OpenSSH

OpenSSH — alternative DenyUsers,AllowUsers,DenyGroups,AllowGroups policy

I am pretty sure this can be done using PAM (i.e. pam_access.so and /etc/security/access.conf), but this was originally under a Unix that didn't support PAM (but had its own framework).


NOTE
The Match option in sshd_config can be used to do much the same thing. A Match block runs from its Match line to the next Match line (or end of file), and directives placed before the first Match apply globally. e.g.

# @(#) /etc/ssh/sshd_config
DenyUsers root postfix
# Match criteria are ANDed together,
# e.g. Match Address 1.1.1.1 User teredo
# means match User teredo connecting from 1.1.1.1
Match Address 10.0.0.0/8
#..
Match Address 172.16.0.0/12
#..
Match Address 192.168.0.0/16
# ..
Match Group ssh_access
# ..


I wanted to deny some users outright, permit the rest access from the local network only, and give some users (specified in a Unix group) unrestricted access. e.g.

# @(#) /etc/ssh/sshd_config
# ...
# >> This does *not* work << -- See sshd_config(5): the lists are checked
# in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups and a login
# must pass every list that is set. So an ssh_access member connecting
# from outside the listed networks is rejected by AllowUsers before
# AllowGroups is consulted, and a local-network user who is not in
# ssh_access is rejected by AllowGroups.
	DenyUsers	root postfix
	AllowUsers	*@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16
	AllowGroups	ssh_access

Looking at the code in auth.c, it turns out that changing this without doing too much violence to the original is fairly straightforward.

# @(#) /etc/ssh/sshd_config
# Turn on alternate policy otherwise business as usual.
	AlternateAllowPolicy    yes
# What do we do if we don't allow or deny a user explicitly?
	AllowByDefault  no

	DenyUsers	root postfix
	AllowUsers	*@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16
	AllowGroups	ssh_access
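The following is an added example, not code from the page or from the patch: a small Python model of the two evaluation rules above, run over a few constructed logins, so the difference can be seen without building sshd. stock_policy() follows the sshd_config(5) ordering (every list that is set must be passed). alternate_policy() is one plausible reading of what AlternateAllowPolicy plus AllowByDefault must do to satisfy the stated requirement: the first list that matches decides, and AllowByDefault settles anyone unmatched. That first-match ordering, the CONFIG dict and the sample logins are assumptions made for the example; the real patch may differ in detail. Host matching is simplified to client IP address and CIDR/glob entries.

```python
"""Model of stock sshd allow/deny evaluation versus the page's alternate policy.

Added example; not the patch's code. The alternate ordering is an assumption.
"""
import fnmatch
import ipaddress

# Constructed configuration mirroring the sshd_config fragments on the page.
# AllowByDefault is the patch's keyword; treating it as a boolean is assumed.
CONFIG = {
    "DenyUsers": ["root", "postfix"],
    "AllowUsers": ["*@10.0.0.0/8", "*@172.16.0.0/12", "*@192.168.0.0/16"],
    "DenyGroups": [],
    "AllowGroups": ["ssh_access"],
    "AllowByDefault": False,
}


def match_addr(addr, host_list):
    """Match a client IP against a comma-separated list of CIDR blocks or
    glob patterns (a simplification of sshd's host/address matching)."""
    ip = ipaddress.ip_address(addr)
    for entry in host_list.split(","):
        if "/" in entry:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, entry):
            return True
    return False


def match_user(user, addr, pattern):
    """USER or USER@HOST pattern as accepted by AllowUsers/DenyUsers."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and match_addr(addr, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def match_group(groups, pattern):
    """Glob pattern against any of the user's group names."""
    return any(fnmatch.fnmatchcase(g, pattern) for g in groups)


def stock_policy(user, groups, addr, cfg=CONFIG):
    """sshd_config(5) semantics: lists are applied in the order DenyUsers,
    AllowUsers, DenyGroups, AllowGroups, and the login must pass all of
    those that are set."""
    if any(match_user(user, addr, p) for p in cfg["DenyUsers"]):
        return False
    if cfg["AllowUsers"] and not any(
            match_user(user, addr, p) for p in cfg["AllowUsers"]):
        return False
    if any(match_group(groups, p) for p in cfg["DenyGroups"]):
        return False
    if cfg["AllowGroups"] and not any(
            match_group(groups, p) for p in cfg["AllowGroups"]):
        return False
    return True


def alternate_policy(user, groups, addr, cfg=CONFIG):
    """Assumed first-match semantics for AlternateAllowPolicy: the first
    list that matches decides; AllowByDefault covers anyone unmatched."""
    if any(match_user(user, addr, p) for p in cfg["DenyUsers"]):
        return False
    if any(match_user(user, addr, p) for p in cfg["AllowUsers"]):
        return True
    if any(match_group(groups, p) for p in cfg["DenyGroups"]):
        return False
    if any(match_group(groups, p) for p in cfg["AllowGroups"]):
        return True
    return cfg["AllowByDefault"]


# Constructed sample logins: (user, groups, client address)
LOGINS = [
    ("root", ["wheel", "ssh_access"], "10.0.0.5"),     # denied outright
    ("alice", ["users"], "192.168.1.20"),              # local network only
    ("bob", ["ssh_access"], "203.0.113.7"),            # group, from outside
    ("carol", ["users"], "203.0.113.7"),               # neither
]

if __name__ == "__main__":
    for user, groups, addr in LOGINS:
        print(f"{user:6} from {addr:13} stock={stock_policy(user, groups, addr)!s:5} "
              f"alternate={alternate_policy(user, groups, addr)}")
```

Running it shows the two failures of the stock rules that motivated the patch: alice from the local network is refused because she is not in ssh_access, and bob from outside is refused because AllowUsers rejects him before AllowGroups is reached; under the first-match rule both are admitted while root stays denied and carol falls through to AllowByDefault.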

The patch in files/ is against OpenSSH 5.9p1, but the code in the affected files (auth.c, servconf.c, servconf.h) has remained substantially unchanged since 5.8p1.

Unpack the openssh-5.9p1 tarball, apply the patch, and configure with the usual switches, appending:
--with-cppflags="-DALTERNATE_AUTH_POLICY=1"

  ./configure --prefix=/opt/openssh-5.9 --sysconfdir=/etc/openssh-5.9 \
       --with-cppflags="-DALTERNATE_AUTH_POLICY=1"

After installing, check that the new sshd_config parses (sshd -t -f /etc/openssh-5.9/sshd_config) before putting the daemon into service.

LICENSE for patch only
Creative Commons CC0 http://creativecommons.org/publicdomain/zero/1.0/legalcode

AUTHOR (patch)
James Sainsbury