(Allow|Deny)Users patch against 1.2.20 from Steve Kann
----------------------------------------------------------------------
diff -ru ./servconf.c /opt/ssh/v1.2.20/src/servconf.c
--- ./servconf.c Tue Apr 22 20:40:08 1997
+++ /opt/ssh/v1.2.20/src/servconf.c Thu Apr 24 12:13:34 1997
@@ -94,6 +94,8 @@
 options->forced_passwd_change = -1;
 options->num_allow_hosts = 0;
 options->num_deny_hosts = 0;
+ options->num_allow_users = 0;
+ options->num_deny_users = 0;
 options->umask = -1;
 options->idle_timeout = -1;
 }
@@ -190,11 +192,11 @@
 sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
 sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
- sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
- sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sPidFile,
- sForcedPasswd, sUmask, sSilentDeny, sIdleTimeout, sUseLogin,
- sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTgtPassing,
- sAllowTcpForwarding
+ sAllowUsers, sDenyUsers, sListenAddress, sPrintMotd, sIgnoreRhosts,
+ sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd,
+ sRandomSeedFile, sKeepAlives, sPidFile, sForcedPasswd, sUmask,
+ sSilentDeny, sIdleTimeout, sUseLogin, sKerberosAuthentication,
+ sKerberosOrLocalPasswd, sKerberosTgtPassing, sAllowTcpForwarding
 } ServerOpCodes;
 /* Textual representation of the tokens. */
@@ -221,6 +223,8 @@
 { "uselogin", sUseLogin },
 { "allowhosts", sAllowHosts },
 { "denyhosts", sDenyHosts },
+ { "allowusers", sAllowUsers },
+ { "denyusers", sDenyUsers },
 { "listenaddress", sListenAddress },
 { "printmotd", sPrintMotd },
 { "ignorerhosts", sIgnoreRhosts },
@@ -630,6 +634,32 @@
 exit(1);
 }
 options->deny_hosts[options->num_deny_hosts++] = xstrdup(cp);
+ }
+ break;
+
+ case sAllowUsers:
+ while ((cp = strtok(NULL, WHITESPACE)))
+ {
+ if (options->num_allow_users >= MAX_ALLOW_USERS)
+ {
+ fprintf(stderr, "%s line %d: too many allow users.\n",
+ filename, linenum);
+ exit(1);
+ }
+ options->allow_users[options->num_allow_users++] = xstrdup(cp);
+ }
+ break;
+
+ case sDenyUsers:
+ while ((cp = strtok(NULL, WHITESPACE)))
+ {
+ if (options->num_deny_users >= MAX_DENY_USERS)
+ {
+ fprintf(stderr, "%s line %d: too many deny users.\n",
+ filename, linenum);
+ exit(1);
+ }
+ options->deny_users[options->num_deny_users++] = xstrdup(cp);
 }
 break;
diff -ru ./servconf.h /opt/ssh/v1.2.20/src/servconf.h
--- ./servconf.h Tue Apr 22 20:40:16 1997
+++ /opt/ssh/v1.2.20/src/servconf.h Thu Apr 24 12:10:13 1997
@@ -46,6 +46,8 @@
 #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
 #define MAX_DENY_HOSTS 256 /* Max # hosts on deny list. */
+#define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
+#define MAX_DENY_USERS 256 /* Max # users on deny list. */
 typedef struct
 {
@@ -90,6 +92,10 @@
 char *allow_hosts[MAX_ALLOW_HOSTS];
 unsigned int num_deny_hosts;
 char *deny_hosts[MAX_DENY_HOSTS];
+ unsigned int num_allow_users;
+ char *allow_users[MAX_ALLOW_USERS];
+ unsigned int num_deny_users;
+ char *deny_users[MAX_DENY_USERS];
 } ServerOptions;
 /* Initializes the server options to special values that indicate that they
diff -ru ./sshd.8.in /opt/ssh/v1.2.20/src/sshd.8.in
--- ./sshd.8.in Tue Apr 22 20:40:07 1997
+++ /opt/ssh/v1.2.20/src/sshd.8.in Thu Apr 24 12:39:39 1997
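Review bot: The new sAllowUsers and sDenyUsers cases are token-for-token copies of the sAllowHosts/sDenyHosts parsing that precedes them, differing only in the array, the counter, the limit macro and the word in the diagnostic, which leaves four copies of the same bound check to keep in step. A small static helper that takes the list, its counter, its maximum and the label would reduce each case to one call and keep the `exit(1)` policy and message text unchanged; the sketch below assumes `filename` and `linenum` have the types the existing `fprintf` call implies. The enclosing switch and the `cp` variable are declared outside the hunk.
```c
/* Appends each remaining whitespace-separated token of the current config
   line to list[], exiting with the same "too many ..." diagnostic as the
   hosts lists when max would be exceeded.  what names the list in the
   message ("allow users" / "deny users"). */
static void
add_pattern_list(char **list, unsigned int *count, unsigned int max,
                 const char *what, const char *filename, int linenum)
{
  char *cp;
  while ((cp = strtok(NULL, WHITESPACE)))
    {
      if (*count >= max)
        {
          fprintf(stderr, "%s line %d: too many %s.\n",
                  filename, linenum, what);
          exit(1);
        }
      list[(*count)++] = xstrdup(cp);
    }
}

/* … unchanged: earlier cases of the keyword switch … */
    case sAllowUsers:
      add_pattern_list(options->allow_users, &options->num_allow_users,
                       MAX_ALLOW_USERS, "allow users", filename, linenum);
      break;

    case sDenyUsers:
      add_pattern_list(options->deny_users, &options->num_deny_users,
                       MAX_DENY_USERS, "deny users", filename, linenum);
      break;
```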
@@ -274,9 +274,24 @@
 can also be configured to use tcp_wrappers using the --with-libwrap compile-time configuration option.
 .TP
+.B AllowUsers
+This keyword can be followed by any number of user name patterns,
+separated by spaces. If specified, login is allowed only as users whose
+name matches one of the patterns. '*' and '?' can be used as wildcards
+in the patterns. By default, logins as all users are allowed.
+
+Note that the all other login authentication steps must still be
+sucessfully completed. AllowUsers and DenyUsers are additional
+restrictions.
+.TP
 .B DenyHosts
 This keyword can be followed by any number of host name patterns,
 separated by spaces. If specified, login is disallowed from the hosts
+whose name matches any of the patterns.
+.TP
+.B DenyUsers
+This keyword can be followed by any number of user name patterns,
+separated by spaces. If specified, login is disallowed as users whose
 name matches any of the patterns.
 .TP
 .B FascistLogging
diff -ru ./sshd.c /opt/ssh/v1.2.20/src/sshd.c
--- ./sshd.c Tue Apr 22 20:40:08 1997
+++ /opt/ssh/v1.2.20/src/sshd.c Thu Apr 24 12:19:12 1997
@@ -1572,6 +1572,36 @@
 }
 }
 #endif /* CHECK_ETC_SHELLS */
+
+ /* here we check the AllowUser and DenyUser config options - SteveK */
+ /* Check whether logins are permitted for this user. */
+ if (options.num_allow_users > 0)
+ {
+ int i;
+ for (i = 0; i < options.num_allow_users; i++)
+ if (match_pattern(user, options.allow_users[i]))
+ break;
+ if (i >= options.num_allow_users)
+ {
+ log_msg("Connection for %.200s not allowed from %s\n",
+ user, get_canonical_hostname());
+ return 0;
+ }
+ }
+
+ /* Check whether logins are denied for this user. */
+ if (options.num_deny_users > 0)
+ {
+ int i;
+ for (i = 0; i < options.num_deny_users; i++)
+ if (match_pattern(user, options.deny_users[i]))
+ {
+ log_msg("Connection for %.200s denied from %s\n",
+ user, get_canonical_hostname());
+ return 0;
+ }
+ }
+
 return 1;
 }
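Review bot: Both new loops in sshd.c declare `int i` and compare it against `options.num_allow_users` / `options.num_deny_users`, which the servconf.h hunk declares as `unsigned int`, so each comparison is a signed/unsigned mix that -Wsign-compare flags; declare `unsigned int i;` in both blocks. The leading comment calls the keywords AllowUser/DenyUser while the tokens added to the table are allowusers/denyusers, and it does not record that the allow block falls through to the deny block rather than returning 1, so a name matched by both lists is refused; I would replace it with `/* Enforce AllowUsers, then DenyUsers: a name matched by both lists is refused. */` so that deny-wins ordering is not "optimized" away later. The enclosing function starts before the hunk, so it cannot be seen whether `user` is the name exactly as sent by the client or one already looked up in the password file; since the patterns are matched against that string, the comment should say which.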