Bug ID 583508: The same user can be configured in separate rules in the same ssh proxy profile

Last Modified: Feb 26, 2019


Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4

Opened: Mar 28, 2016
Severity: 3-Major

Symptoms

The same user can be configured in separate rules in the same SSH proxy profile. When this happens, the most restrictive action is applied for that user. For example, if rule1 has an allow action for shell for "user1" and rule2 has a disallow action for shell for "user1", then "user1" will be disallowed from opening a shell.

Impact

Current behavior is to use the rule that provides the most restrictive action for that channel type.

Conditions

Configure an SSH proxy profile and provide multiple rules with the same username.

Workaround

The current recommendation is to not use multiple rules with the same username.
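
One way to check a profile against this recommendation, as an added example that is not F5 code: it flags usernames that appear in more than one rule and shows the per-channel action each would get under the most-restrictive behavior described above. The dictionary layout, the rule and user names, and the "sftp" channel are constructed for illustration and are not BIG-IP configuration syntax.

```python
from collections import defaultdict

# Constructed sample: a simplified model of one SSH proxy profile.
# Not BIG-IP syntax; rule names, users and the "sftp" channel are made up.
SAMPLE_PROFILE = {
    "rule1": {"users": ["user1", "user2"],
              "actions": {"shell": "allow", "sftp": "allow"}},
    "rule2": {"users": ["user1"], "actions": {"shell": "disallow"}},
    "rule3": {"users": ["user3"], "actions": {"shell": "allow"}},
}

# Higher value = more restrictive. Only the two actions named in this report.
RESTRICTIVENESS = {"allow": 0, "disallow": 1}


def rules_by_user(profile):
    """Map each username to the sorted list of rules that name it."""
    seen = defaultdict(list)
    for rule_name, rule in profile.items():
        for user in set(rule["users"]):  # ignore repeats inside one rule
            seen[user].append(rule_name)
    return {user: sorted(rules) for user, rules in seen.items()}


def duplicate_users(profile):
    """Users that appear in more than one rule (the condition in this bug)."""
    return {u: r for u, r in rules_by_user(profile).items() if len(r) > 1}


def effective_actions(profile, user):
    """Per-channel action for a user, keeping the most restrictive match."""
    result = {}
    for rule in profile.values():
        if user not in rule["users"]:
            continue
        for channel, action in rule["actions"].items():
            current = result.get(channel)
            if current is None or RESTRICTIVENESS[action] > RESTRICTIVENESS[current]:
                result[channel] = action
    return result


if __name__ == "__main__":
    for user, rules in duplicate_users(SAMPLE_PROFILE).items():
        actions = effective_actions(SAMPLE_PROFILE, user)
        print(f"{user}: listed in {rules}, effective actions {actions}")
```
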

Fix Information

None

Behavior Change