OpenSSH


OpenSSH — alternative DenyUsers,AllowUsers,DenyGroups,AllowGroups policy

I am fairly sure this can be done with PAM (i.e. pam_access.so and /etc/security/access.conf), but this was on a Unix that doesn't support PAM (it has its own framework).

I wanted to deny some users outright, let the rest in only from the local network, and give some users (members of a Unix group) unrestricted access, e.g.

# @(#) /etc/ssh/sshd_config
# ...
# >> This does *not* work << -- See sshd_config(5)
	DenyUsers	root postfix
	AllowUsers	*@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16
	AllowGroups	ssh_access

Stock sshd processes these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login must pass every Allow* list that is set, so the config above refuses an ssh_access member who connects from outside the listed networks. Looking at the code in auth.c, it turns out that changing this without doing too much violence to the original is fairly straightforward.

# @(#) /etc/ssh/sshd_config
# Turn on alternate policy otherwise business as usual.
	AlternateAllowPolicy    yes
# What do we do if we don't allow or deny a user explicitly?
	AllowByDefault  no

	DenyUsers	root postfix
	AllowUsers	*@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16
	AllowGroups	ssh_access
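
As an added illustration (my own model, not the patch in files/ and not OpenSSH's auth.c), here is a small C program that evaluates the sshd_config above under both rule sets: the stock order from sshd_config(5), where a login must pass every Allow* list that is set, and the alternate policy as I read the description (an explicit deny wins, then a match in AllowUsers or AllowGroups grants access, otherwise AllowByDefault decides). The user names, group memberships and client addresses are constructed, and the matcher covers only what the example needs ('*' and '?' globs plus IPv4 CIDR host parts), not sshd's full match code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Pattern lists are NULL-terminated; a NULL list means that directive is not set. */
typedef struct {
    const char *const *deny_users, *const *allow_users;
    const char *const *deny_groups, *const *allow_groups;
    bool allow_by_default; /* AllowByDefault, consulted by the alternate policy only */
} policy_t;

/* Minimal glob: '*' matches any run of characters, '?' exactly one. */
static bool glob_match(const char *pat, const char *s)
{
    if (*pat == '*') {
        for (;; s++) { /* try every suffix of s, including "" */
            if (glob_match(pat + 1, s)) return true;
            if (*s == '\0') return false;
        }
    }
    if (*pat == '\0' || *s == '\0') return *pat == *s;
    return (*pat == '?' || *pat == *s) && glob_match(pat + 1, s + 1);
}

/* True if dotted-quad IPv4 address addr lies inside "a.b.c.d/len"; cidr must contain '/'. */
static bool cidr_match(const char *cidr, const char *addr)
{
    const char *slash = strchr(cidr, '/');
    char net[INET_ADDRSTRLEN] = { 0 };
    struct in_addr na, aa;
    int len = atoi(slash + 1);
    if ((size_t)(slash - cidr) >= sizeof net || len < 0 || len > 32) return false;
    memcpy(net, cidr, (size_t)(slash - cidr));
    if (inet_pton(AF_INET, net, &na) != 1 || inet_pton(AF_INET, addr, &aa) != 1) return false;
    in_addr_t mask = len ? htonl(0xffffffffu << (32 - len)) : 0; /* len 0 would shift by 32 */
    return (na.s_addr & mask) == (aa.s_addr & mask);
}

/* One sshd-style entry: "user" or "user@host", where host may be a CIDR block. */
static bool entry_match(const char *pat, const char *user, const char *addr)
{
    const char *at = strchr(pat, '@');
    char upat[64] = { 0 };
    if (at == NULL) return glob_match(pat, user);
    if ((size_t)(at - pat) >= sizeof upat) return false;
    memcpy(upat, pat, (size_t)(at - pat));
    if (!glob_match(upat, user)) return false;
    return strchr(at + 1, '/') ? cidr_match(at + 1, addr) : glob_match(at + 1, addr);
}
static bool list_match(const char *const *pats, const char *user, const char *addr)
{
    for (; pats && *pats; pats++)
        if (entry_match(*pats, user, addr)) return true;
    return false;
}
static bool group_match(const char *const *pats, const char *const *groups)
{
    for (; groups && *groups; groups++) /* a group pattern is a plain glob on the name */
        if (list_match(pats, *groups, "")) return true;
    return false;
}

/* Stock sshd_config(5) order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
 * Every Allow* list that is set must match, i.e. AllowUsers AND AllowGroups. */
bool stock_allowed(const policy_t *p, const char *user, const char *addr, const char *const *groups)
{
    if (p->deny_users && list_match(p->deny_users, user, addr)) return false;
    if (p->allow_users && !list_match(p->allow_users, user, addr)) return false;
    if (p->deny_groups && group_match(p->deny_groups, groups)) return false;
    if (p->allow_groups && !group_match(p->allow_groups, groups)) return false;
    return true;
}
/* Alternate policy as I read the page: an explicit deny wins, then a match in
 * AllowUsers OR AllowGroups grants access, otherwise AllowByDefault decides. */
bool alternate_allowed(const policy_t *p, const char *user, const char *addr, const char *const *groups)
{
    if (list_match(p->deny_users, user, addr) || group_match(p->deny_groups, groups)) return false;
    if (list_match(p->allow_users, user, addr) || group_match(p->allow_groups, groups)) return true;
    return p->allow_by_default;
}

/* The page's sshd_config lists, once with AllowByDefault no and once with yes. */
static const char *const DENY_USERS[]   = { "root", "postfix", NULL };
static const char *const ALLOW_USERS[]  = { "*@10.0.0.0/8", "*@172.16.0.0/12", "*@192.168.0.0/16", NULL };
static const char *const ALLOW_GROUPS[] = { "ssh_access", NULL };
const policy_t page_policy      = { DENY_USERS, ALLOW_USERS, NULL, ALLOW_GROUPS, false };
const policy_t page_policy_open = { DENY_USERS, ALLOW_USERS, NULL, ALLOW_GROUPS, true };
const char *const GROUPS_USERS[]      = { "users", NULL };             /* constructed memberships */
const char *const GROUPS_SSH_ACCESS[] = { "users", "ssh_access", NULL };

int main(void)
{
    const char *const *g[] = { GROUPS_USERS, GROUPS_USERS, GROUPS_SSH_ACCESS, GROUPS_USERS };
    const char *u[] = { "root", "alice", "bob", "carol" };
    const char *a[] = { "10.1.2.3", "10.1.2.3", "203.0.113.5", "203.0.113.5" };
    for (int i = 0; i < 4; i++) /* constructed logins: denied user, LAN only, group only, neither */
        printf("%-6s from %-12s stock=%d alternate=%d\n", u[i], a[i],
               stock_allowed(&page_policy, u[i], a[i], g[i]), alternate_allowed(&page_policy, u[i], a[i], g[i]));
    return 0;
}
```

Run it and the two middle lines show the difference that motivated the patch: alice (on the LAN, not in ssh_access) and bob (in ssh_access, off the LAN) are refused by the stock rules because they match only one of the two Allow* lists, and admitted by the alternate rules because one match is enough; root is refused under both, and carol only gets in if AllowByDefault is yes.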

The patch in files/ is against openssh 5.9p1 but the code in the affected files (auth.c, servconf.c, servconf.h) has remained substantially unchanged from 5.8p1.

Unpack the openssh-5.9p1 tarball, apply the patch, and configure with the usual switches, appending
--with-cppflags="-DALTERNATE_AUTH_POLICY=1", e.g.

  ./configure --prefix=/opt/openssh-5.9 --sysconfdir=/etc/openssh-5.9 \
       --with-cppflags="-DALTERNATE_AUTH_POLICY=1"