Bug 161893 - [patch] sshd(8) DenyUsers user@!*.dom doesn't work
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.2-BETA1
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Keywords: patch
Reported: 2011-10-22 09:50 UTC by lampa
Modified: 2022-10-17 12:39 UTC (History)
Attachments
file.diff (496 bytes, patch)
2011-10-22 09:50 UTC, lampa

Description lampa 2011-10-22 09:50:07 UTC
This is a long-standing bug in OpenSSH - a negative pattern in DenyUsers doesn't work:

/etc/ssh/sshd_config
..
DenyUsers user@!*local.dom

The reason is a missing piece of code in crypto/openssh/match.c:

                /* Try to match the subpattern against the string. */
                if (match_pattern(string, sub)) {
..
+               } else {
+                       if (negated)
+                               got_positive = 1;
                }
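
Review bot: The new else branch sets got_positive for every negated subpattern that fails to match, whether or not the list also contains positive subpatterns, so a list that mixes the two would report a match for any string that merely avoids the negated entry, even when none of the positive entries matched. This lives in match.c, which is library code, so the result changes for every pattern list that passes through this loop, not only the host part of a DenyUsers entry. Consider limiting the assignment to lists made up solely of negated subpatterns, and add a comment above "if (negated)" stating the intended semantics; the pattern documentation in the manual pages would need a matching update.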

After this change (and a reinstall of libssh), a user connecting from a non-local domain is matched:

xxx sshd[11991]: User user from dns2.pavianetwork.com not allowed because listed in DenyUsers

How-To-Repeat: Use DenyUsers with a negative domain pattern; it will not match.
Comment 1 lampa 2015-07-23 17:37:10 UTC
STABLE-9.* - not fixed
STABLE-10.* - not fixed
10.2-BETA2 - still not fixed, patch is ok
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2018-05-21 00:00:08 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-21 00:00:35 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:39:09 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>