Bug 161893 - [patch] sshd(8) DenyUsers user@!*.dom doesn't work
Summary: [patch] sshd(8) DenyUsers user@!*.dom doesn't work
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 10.2-BETA1
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-22 09:50 UTC by lampa
Modified: 2018-05-21 00:00 UTC (History)
0 users

See Also:


Attachments
file.diff (496 bytes, patch)
2011-10-22 09:50 UTC, lampa
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description lampa 2011-10-22 09:50:07 UTC
This is long standing bug in openssh - negative pattern in DenyUsers doesn't work: 

/etc/ssh/sshd_config
..
DenyUsers user@!*local.dom

The reason is missing peace of code in crypto/openssh/match.c:

                /* Try to match the subpattern against the string. */
                if (match_pattern(string, sub)) {
..
+               } else {
+                       if (negated)
+                               got_positive = 1;
                }

After this change (and reinstall of libssh), user connecting from non-local domain is matched:

xxx sshd[11991]: User user from dns2.pavianetwork.com not allowed because listed in DenyUsers

How-To-Repeat: Use DenyUsers with negative domain pattern, it will not match.
Comment 1 lampa 2015-07-23 17:37:10 UTC
STABLE-9.* - not fixed
STABLE-10.* - not fixed
10.2-BETA2 - still not fixed, patch is ok
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2018-05-21 00:00:08 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-21 00:00:35 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"