Date: Sat, 7 Dec 2002 14:58:23 +0300
From: Gleb Smirnoff
To: freebsd-hackers@FreeBSD.ORG
Subject: host addresses in login.access
Message-ID: <20021207115823.GB49000@cell.sick.ru>

Hi.

Using login.access(5) for restricting users to login from specific hosts, I've come across this 'bug'. If I specify a host address in login.access and it is resolvable, it never matches, e.g.:

    +:glebius:ALL:10.0.0.50

And sshd(8) will not let user glebius in from host 10.0.0.50.

I'm using system sshd with option "UseLogin yes", to make login.access work. sshd(8) spawns login(1) with the -h parameter. As it is in session.c, it passes the hostname to login(1), if the hostname is available:

    /* we have to stash the hostname before we close our socket. */
    if (options.use_login)
        hostname = get_remote_name_or_ip(utmp_len,
            options.verify_reverse_mapping);

login(1) itself never resolves the hostname back to an IP address. It tries to match this way in login_access.c:

    if (tok[0] == '@') {                        /* netgroup */
        return (netgroup_match(tok + 1, string, (char *) 0));
    } else if (string_match(tok, string)) {     /* ALL or exact match */
        return (YES);
    } else if (tok[0] == '.') {                 /* domain: match last fields */
        if ((str_len = strlen(string)) > (tok_len = strlen(tok))
            && strcasecmp(tok, string + str_len - tok_len) == 0)
            return (YES);
    } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
        if (strchr(string, '.') == 0)
            return (YES);
    } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */
               && strncmp(tok, string, tok_len) == 0) {
        return (YES);
    }
    return (NO);

I suppose login should resolve it back to the IP address and try it against the token, too. Is this a bug? Should I open a PR?

--
Totus tuus,
Glebius.
GLEBIUS-RIPN GLEB-RIPE
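An added example, not part of the original message and not code from the FreeBSD or OpenSSH sources: a stand-alone C re-implementation of the quoted login_access.c token matching (netgroups left out, string_match reduced to ALL-or-exact), plus a helper that also tries the token against the peer address, which is the change the post proposes. The address string is passed in by the caller here; that is an assumption standing in for the lookup login(1) would have to perform.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define YES 1
#define NO  0

/* Reduced stand-in for login_access.c's string_match(): "ALL" or exact match. */
static int string_match(const char *tok, const char *string)
{
    return (strcasecmp(tok, "ALL") == 0 || strcasecmp(tok, string) == 0) ? YES : NO;
}
/* Token-vs-host comparison as quoted from login_access.c (netgroups omitted;
 * an empty token is rejected rather than indexing tok[-1]). */
int from_match(const char *tok, const char *string)
{
    size_t tok_len, str_len;
    if (tok[0] == '\0') {
        return NO;
    } else if (string_match(tok, string)) {      /* ALL or exact match */
        return YES;
    } else if (tok[0] == '.') {                  /* domain: match last fields */
        if ((str_len = strlen(string)) > (tok_len = strlen(tok))
            && strcasecmp(tok, string + str_len - tok_len) == 0)
            return YES;
    } else if (strcasecmp(tok, "LOCAL") == 0) {  /* local: no dots */
        if (strchr(string, '.') == 0)
            return YES;
    } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network prefix */
               && strncmp(tok, string, tok_len) == 0) {
        return YES;
    }
    return NO;
}

/* The change the post asks about: try the token against the host name and,
 * failing that, against the address. Both are caller-supplied here (assumed);
 * login(1) would have to get addr from the connection or by resolving hostname. */
int from_match_host_or_addr(const char *tok, const char *hostname, const char *addr)
{
    if (from_match(tok, hostname))
        return YES;
    return addr != NULL ? from_match(tok, addr) : NO;
}

int main(void)
{   /* Constructed input: peer 10.0.0.50 has a reverse name; the rule lists the address. */
    printf("name only: %d, name or addr: %d\n", from_match("10.0.0.50", "client.example.org"),
           from_match_host_or_addr("10.0.0.50", "client.example.org", "10.0.0.50"));
    return 0;
}
```

With only the reverse-mapped name available, the address rule never matches, so the "+" entry silently grants nothing; comparing against the address as well makes the rule behave as written.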