HPE Community
Operating System - OpenVMS
1827459 Members
4674 Online
109965 Solutions
New Discussion

sshd2_config and wildcarding AllowHosts?

 
Aaron Sakovich
Super Advisor

‎04-11-2005 06:22 AM

‎04-11-2005 06:22 AM

sshd2_config and wildcarding AllowHosts?

Is there any way to provide a wildcard expression for the AllowHosts field? I've got a site where they want to restrict access to their server to only hosts properly registered in our DNS. However, doing a simple "localhost, *.s.com" doesn't work. Looking around on the net, and I've found references to regex, egrep, and zsh_fileglob expressions, but haven't been able to get any of them to work. And I've tried a lot of them, until my eyes blurred...

The only wildcard I can get to work is "*". I'd like to be a little less general than that.

Has anyone gotten it to work with TCP/IP v5.4 ECO4? Tips or tricks welcome...

Aaron-who's-very-frustrated-with-U*X-lack-of-wildcards
0 Kudos
Reply
13 REPLIES 13
Martin Vorlaender
Honored Contributor

‎04-11-2005 06:58 PM

‎04-11-2005 06:58 PM

Re: sshd2_config and wildcarding AllowHosts?

Aaron,

according to The SSH Book (SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman; O'Reilly 2001; section 5.5.2.4) - to which the TCP/IP Services SSH manual refers the reader - the AllowHosts and DenyHosts values have the following syntax:

- Values may contain regular expressions (see e.g. http://h30097.www3.hp.com/docs/ssh/ssh32/MAN/MAN5/0001____.HTM ).

- Values may contain multiple strings separated by commas.

- Keywords may appear multiple times, and the results are cumulative.

- Hostnames or IP addresses may be used.

HTH,
Martin
0 Kudos
Reply
Aaron Sakovich
Super Advisor

‎04-12-2005 02:30 AM

‎04-12-2005 02:30 AM

Re: sshd2_config and wildcarding AllowHosts?

Sorry, I should have let you know that I've already tried using that document, but still haven't gotten anything to work.

What does work: localhost, node.company.dom, *

A few samples of some others I've tried that don't work:

*.company.dom
*company.dom
$company.dom
company.dom$
company.dom(1)
company.dom+
company.dom##
.*\.company\.dom

and many, many more.

I am completely ignorant of regexs, and am bamboozled by the plethora of regex varieties. These "features" sure are making what should be a simple wildcard change incredibly difficult.

Aaron
0 Kudos
Reply
Aaron Sakovich
Super Advisor

‎04-12-2005 02:51 AM

‎04-12-2005 02:51 AM

Re: sshd2_config and wildcarding AllowHosts?

Oh, btw, I've also tried:

\i192.168.*

No joy there, either. Again, the only thing that worked was a FQDN, which is not a practical solution for me.

Regards,
Aaron
0 Kudos
Reply
Martin Vorlaender
Honored Contributor

‎04-12-2005 02:51 AM

‎04-12-2005 02:51 AM

Re: sshd2_config and wildcarding AllowHosts?

>>>
A few samples of some others I've tried that don't work:
...
.*\.company\.dom
<<<

That last one looks like the regexes I know: ".*" = any number of any character; "\" is the escape character. Hmmm... this should have worked.

I should admit at this point that my knowledge of this particular corner of SSH is academic.

An even more accurate man page to SSH regexes than the one cited is http://www.ssh.com/documents/32/sshregex.html (as TCP/IP Services SSH is based on SSH2 v2.4.1 from SSH Communication Security).

cu,
Martin
0 Kudos
Reply
Victor Semaska_3
Esteemed Contributor

‎04-12-2005 03:27 AM

‎04-12-2005 03:27 AM

Re: sshd2_config and wildcarding AllowHosts?

Aaron,

I'm a former VMS Manager that was dragged, kicking and screaming, into the UNIX world (Tru64) so I understand your frustration. I understand regexs a little so I might be able to help.

I don't have a VMS system w/ SSH so I can't test things. I did test things on one of my UNIX systems (Tru64 V5.1B).

According to the manpage (that's on-line help in UNIX) for sshd_config field AllowHosts 'Patterns are matched using the egrep syntax'.

That said your last example, '.*\.company\.dom' should have worked but didn't. I tried a few variations and your 1st example worked for me, '*.company.dom'. So it seems the documentation is wrong.

I know this doesn't help you much but at least it points you in the right direction. In the UNIX version there's a debug mode that I used to help track it down (-d 9). Does the VMS version have a debug mode?

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
0 Kudos
Reply
Aaron Sakovich
Super Advisor

‎04-12-2005 03:29 AM

‎04-12-2005 03:29 AM

Re: sshd2_config and wildcarding AllowHosts?

Yup, been there too -- I googled that one and got a hit on the "zsh_fileglob". (Who thinks up these names???)

I worried it might not have been the correct implementation, because "node.company.dom" worked, while, IIRC, "node\.company\.dom" did not. Ergo, I speculated that this particular doc rev and implementation of the regex was inappropriate for the version used on OpenVMS.

Does anyone out there have any empirical info that they could share? I appreciate your academic perspective, Martin, and it has helped to confirm that I was indeed on the right track. But someone must have tried this before and gotten it to work, right? I know I've failed at it!

Best,
Aaron
0 Kudos
Reply
Aaron Sakovich
Super Advisor

‎04-12-2005 04:00 AM

‎04-12-2005 04:00 AM

Re: sshd2_config and wildcarding AllowHosts?

Hi Vic,

Thanks for understanding! FWIW, I've "touched" a few U*X boxes, my first in the mid '80s (an Apollo Domain system!), and all the way up to Digital UNIX and even Linux. But, well, IMHO it's still a collection of kludges...

The idea about debug got me going. I checked out the TCPIP$System:TCPIP$SSH_Run.com file, and there's a logical that if set, puts the daemon into "-i -d 99". So I did it, kicked the daemon, and got a huge dump in the TCPIP$SSH_Home:TCPIP$SSH_Run.log file. It's parsing for regexs in there (lots of parsing, no meaningful output that I could grok), but it still fails with the following error:

Tue 12 10:42:48 WARNING: password authentication failed. Connection from woody.internal.company.dom denied. Authentication as user sakovich was attempted.
debug: Ssh2AuthCommonServer/AUTHS-COMMON.C:114: password authentication failed.

Might this be a bug in the VMS implementation?

Oh, I'm on my test workstation and am using the following style of regex right now:

localhost, .*\..*\.company\.dom

(In other words, I'm trying to allow any node from any child domain of company.dom.) I've tried a variety of other strings, too. It's nice to have a VMS workstation to test this stuff on!

Thanks for the debug idea! Still no joy, though.

Aaron
0 Kudos
Reply
Victor Semaska_3
Esteemed Contributor

‎04-12-2005 04:32 AM

‎04-12-2005 04:32 AM

Re: sshd2_config and wildcarding AllowHosts?

Aaron,

As I mentioned, using the egrep syntax didn't work for me. That's what you have listed:

.*\..*\.company\.dom

Did you try the other syntax of:

*.*.company.dom

May try small steps. You said * did work. Maybe next try *.dom to see if that works. If so, go to *.company.dom, etc.


Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
0 Kudos
Reply
Aaron Sakovich
Super Advisor

‎04-12-2005 04:45 AM

‎04-12-2005 04:45 AM

Re: sshd2_config and wildcarding AllowHosts?

Great idea. I just tried using "*.dom" and it failed, too.

For thoroughness' sake, I also tried ".*\.dom", which failed too.

*sigh*
0 Kudos
Reply
Victor Semaska_3
Esteemed Contributor

‎04-12-2005 04:53 AM

‎04-12-2005 04:53 AM

Re: sshd2_config and wildcarding AllowHosts?

Can you post the line in sshd_config exactly as is. Want to check the syntax.

Also, can you post the relavent portions of the debug output. On our UNIX systems, when it fails it's like this:

debug[518770]: Ssh2AuthCommonServer/auths-common.c:102: match: NULL (pattern: 'c*.company.dom', string: 'sxxx.company.dom')
debug[518770]: Ssh2AuthCommonServer/auths-common.c:544: 'sxxxx.company.dom[###.###.###.###] didn't match with 'c*.company.dom'.

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
0 Kudos
Reply
Aaron Sakovich
Super Advisor

‎04-12-2005 07:35 AM

‎04-12-2005 07:35 AM

Re: sshd2_config and wildcarding AllowHosts?

What I posted above *was* the exact output from the log. I even searched for the "pattern" string, but there wasn't a single instance of it in the log.

Here's a collection of the AllowHosts line from recent versions (Remember file versions? Bet you miss them!) of the sshd2_config. to show you some of the things I've tried:

AllowHosts localhost, .*\.com
AllowHosts localhost, *.com
AllowHosts localhost, .*\..*\.int\.sungard\.com
AllowHosts localhost, .*\.int\.sungard\.com
AllowHosts localhost, *.int.sungard.com


The host that I'm trying to connect from is woody.hsv.int.sungard.com.
0 Kudos
Reply
Victor Semaska_3
Esteemed Contributor

‎04-13-2005 01:29 AM

‎04-13-2005 01:29 AM

Re: sshd2_config and wildcarding AllowHosts?

Sorry Aaron but I've pretty much run out of ideas. If you can't get a search pattern as simply as *.com to work then there's some fundamental difference between our versions that I'm not aware of.

The only thing I can think of is maybe it's checking the IP address instead of the host name. If you're up to it try putting in the IP address of that host (###.###.###.###) to see if that works, then try the wildcards. Probably would look like:

###.###.*.*

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
0 Kudos
Reply
Aaron Sakovich
Super Advisor

‎04-13-2005 05:02 AM

‎04-13-2005 05:02 AM

Re: sshd2_config and wildcarding AllowHosts?

Thanks Vic, I appreciate your input.

I'm going to log a call with HP. Sounds like a bug to me.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.