns2.pavianetwork.com not allowed because listed in DenyUsers >How-To-Repeat: Use DenyUsers with negative domain pattern, it will not match. >Fix: *** crypto/openssh/match.c.orig 2009-04-08 19:39:43.000000000 +0200 --- crypto/openssh/match.c 2009-04-08 19:39:46.000000000 +0200 *************** *** 159,164 **** --- 159,167 ---- return -1; /* Negative */ else got_positive = 1; /* Positive */ + } else { + if (negated) + got_positive = 1; } } >Release-Note: >Audit-Trail: >Unformatted: