From owner-freebsd-security Wed May 30 1:46: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ego.mind.net (ego.mind.net [206.99.66.9]) by hub.freebsd.org (Postfix) with ESMTP id A931A37B424; Wed, 30 May 2001 01:45:57 -0700 (PDT) (envelope-from takhus@takhus.mind.net)
Received: from takhus.dyn.mind.net (AFN-Dyn-2084622070.pc.ashlandfiber.net [208.46.220.70]) by ego.mind.net (8.9.3/8.9.3) with ESMTP id BAA23636; Wed, 30 May 2001 01:45:57 -0700
Received: from localhost (fleisher@localhost) by takhus.dyn.mind.net (8.11.3/8.11.3) with ESMTP id f4U8juY12649; Wed, 30 May 2001 01:45:56 -0700 (PDT) (envelope-from takhus@takhus.mind.net)
X-Authentication-Warning: takhus.dyn.mind.net: fleisher owned process doing -bs
Date: Wed, 30 May 2001 01:45:56 -0700 (PDT)
From: Tony Fleisher
X-Sender: fleisher@takhus.dyn.mind.net
To: Arjan.deVet@adv.iae.nl
Cc: green@freebsd.org, freebsd-security@freebsd.org
Subject: Re: bin/25263 and conf/5062 : /etc/login.access does not work with IP addr
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Arjan.deVet@adv.iae.nl wrote:

> green@FreeBSD.org wrote:
>
> >This is a huge policy change and really would need to be discussed
> >on (possibly) -security a lot before it could be made. The problem
> >is that, as you know, login.access acts much like a firewall list.
> >That also means that if the host is passed down the list it can take
> >a totally different route (really, stop at a completely different
> >time) than if you pass the IP address. This would need to be solved
> >generally.
>
> Yep, I agree and my patch is indeed wrong. What we need I think is a
>
>     login_access(user, from_tty, from_domain, from_ip)
>
> to implement the things the login_access(5) manual page promises. The
> current 'from' argument can only contain either the FQDN or the
> IP-address of the remote system, and that's not enough.
>
> Arjan

I came across PR 25263 as I was looking into PR 5062, which is closely
related (the real issue here is that login.access(5) was not really
implemented to meet the definition in the manpage), as this is more an
issue of login.access than an openssh issue.

I agree that login_access() needs to be passed both an IP address and a
hostname (the alternative is to rewrite the definition of what this
functionality is supposed to provide; it does not appear that it has ever
actually provided the functionality described in the manpage) in order to
perform the checks that it claims to perform.

The fix for telnetd(8) to implement login.access according to the manpage
is more difficult in that it spawns login(1), which only takes one
parameter (via the -h switch) for "hostname" to check against. (It passes
a hostname unless it cannot find one, in which case it passes the IP
address. Whichever gets passed to login is what is used to match against
entries in /etc/login.access.)

It seems that the lack of conformity to the manpage description should be
documented in a BUGS section of login.access(5).

Regards,
Tony.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
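The matching gap the thread describes, as an added example that is not part of the original message and not FreeBSD's own login_access() code: a simplified login.access(5)-style checker in C whose origins field is tested against both a hostname and an IP address, the `login_access(user, from_tty, from_domain, from_ip)` idea Arjan proposes. It assumes a cut-down rule syntax (ALL, leading-dot domain suffix, trailing-dot network number, exact match; no EXCEPT lists, group names or tty origins), a constructed table, and my own function names `login_access_check`, `origin_matches` and `field_matches`. Passing `ip == NULL` emulates today's single "from" argument.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified login.access(5)-style checker: an added example, not FreeBSD's
 * login_access(). Rules are "permission:users:origins"; first match wins.
 * Deliberately omitted: EXCEPT lists, group names and tty origins. */
#define MAX_LINE 256

/* One origin token against one "from" value, per the manpage conventions:
 * ALL; leading '.' = domain suffix; trailing '.' = network-number prefix;
 * otherwise exact (case-insensitive). A NULL value never matches, which is
 * exactly what happens today when only the hostname reaches login(1). */
static int origin_matches(const char *tok, const char *from)
{
    size_t tl, fl;
    if (from == NULL || *from == '\0')
        return 0;
    if (strcasecmp(tok, "ALL") == 0)
        return 1;
    tl = strlen(tok);
    fl = strlen(from);
    if (tok[0] == '.')                          /* ".ashlandfiber.net" */
        return fl > tl && strcasecmp(from + fl - tl, tok) == 0;
    if (tl > 0 && tok[tl - 1] == '.')           /* "208.46." */
        return strncmp(from, tok, tl) == 0;
    return strcasecmp(tok, from) == 0;
}

/* Split a comma/space separated field and test every token. Users use only
 * `a`; origins try both the hostname (`a`) and the IP address (`b`). */
static int field_matches(const char *field, const char *a, const char *b, int is_origin)
{
    char buf[MAX_LINE];
    char *tok, *save;

    strncpy(buf, field, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok_r(buf, ", \t", &save); tok != NULL; tok = strtok_r(NULL, ", \t", &save)) {
        if (is_origin) {
            if (origin_matches(tok, a) || origin_matches(tok, b))
                return 1;
        } else if (strcmp(tok, "ALL") == 0 || strcmp(tok, a) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Returns 1 if access is permitted, 0 if denied. `table` is the text of a
 * login.access file. With ip == NULL, `host` is whatever login -h received
 * (hostname if it resolved, else the address), as the thread describes. */
int login_access_check(const char *table, const char *user, const char *host, const char *ip)
{
    char line[MAX_LINE];
    const char *p = table;

    while (*p != '\0') {
        size_t n = strcspn(p, "\n");
        char *users, *origins;

        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n;
        if (*p == '\n')
            p++;
        if (line[0] == '#' || line[0] == '\0')
            continue;
        if ((users = strchr(line, ':')) == NULL)
            continue;
        *users++ = '\0';
        if ((origins = strchr(users, ':')) == NULL)
            continue;
        *origins++ = '\0';
        if (field_matches(users, user, NULL, 0) && field_matches(origins, host, ip, 1))
            return line[0] == '+';
    }
    return 1; /* no rule matched: login.access(5) grants access */
}

int main(void)
{
    /* Constructed table: permit one user from a network number, deny the rest. */
    const char *table = "# constructed example login.access\n"
                        "+:fleisher:208.46.\n"
                        "-:ALL:ALL\n";
    const char *host = "AFN-Dyn-2084622070.pc.ashlandfiber.net";
    const char *ip = "208.46.220.70";

    /* Hostname resolved, so only it is matched: the network rule never sees
     * the address and the deny-all rule wins. */
    printf("hostname only: %d\n", login_access_check(table, "fleisher", host, NULL));
    /* Both values available: the network rule matches as the manpage says. */
    printf("hostname + ip: %d\n", login_access_check(table, "fleisher", host, ip));
    return 0;
}
```

The reverse case is just as instructive: a deny rule written as a domain suffix silently stops applying when the reverse lookup fails and login(1) is handed the bare address instead, because only one of the two identities is ever consulted.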