diff -r -U4 openssh-4.5p1/auth.c openssh-4.5p1+byte/auth.c
--- openssh-4.5p1/auth.c 2006-10-27 16:10:16.000000000 +0100
+++ openssh-4.5p1+byte/auth.c 2007-02-04 14:44:48.000000000 +0000
@@ -209,10 +209,10 @@
 }
 /* Return false if one of user's groups is listed in DenyGroups */
 if (options.num_deny_groups > 0)
- if (ga_match(options.deny_groups,
- options.num_deny_groups)) {
+ if (ga_match_with_hostip(options.deny_groups,
+ options.num_deny_groups, hostname, ipaddr)) {
 ga_free();
 logit("User %.100s from %.100s not allowed "
 "because a group is listed in DenyGroups",
 pw->pw_name, hostname);
@@ -222,10 +222,10 @@
 * Return false if AllowGroups isn't empty and one of user's groups
 * isn't listed there
 */
 if (options.num_allow_groups > 0)
- if (!ga_match(options.allow_groups,
- options.num_allow_groups)) {
+ if (!ga_match_with_hostip(options.allow_groups,
+ options.num_allow_groups, hostname, ipaddr)) {
 ga_free();
 logit("User %.100s from %.100s not allowed "
 "because none of user's groups are listed "
 "in AllowGroups", pw->pw_name, hostname);
diff -r -U4 openssh-4.5p1/groupaccess.c openssh-4.5p1+byte/groupaccess.c
--- openssh-4.5p1/groupaccess.c 2006-08-05 03:39:40.000000000 +0100
+++ openssh-4.5p1+byte/groupaccess.c 2007-02-04 14:44:31.000000000 +0000
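Review bot: Neither hunk documents that the DenyGroups/AllowGroups decision now also depends on the connecting host, so a reader of allowed_user() (whose body starts and ends outside both hunks) has to open groupaccess.c to learn that a `GROUP@HOST` pattern is resolved through match_user() against `hostname` and `ipaddr`; the same applies to the -222 hunk. I would put `/* GROUP@HOST patterns: HOST is matched against hostname/ipaddr by match_user() */` above the `if (options.num_deny_groups > 0)` line. Since `hostname` here is presumably the canonical name obtained by reverse lookup (the existing logit() already prints it), a host-qualified DenyGroups entry is only as reliable as that lookup, and an address pattern in the HOST part, which match_user() presumably also checks against `ipaddr`, avoids that dependency. `ipaddr` is not visible in either hunk, so its initialisation before this point is assumed.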
@@ -87,8 +87,24 @@
 return 0;
 }
 /*
+ * Return 1 if one of user's groups is contained in groups, and host/ipaddr matches.
+ * Return 0 otherwise. Use match_user() for string/host/ipaddr comparison.
+ */
+int
+ga_match_with_hostip(char * const *groups, int n, const char *host, const char *ipaddr)
+{
+ int i, j;
+
+ for (i = 0; i < ngroups; i++)
+ for (j = 0; j < n; j++)
+ if (match_user(groups_byname[i], host, ipaddr, groups[j]))
+ return 1;
+ return 0;
+}
+
+/*
 * Free memory allocated for group access list.
 */
 void
 ga_free(void)
diff -r -U4 openssh-4.5p1/groupaccess.h openssh-4.5p1+byte/groupaccess.h
--- openssh-4.5p1/groupaccess.h 2006-08-05 03:39:40.000000000 +0100
+++ openssh-4.5p1+byte/groupaccess.h 2007-02-04 14:44:58.000000000 +0000
@@ -28,7 +28,8 @@
 #define GROUPACCESS_H
 int ga_init(const char *, gid_t);
 int ga_match(char * const *, int);
+int ga_match_with_hostip(char * const *, int, const char *, const char *);
 void ga_free(void);
 #endif
diff -r -U4 openssh-4.5p1/sshd_config.0 openssh-4.5p1+byte/sshd_config.0
--- openssh-4.5p1/sshd_config.0 2006-11-07 13:07:28.000000000 +0000
+++ openssh-4.5p1+byte/sshd_config.0 2007-02-04 14:27:54.000000000 +0000
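Review bot: The new header comment on ga_match_with_hostip() overstates the contract: `host`/`ipaddr` are only consulted when a pattern carries a `@HOST` part, which is what the sshd_config.5 text in this patch says and what match_user() implements, whereas the comment reads as if every match requires a host match. I would reword it to `Return 1 if one of the user's groups matches a pattern in groups; for GROUP@HOST patterns, HOST must additionally match host/ipaddr (see match_user()). Return 0 otherwise. ga_init() must have been called first.`, the last sentence because the loop reads the file-scope `ngroups`/`groups_byname`, presumably filled by ga_init(), rather than anything passed in. Style: the comment's first line and the definition line both exceed 80 columns; wrap the parameters as `ga_match_with_hostip(char * const *groups, int n, const char *host,` / `    const char *ipaddr)`, as the call sites in auth.c already do.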
@@ -38,12 +38,14 @@
 This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group
- ID is not recognized. By default, login is allowed for all
- groups. The allow/deny directives are processed in the following
- order: DenyUsers, AllowUsers, DenyGroups, and finally
- AllowGroups.
+ ID is not recognized. If the pattern takes the form GROUP@HOST
+ then GROUP and HOST are separately checked, restricting logins to
+ particular groups from particular hosts. By default, login is
+ allowed for all groups. The allow/deny directives are processed
+ in the following order: DenyUsers, AllowUsers, DenyGroups, and
+ finally AllowGroups.
 See PATTERNS in ssh_config(5) for more information on patterns.
 AllowTcpForwarding
@@ -134,11 +136,14 @@
 This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recog-
- nized. By default, login is allowed for all groups. The al-
- low/deny directives are processed in the following order:
- DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
+ nized. By default, login is allowed for all groups. If the
+ pattern takes the form GROUP@HOST then GROUP and HOST are separa-
+ tely checked, restricting logins to particular groups from parti-
+ cular hosts. The allow/deny directives are processed in the fol-
+ lowing order: DenyUsers, AllowUsers, DenyGroups, and finally
+ AllowGroups.
 See PATTERNS in ssh_config(5) for more information on patterns.
 DenyUsers
diff -r -U4 openssh-4.5p1/sshd_config.5 openssh-4.5p1+byte/sshd_config.5
--- openssh-4.5p1/sshd_config.5 2006-08-30 02:06:34.000000000 +0100
+++ openssh-4.5p1+byte/sshd_config.5 2007-02-04 14:27:04.000000000 +0000
@@ -103,8 +103,11 @@
 If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.
+If the pattern takes the form GROUP@HOST then GROUP and HOST
+are separately checked, restricting logins to particular
+groups from particular hosts.
 The allow/deny directives are processed in the following order:
 .Cm DenyUsers ,
 .Cm AllowUsers ,
 .Cm DenyGroups ,
@@ -249,8 +252,11 @@
 Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.
+If the pattern takes the form GROUP@HOST then GROUP and HOST
+are separately checked, restricting logins to particular
+groups from particular hosts.
 The allow/deny directives are processed in the following order:
 .Cm DenyUsers ,
 .Cm AllowUsers ,
 .Cm DenyGroups ,