Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix SSH login failure with conflicting group permissions #9

Merged
merged 15 commits into from
Feb 25, 2020
Merged

Fix SSH login failure with conflicting group permissions #9

merged 15 commits into from
Feb 25, 2020

Conversation

stephdl
Copy link
Contributor

@stephdl stephdl commented Feb 11, 2020
edited by DavidePrincipi

@stephdl stephdl changed the title Grant to SSH in case of membership of multi group SSH login failure with conflicting group permissions Feb 11, 2020
@nethbot
Copy link
Member

nethbot commented Feb 11, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 11, 2020

in 7.7.1908/autobuild:

@DavidePrincipi DavidePrincipi changed the title SSH login failure with conflicting group permissions Fix SSH login failure with conflicting group permissions Feb 11, 2020
DavidePrincipi
DavidePrincipi reviewed Feb 12, 2020
View reviewed changes
Copy link
Member

@DavidePrincipi DavidePrincipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! I think this approach can fix the bug.

I read again man ssh_config, the PATTERNS section. It seems the ! (not) operator can do the job.

Maybe we could reduce the patch size with a couple of changes...

root/etc/e-smith/templates/etc/ssh/sshd_config/70Restricted2Sftp Outdated Show resolved Hide resolved
root/etc/e-smith/templates/etc/ssh/sshd_config/70Restricted2Sftp Outdated Show resolved Hide resolved
root/etc/e-smith/templates/etc/ssh/sshd_config/70Restricted2Sftp Outdated Show resolved Hide resolved
@nethbot
Copy link
Member

nethbot commented Feb 12, 2020

in 7.7.1908/autobuild:

@DavidePrincipi
Copy link
Member

This patch seems to fix the bug, however wait a moment to merge it. We must be sure it can work with the planned enhancement NethServer/dev#6059

@nethbot
Copy link
Member

nethbot commented Feb 12, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 12, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 12, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 12, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 13, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 13, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 13, 2020

in 7.7.1908/autobuild:

DavidePrincipi
DavidePrincipi reviewed Feb 14, 2020
View reviewed changes
Copy link
Member

@DavidePrincipi DavidePrincipi left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary: I bet we don't need to record the groups with SFTP only access. On the contrary, we are interested in the list of those who can access SSH. Anyone else can do SFTP, provided login permission is granted.

This is the logic of the MatchGroup/MatchAll directives: we can take advantage of it!

root/etc/e-smith/templates/etc/ssh/sshd_config/45AllowGroups2Sshd Outdated Show resolved Hide resolved
root/etc/e-smith/templates/etc/ssh/sshd_config/45AllowGroups2Sshd Outdated Show resolved Hide resolved
root/etc/e-smith/templates/etc/ssh/sshd_config/45AllowGroups2Sshd Outdated Show resolved Hide resolved
root/etc/e-smith/templates/etc/ssh/sshd_config/70Restricted2Sftp Outdated Show resolved Hide resolved
root/etc/e-smith/templates/etc/ssh/sshd_config/70Restricted2Sftp Outdated Show resolved Hide resolved
root/etc/e-smith/templates/etc/ssh/sshd_config/70Restricted2Sftp Outdated Show resolved Hide resolved
@nethbot
Copy link
Member

nethbot commented Feb 14, 2020

in 7.7.1908/autobuild:

@nethbot
Copy link
Member

nethbot commented Feb 24, 2020

in 7.7.1908/autobuild:

@stephdl stephdl merged commit 496bfb1 into NethServer:master Feb 25, 2020
@stephdl stephdl deleted the GH6058 branch February 25, 2020 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DavidePrincipi DavidePrincipi DavidePrincipi approved these changes

Assignees

@stephdl stephdl

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@stephdl @nethbot @DavidePrincipi