USER and HOST are supposed to be checked separately and since patterns can be used, and they used to work, they should still work in the newer versions for HOST:
" DenyUsers
This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns."
I'd say it's probably a bug. Report it for your distro.
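A small Python model of the semantics the man page text above documents, added here as an illustration; it is not OpenSSH's code and not from the thread. It assumes the negation rule from the PATTERNS section of ssh_config(5) (a negated match never produces a positive result by itself); the function names and the sample policy are made up for the example.

```python
import fnmatch
import ipaddress

# Constructed sample policy (not from the thread): root may log in only from 10.0.0.0/8.
SAMPLE = {"DenyUsers": ["root@!10.0.0.0/8,*"], "AllowGroups": ["ssh-users"]}

def _match_one(host, addr, pat):
    """True if one pattern matches the client's hostname or address."""
    if "/" in pat:  # CIDR address/masklen form
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            return False
    # fnmatch also accepts [...] classes, which ssh patterns lack (approximation)
    return any(fnmatch.fnmatchcase(v, pat) for v in (host, addr))

def host_matches(host, addr, spec):
    """Comma-separated pattern-list. A negated hit vetoes the whole list, and
    a list made only of negations never yields a positive match."""
    hit = False
    for pat in spec.split(","):
        negated = pat.startswith("!")
        if _match_one(host, addr, pat[1:] if negated else pat):
            if negated:
                return False
            hit = True
    return hit

def entry_matches(user, host, addr, entry):
    """USER@HOST entry: USER and HOST are checked separately."""
    user_pat, at, host_spec = entry.partition("@")
    if not fnmatch.fnmatchcase(user, user_pat):
        return False
    return host_matches(host, addr, host_spec) if at else True

def login_allowed(user, groups, host, addr, cfg):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order."""
    def users(key):
        return any(entry_matches(user, host, addr, e) for e in cfg.get(key, []))
    def in_groups(key):
        return any(fnmatch.fnmatchcase(g, p) for g in groups for p in cfg.get(key, []))
    if users("DenyUsers"):
        return False
    if "AllowUsers" in cfg and not users("AllowUsers"):
        return False
    if in_groups("DenyGroups"):
        return False
    if "AllowGroups" in cfg and not in_groups("AllowGroups"):
        return False
    return True
```

Running the same entries through this model and through a given sshd build shows where the observed behaviour departs from the documented one, which is useful material for a bug report.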
Thanks for your reply. Unfortunately I tested this on Debian 9, and the bug is there too. So it's not distro-specific. Negation simply does not seem to work well with OpenSSH?
Unfortunately I tested this on Debian 9, and the bug is there too. So it's not distro-specific.
Then it might be a regression upstream. Did the release notes between now and the last version that worked have any mention of changing how patterns are done with DenyUsers?
Thank you both for your replies. Yes, it seems that this is indeed a bug.
This:
Quote:
To calibrate expectations, there's little chance all of these are going to make 7.6.
..was not very comforting. I will have to try and implement a solution that does not require negation for now - even though it will make it more cumbersome.