Bug 161893

Summary: [patch] sshd(8) DenyUsers user@!*.dom doesn't work
Product: Base System
Reporter: lampa
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me
Keywords: patch
Priority: Normal
Version: 10.2-BETA1
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description lampa 2011-10-22 09:50:07 UTC
This is a long-standing bug in OpenSSH: a negative pattern in DenyUsers doesn't work:

/etc/ssh/sshd_config
..
DenyUsers user@!*local.dom

The reason is a missing piece of code in crypto/openssh/match.c:

                /* Try to match the subpattern against the string. */
                if (match_pattern(string, sub)) {
..
+               } else {
+                       if (negated)
+                               got_positive = 1;
                }
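
Review bot: the new else branch sets got_positive for every negated subpattern that fails to match, without checking whether the list also contains positive subpatterns. Assuming got_positive drives the return value as its name suggests, a mixed list would then report a match for any string that merely misses the negated entry, even when none of the positive entries match it. Consider setting the flag after the loop, and only when every subpattern was negated and none of them matched, and add a comment stating the intended meaning of a negated-only list. As a style point, the nested `if (negated)` can be folded into `} else if (negated) {`.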

After this change (and a reinstall of libssh), a user connecting from a non-local domain is matched:

xxx sshd[11991]: User user from dns2.pavianetwork.com not allowed because listed in DenyUsers

How-To-Repeat: Use DenyUsers with a negative domain pattern; it will not match.
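
A simplified model of the negated-pattern behaviour described in this report, added here as an example (it is not OpenSSH source and not part of the original report). `list_match`, its `patched` switch, the use of `fnmatch(3)` in place of OpenSSH's own matcher, and the host names other than the one in the log line are assumptions; it goes slightly beyond the report by also running a mixed list, where the proposed branch reports a match although the positive subpattern did not match.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of a comma-separated pattern list with '!' negation.
 * Not OpenSSH source. Returns -1 if a negated subpattern matches,
 * 1 on a positive match, 0 otherwise. patched != 0 adds the else branch
 * proposed in the report. fnmatch(3) stands in for the real matcher.
 */
int list_match(const char *string, const char *list, int patched)
{
    int got_positive = 0;

    for (const char *p = list; *p != '\0'; ) {
        char sub[128];
        size_t n = strcspn(p, ",");
        if (n >= sizeof(sub))
            return 0;               /* subpattern too long for the model */
        memcpy(sub, p, n);
        sub[n] = '\0';
        p += n + (p[n] == ',');     /* step past the subpattern and comma */

        int negated = (sub[0] == '!');
        const char *pat = negated ? sub + 1 : sub;
        if (fnmatch(pat, string, 0) == 0) {
            if (negated)
                return -1;          /* negated hit rejects the whole list */
            got_positive = 1;
        } else if (patched && negated) {
            got_positive = 1;       /* proposed: negated miss counts as hit */
        }
    }
    return got_positive;
}

int main(void)
{
    /* Constructed inputs; "!*local.dom" is the host pattern from the report. */
    const char *hosts[] = { "dns2.pavianetwork.com", "ws1.local.dom" };
    const char *lists[] = { "!*local.dom", "!*local.dom,*.other.dom" };
    for (int l = 0; l < 2; l++)
        for (int h = 0; h < 2; h++)
            printf("%-24s %-22s stock=%2d patched=%2d\n", lists[l], hosts[h],
                list_match(hosts[h], lists[l], 0),
                list_match(hosts[h], lists[l], 1));
    return 0;
}
```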
Comment 1 lampa 2015-07-23 17:37:10 UTC
STABLE-9.* - not fixed
STABLE-10.* - not fixed
10.2-BETA2 - still not fixed, patch is ok
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2018-05-21 00:00:08 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-21 00:00:35 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:39:09 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>