Q: using sshd_config to fine-tune remote login privs (Answered, 4 out of 5 stars, 1 Comment)
Question
Subject: using sshd_config to fine-tune remote login privs
Category: Computers > Security
Asked by: destruktobot-ga
List Price: $20.00
Posted: 20 Jul 2005 09:35 PDT
Expires: 19 Aug 2005 09:35 PDT
Question ID: 545814
i require a combination of allowusers/denyusers directives that will
effect the following:

user FOO is allowed to login to this server from remote server BAR _only_.
all other users may login to this server from any host.

the closest i've gotten has been something like this:

denyusers FOO@*.mydomain.com
allowusers FOO@BAR.mydomain.com *

{afaik, sshd_config does not support regexp, just * and ?}

/var/log/messages indicates that FOO cannot log in, because that
username is in the denyusers directive.  i have verified that hostname
BAR in lastlog and hostname BAR in sshd_config match.  the server in
question runs SLES 9 and OpenSSH_3.8p1.

here are my stipulations:
shosts.equiv and solutions other than sshd_config aren't acceptable
for this task, sorry.

recompiling ssh isn't an option.

if the configuration that i desire is possible, please explain what
i'm doing wrong and how to effect it.  if it isn't possible, please
explain why.

thanks!
Answer
Subject: Re: using sshd_config to fine-tune remote login privs
Answered By: efn-ga on 20 Jul 2005 22:02 PDT
Rated: 4 out of 5 stars

Hi destruktobot,

Sorry, what you want is not possible.

You can get the desired effect for user FOO with the line

AllowUsers FOO@BAR.mydomain.com

This both allows FOO to log in from that host and forbids FOO from
logging in from any other host.

The problem is that then there is no way to let everyone else log in
from anywhere.  Once you have any AllowUsers line, all other access is
blocked by default.  So what you really need is a line that means

AllowUsers anythingbut(FOO)

Unfortunately, as you have seen, the syntax allowed for these lines is
not flexible enough to express this meaning.  You are correct that
only the wildcard characters '?' and '*' are supported, and there is
no way to compose a sequence of characters that will match any string
but "FOO".

Similarly, it can't be done with DenyUsers.  As you have found, a
matching DenyUsers line will block access even if there is also a
matching AllowUsers line.  So you would need a line that means

DenyUsers FOO@anythingbut(BAR.mydomain.com)

But as in the AllowUsers case, there is no way to get the
"anythingbut" effect with only the '*' and '?' wildcard characters.


References

The manual page on sshd_config confirms that only the '*' and '?'
wildcard characters are supported.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

An article by Vincent Danen on "Optimizing OpenSSH" on the linsec.ca
website says "Be aware when using DenyUsers and AllowUsers in
combination; the DenyUsers will always have precedence."
http://linsec.ca/syshardening/openssh.php

Similarly, an article by Chris Wong on HP-UX Secure Shell says "If a
user is restricted by any option, that user will not be granted
access."
http://newfdawg.com/SHP-SSHpart3.htm


I hope this is a satisfactory answer to your question.  If it's not
clear enough, please ask for a clarification.

Regards,

--efn
destruktobot-ga rated this answer: 4 out of 5 stars
Thanks to EFN for the thorough answer.  I had hoped for an
undiscovered solution, but the lack of one is hardly the researcher's
fault - at least no doubts and "what ifs" linger.
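
As an added illustration (not part of the answer above, and not OpenSSH's own code), the following Python models the evaluation order the answer describes: DenyUsers is checked first and a match is final; then, if any AllowUsers entry exists, the login must match one of them. The matcher supports only the '*' and '?' wildcards, host patterns are compared against the hostname only (the real sshd also tries the client address), and the two configurations are the ones from this thread.

```python
"""Model of how OpenSSH-era sshd evaluates AllowUsers/DenyUsers for one login.
Constructed for illustration; not OpenSSH's own code. The order follows the
sshd_config(5) description: DenyUsers is checked first and a match is final,
then, if any AllowUsers entry exists, the login must match one of them."""

def glob_match(pattern: str, text: str) -> bool:
    """Match using only the '*' and '?' wildcards sshd_config supports
    (no character classes, no negation, no regular expressions)."""
    if not pattern:
        return text == ""
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        # '*' may absorb any run of characters, including none
        return any(glob_match(rest, text[i:]) for i in range(len(text) + 1))
    if not text:
        return False
    return (head == "?" or head == text[0]) and glob_match(rest, text[1:])

def entry_matches(entry: str, user: str, host: str) -> bool:
    """An entry is USER or USER@HOST; both halves are wildcard patterns.
    Only the hostname is compared here (real sshd also tries the client IP)."""
    if "@" in entry:
        upat, hpat = entry.split("@", 1)
        return glob_match(upat, user) and glob_match(hpat, host)
    return glob_match(entry, user)

def login_allowed(deny_users, allow_users, user, host) -> bool:
    # 1. Any DenyUsers match refuses the login, even if AllowUsers also matches.
    if any(entry_matches(e, user, host) for e in deny_users):
        return False
    # 2. Once AllowUsers is present at all, a login must match one entry.
    if allow_users:
        return any(entry_matches(e, user, host) for e in allow_users)
    return True

# The two configurations discussed in this thread
ASKER_DENY = ["FOO@*.mydomain.com"]          # DenyUsers from the question
ASKER_ALLOW = ["FOO@BAR.mydomain.com", "*"]  # AllowUsers from the question
ANSWER_ALLOW = ["FOO@BAR.mydomain.com"]      # AllowUsers-only line from the answer

def asker_config(user: str, host: str) -> bool:
    return login_allowed(ASKER_DENY, ASKER_ALLOW, user, host)

def answer_config(user: str, host: str) -> bool:
    return login_allowed([], ANSWER_ALLOW, user, host)

if __name__ == "__main__":
    for user, host in [("FOO", "BAR.mydomain.com"), ("FOO", "x.mydomain.com"), ("alice", "any.example.net")]:
        print(f"{user}@{host}: asker={asker_config(user, host)} answer={answer_config(user, host)}")
```

Running it shows FOO refused from BAR under the asker's configuration (the DenyUsers line wins, matching the log message in the question) and everyone other than FOO refused under the AllowUsers-only line from the answer.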

Comments
Subject: Re: using sshd_config to fine-tune remote login privs
From: bozo99-ga on 21 Jul 2005 12:18 PDT

This steps outside your planned constraint of using only the config
file but I thought it was worth a mention.

If you are prepared to set FOO a custom shell that he cannot change, it
could test the value of SSH_CLIENT in the environment.  If the value is
satisfactory, execute a proper shell; otherwise exit.
