Operating System - OpenVMS
Re: sshd2_config and wildcarding AllowHosts?
Aaron Sakovich
Super Advisor

sshd2_config and wildcarding AllowHosts?

Is there any way to provide a wildcard expression for the AllowHosts field? I've got a site where they want to restrict access to their server to only hosts properly registered in our DNS. However, doing a simple "localhost, *.s.com" doesn't work. Looking around on the net, I've found references to regex, egrep, and zsh_fileglob expressions, but haven't been able to get any of them to work. And I've tried a lot of them, until my eyes blurred...

The only wildcard I can get to work is "*". I'd like to be a little less general than that.

Has anyone gotten it to work with TCP/IP v5.4 ECO4? Tips or tricks welcome...

Aaron-who's-very-frustrated-with-U*X-lack-of-wildcards
Martin Vorlaender
Honored Contributor

Re: sshd2_config and wildcarding AllowHosts?

Aaron,

According to The SSH Book (SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett and Richard Silverman; O'Reilly 2001; section 5.5.2.4), to which the TCP/IP Services SSH manual refers the reader, the AllowHosts and DenyHosts values have the following syntax:

- Values may contain regular expressions (see e.g. http://h30097.www3.hp.com/docs/ssh/ssh32/MAN/MAN5/0001____.HTM ).

- Values may contain multiple strings separated by commas.

- Keywords may appear multiple times, and the results are cumulative.

- Hostnames or IP addresses may be used.

HTH,
Martin
Aaron Sakovich
Super Advisor

Re: sshd2_config and wildcarding AllowHosts?

Sorry, I should have let you know that I've already tried using that document, but still haven't gotten anything to work.

What does work: localhost, node.company.dom, *

A few samples of some others I've tried that don't work:

*.company.dom
*company.dom
$company.dom
company.dom$
company.dom(1)
company.dom+
company.dom##
.*\.company\.dom

and many, many more.

I am completely ignorant of regexs, and am bamboozled by the plethora of regex varieties. These "features" sure are making what should be a simple wildcard change incredibly difficult.

Aaron
Aaron Sakovich
Super Advisor

Re: sshd2_config and wildcarding AllowHosts?

Oh, btw, I've also tried:

\i192.168.*

No joy there, either. Again, the only thing that worked was a FQDN, which is not a practical solution for me.

Regards,
Aaron
Martin Vorlaender
Honored Contributor

Re: sshd2_config and wildcarding AllowHosts?

>>>
A few samples of some others I've tried that don't work:
...
.*\.company\.dom
<<<

That last one looks like the regexes I know: ".*" = any number of any character; "\" is the escape character. Hmmm... this should have worked.

I should admit at this point that my knowledge of this particular corner of SSH is academic.

An even more accurate man page for SSH regexes than the one cited is http://www.ssh.com/documents/32/sshregex.html (as TCP/IP Services SSH is based on SSH2 v2.4.1 from SSH Communications Security).

cu,
Martin
Victor Semaska_3
Esteemed Contributor

Re: sshd2_config and wildcarding AllowHosts?

Aaron,

I'm a former VMS Manager who was dragged, kicking and screaming, into the UNIX world (Tru64), so I understand your frustration. I understand regexes a little, so I might be able to help.

I don't have a VMS system w/ SSH so I can't test things. I did test things on one of my UNIX systems (Tru64 V5.1B).

According to the manpage (that's on-line help in UNIX) for sshd_config field AllowHosts 'Patterns are matched using the egrep syntax'.

That said, your last example, '.*\.company\.dom', should have worked but didn't. I tried a few variations and your 1st example worked for me, '*.company.dom'. So it seems the documentation is wrong.

I know this doesn't help you much but at least it points you in the right direction. In the UNIX version there's a debug mode that I used to help track it down (-d 9). Does the VMS version have a debug mode?

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
Aaron Sakovich
Super Advisor

Re: sshd2_config and wildcarding AllowHosts?

Yup, been there too -- I googled that one and got a hit on the "zsh_fileglob". (Who thinks up these names???)

I worried it might not have been the correct implementation, because "node.company.dom" worked, while, IIRC, "node\.company\.dom" did not. Ergo, I speculated that this particular doc rev and implementation of the regex was inappropriate for the version used on OpenVMS.

Does anyone out there have any empirical info that they could share? I appreciate your academic perspective, Martin, and it has helped to confirm that I was indeed on the right track. But someone must have tried this before and gotten it to work, right? I know I've failed at it!

Best,
Aaron
Aaron Sakovich
Super Advisor

Re: sshd2_config and wildcarding AllowHosts?

Hi Vic,

Thanks for understanding! FWIW, I've "touched" a few U*X boxes, my first in the mid '80s (an Apollo Domain system!), and all the way up to Digital UNIX and even Linux. But, well, IMHO it's still a collection of kludges...

The idea about debug got me going. I checked out the TCPIP$System:TCPIP$SSH_Run.com file, and there's a logical that, if set, puts the daemon into "-i -d 99". So I did it, kicked the daemon, and got a huge dump in the TCPIP$SSH_Home:TCPIP$SSH_Run.log file. It's parsing for regexes in there (lots of parsing, no meaningful output that I could grok), but it still fails with the following error:

Tue 12 10:42:48 WARNING: password authentication failed. Connection from woody.internal.company.dom denied. Authentication as user sakovich was attempted.
debug: Ssh2AuthCommonServer/AUTHS-COMMON.C:114: password authentication failed.

Might this be a bug in the VMS implementation?

Oh, I'm on my test workstation and am using the following style of regex right now:

localhost, .*\..*\.company\.dom

(In other words, I'm trying to allow any node from any child domain of company.dom.) I've tried a variety of other strings, too. It's nice to have a VMS workstation to test this stuff on!

Thanks for the debug idea! Still no joy, though.

Aaron
Victor Semaska_3
Esteemed Contributor

Re: sshd2_config and wildcarding AllowHosts?

Aaron,

As I mentioned, using the egrep syntax didn't work for me. That's what you have listed:

.*\..*\.company\.dom

Did you try the other syntax of:

*.*.company.dom

Maybe try small steps. You said * did work. Maybe next try *.dom to see if that works. If so, go to *.company.dom, etc.


Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
Aaron Sakovich
Super Advisor

Re: sshd2_config and wildcarding AllowHosts?

Great idea. I just tried using "*.dom" and it failed, too.

For thoroughness' sake, I also tried ".*\.dom", which failed too.

*sigh*
Victor Semaska_3
Esteemed Contributor

Re: sshd2_config and wildcarding AllowHosts?

Can you post the line in sshd_config exactly as is? I want to check the syntax.

Also, can you post the relevant portions of the debug output? On our UNIX systems, when it fails it looks like this:

debug[518770]: Ssh2AuthCommonServer/auths-common.c:102: match: NULL (pattern: 'c*.company.dom', string: 'sxxx.company.dom')
debug[518770]: Ssh2AuthCommonServer/auths-common.c:544: 'sxxxx.company.dom[###.###.###.###] didn't match with 'c*.company.dom'.

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
Aaron Sakovich
Super Advisor

Re: sshd2_config and wildcarding AllowHosts?

What I posted above *was* the exact output from the log. I even searched for the "pattern" string, but there wasn't a single instance of it in the log.

Here's a collection of the AllowHosts line from recent versions (remember file versions? Bet you miss them!) of the sshd2_config, to show you some of the things I've tried:

AllowHosts localhost, .*\.com
AllowHosts localhost, *.com
AllowHosts localhost, .*\..*\.int\.sungard\.com
AllowHosts localhost, .*\.int\.sungard\.com
AllowHosts localhost, *.int.sungard.com


The host that I'm trying to connect from is woody.hsv.int.sungard.com.
Victor Semaska_3
Esteemed Contributor

Re: sshd2_config and wildcarding AllowHosts?

Sorry Aaron, but I've pretty much run out of ideas. If you can't get a search pattern as simple as *.com to work, then there's some fundamental difference between our versions that I'm not aware of.

The only thing I can think of is maybe it's checking the IP address instead of the host name. If you're up to it try putting in the IP address of that host (###.###.###.###) to see if that works, then try the wildcards. Probably would look like:

###.###.*.*

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
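The thread never settles which pattern syntax the OpenVMS sshd2 actually applies, so the following is an added example (not code from the thread, from HP, or from SSH Communications Security) that models the two syntaxes Martin and Vic discuss and runs Aaron's tried AllowHosts lines, plus Vic's IP-address idea, against the hostname woody.hsv.int.sungard.com. The model's assumptions are taken from the sshregex documentation Martin linked and are assumptions, not verified behaviour of TCP/IP Services V5.4: the default syntax is zsh_fileglob (where "*" and "?" are wildcards and a backslash escapes the next character), a pattern can select egrep syntax with a ":egrep:" prefix, a pattern must match the whole hostname or address string, and both the client's name and its address are tested. The constructed address 192.168.1.10 is made up for the demo. Whatever the syntax, note that name-based matching keys off the reverse DNS lookup of the connecting address, so an AllowHosts list of hostnames is only as trustworthy as that DNS.

```python
"""Model of sshd2-style AllowHosts matching (added example; not code from the thread).

Assumptions, taken from the sshregex documentation linked earlier in the thread:
  * the default pattern syntax is zsh_fileglob, where '*' and '?' are wildcards
    and '\\' escapes the next character;
  * a pattern can select the egrep syntax with a ':egrep:' prefix;
  * a pattern must match the whole hostname (or IP address) string;
  * both the client's hostname and its address are tested against each pattern.
"""
import re

SYNTAX_PREFIXES = (":egrep:", ":zsh_fileglob:", ":ssh:")


def parse_allowhosts(value):
    """Split the value of 'AllowHosts localhost, *.company.dom' into patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def split_syntax(pattern, default="zsh_fileglob"):
    """Return (syntax, pattern_body); unprefixed patterns use the default syntax."""
    for prefix in SYNTAX_PREFIXES:
        if pattern.startswith(prefix):
            return prefix.strip(":"), pattern[len(prefix):]
    return default, pattern


def glob_to_regex(glob):
    """Translate the *, ? and backslash-escape subset of zsh file globbing to a regex."""
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "\\" and i + 1 < len(glob):   # '\.' is a literal dot in glob syntax
            out.append(re.escape(glob[i + 1]))
            i += 2
            continue
        out.append({"*": ".*", "?": "."}.get(c, re.escape(c)))
        i += 1
    return "".join(out)


def match_pattern(pattern, subject):
    """True if subject (a hostname or dotted IP) matches pattern as a whole string."""
    syntax, body = split_syntax(pattern)
    if syntax == "zsh_fileglob":
        regex = glob_to_regex(body)
    elif syntax == "egrep":
        # egrep syntax: '.' is any character, so '192.168.*' also matches '192x168...'
        regex = body
    else:
        raise ValueError("the :ssh: syntax is not modelled in this example")
    try:
        return re.fullmatch(regex, subject) is not None
    except re.error:
        return False  # e.g. ':egrep:*.company.dom' gives '*' nothing to repeat


def host_allowed(allowhosts_value, hostname, address=None):
    """True if any pattern matches the client's hostname or (assumption) its address."""
    subjects = [hostname] + ([address] if address else [])
    return any(match_pattern(p, s)
               for p in parse_allowhosts(allowhosts_value)
               for s in subjects)


if __name__ == "__main__":
    # Constructed client: the hostname from the thread with a made-up address.
    client, addr = "woody.hsv.int.sungard.com", "192.168.1.10"
    for line in ["localhost, *.com",
                 r"localhost, .*\.com",
                 r"localhost, :egrep:.*\.com",
                 "localhost, *.int.sungard.com",
                 r"localhost, .*\..*\.int\.sungard\.com",
                 r"localhost, :egrep:.*\..*\.int\.sungard\.com",
                 "localhost, 192.168.*",
                 "localhost, :egrep:192.168.*"]:
        print(f"{line:50} -> {host_allowed(line, client, addr)}")
```

Under these assumptions the glob forms ("*.com", "*.int.sungard.com", "192.168.*") match and the unprefixed egrep-style forms (".*\.com", ".*\..*\.int\.sungard\.com") do not, because a glob reads "\." as a literal dot and the leading "." then has to be present in the hostname; with the ":egrep:" prefix the same regexes match. The last line also shows why a regex with unescaped dots over-matches: ":egrep:192.168.*" accepts "192x168.1.10" as well, which a practitioner restricting access by address should escape. If the real daemon disagrees with this model, its debug log (the "-d" output Vic and Aaron mention) is the place to see which pattern and string it actually compared.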
Aaron Sakovich
Super Advisor

Re: sshd2_config and wildcarding AllowHosts?

Thanks Vic, I appreciate your input.

I'm going to log a call with HP. Sounds like a bug to me.