This is a long-standing bug in openssh - negative pattern in DenyUsers doesn't work:

/etc/ssh/sshd_config .. DenyUsers user@!*local.dom

The reason is a missing piece of code in crypto/openssh/match.c:

/* Try to match the subpattern against the string. */ if (match_pattern(string, sub)) { .. + } else { + if (negated) + got_positive = 1; }

After this change (and reinstall of libssh), a user connecting from a non-local domain is matched:

xxx sshd[11991]: User user from dns2.pavianetwork.com not allowed because listed in DenyUsers

How-To-Repeat: Use DenyUsers with negative domain pattern, it will not match.
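Review bot: The added else branch sets got_positive = 1 as soon as any negated subpattern fails to match, so for a list that mixes a negated entry with plain entries the result no longer depends on whether a plain entry matched. Because the change is in match.c and not in the DenyUsers handling, every other caller of this list matcher would see the same new result; please check those callers or limit the new behaviour to the host part of DenyUsers/AllowUsers entries. The body of the existing if branch is elided ("..") in the report, so the interaction with the negated-match case cannot be confirmed from these lines; a full diff plus a note for the sshd_config documentation of the new meaning of "!" would help.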
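A simplified model of the matching behaviour described in the report above, as an added example (not OpenSSH's code and not part of the original report). The names glob_match and list_match are hypothetical; the body of the elided ".." branch and the rule that only a result of 1 counts as a DenyUsers match are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Minimal glob for the model: '*' matches any run, '?' one character. */
static int glob_match(const char *s, const char *p)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')
        return glob_match(s, p + 1) || (*s != '\0' && glob_match(s + 1, p));
    if (*s != '\0' && (*p == '?' || *p == *s))
        return glob_match(s + 1, p + 1);
    return 0;
}

/*
 * Model of a comma-separated pattern list with '!' negation.
 * Returns -1 if a negated subpattern matches, 1 on a positive match,
 * 0 otherwise. patched != 0 enables the else branch from the report.
 */
static int list_match(const char *s, const char *list, int patched)
{
    int got_positive = 0;

    while (*list != '\0') {
        char sub[128];
        size_t n = strcspn(list, ",");
        int negated = (*list == '!');
        size_t len = n - (size_t)negated;

        if (len >= sizeof(sub))
            return 0;                 /* model limit: treat as no match */
        memcpy(sub, list + negated, len);
        sub[len] = '\0';
        list += n + (list[n] == ',');

        if (glob_match(s, sub)) {
            if (negated)
                return -1;            /* assumed body of the elided ".." */
            got_positive = 1;
        } else if (patched && negated) {
            got_positive = 1;         /* the lines added in the report */
        }
    }
    return got_positive;
}
```

The last two assertions in the test use a constructed mixed list to show that, with the added branch, a host matching no plain entry still yields 1.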
STABLE-9.* - not fixed
STABLE-10.* - not fixed
10.2-BETA2 - still not fixed, patch is ok
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>