-/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
ci = server_get_connection_info(ssh, 1, options.use_dns);
ci->user = user;
+ ci->user_invalid = getpwnam(user) == NULL;
parse_server_match_config(&options, &includes, ci);
log_change_level(options.log_level);
log_verbose_reset();
-/* $OpenBSD: servconf.c,v 1.416 2024/09/15 01:11:26 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.417 2024/09/15 01:18:26 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
if (ci == NULL)
debug3("checking syntax for 'Match %s'", full_line);
else {
- debug3("checking match for '%s' user %s host %s addr %s "
+ debug3("checking match for '%s' user %s%s host %s addr %s "
"laddr %s lport %d", full_line,
ci->user ? ci->user : "(null)",
+ ci->user_invalid ? " (invalid)" : "",
ci->host ? ci->host : "(null)",
ci->address ? ci->address : "(null)",
ci->laddress ? ci->laddress : "(null)", ci->lport);
argv_consume(acp); /* consume remaining args */
return 1;
}
+ /* Criterion "invalid-user" also has no argument */
+ if (strcasecmp(attrib, "invalid-user") == 0) {
+ if (ci == NULL)
+ continue;
+ if (ci->user_invalid == 0)
+ result = 0;
+ else
+ debug("matched invalid-user at line %d", line);
+ continue;
+ }
/* All other criteria require an argument */
if ((arg = argv_next(acp, avp)) == NULL ||
*arg == '\0' || *arg == '#') {
" specification %s\n", p+6, p);
return -1;
}
+ } else if (strcmp(p, "invalid-user") == 0) {
+ ci->user_invalid = 1;
} else {
fprintf(stderr, "Invalid test mode specification %s\n",
p);
-/* $OpenBSD: servconf.h,v 1.167 2024/09/15 01:11:26 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.168 2024/09/15 01:18:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
/* Information about the incoming connection as used by Match */
struct connection_info {
const char *user;
+ int user_invalid;
const char *host; /* possibly resolved hostname */
const char *address; /* remote address */
const char *laddress; /* local address */
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.372 2024/09/15 01:11:26 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.373 2024/09/15 01:18:26 djm Exp $
.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
.Pp
The arguments to
.Cm Match
-are one or more criteria-pattern pairs or the single token
-.Cm All
-which matches all criteria.
+are one or more criteria-pattern pairs or one of the single token criteria:
+.Cm All ,
+which matches all criteria, or
+.Cm Invalid-User ,
+which matches when the requested user-name does not match any known account.
The available criteria are
.Cm User ,
.Cm Group ,