Date: Wed, 21 Feb 2001 22:21:48 +0100 (CET) From: Arjan de Vet <Arjan.deVet@adv.iae.nl> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/25263: OpenSSH and /etc/login.access do not work with IP addresses Message-ID: <20010221212148.935143E15@adv.devet.org>
index | next in thread | raw e-mail
>Number: 25263
>Category: bin
>Synopsis: openssh and /etc/login.access does not work with IP addr
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 21 13:30:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Arjan de Vet
>Release: FreeBSD 4.2-STABLE i386
>Organization:
>Environment:
FreeBSD adv.devet.org 4.2-STABLE FreeBSD 4.2-STABLE #2: Sun Feb 18
21:54:27 CET 2001 root@adv.devet.org:/home/obj/usr/src/sys/ADV i386
>Description:
OpenSSH does not always work correctly with the /etc/login.access file
when IP addresses and networks are used in that file. Host/domain names
work OK.
See also conf/5062.
>How-To-Repeat:
Add something like this to /etc/login.access
+:wheel:192.168.1.
and try to login from a 192.168.1.* host with a usercode present in the
wheel group.
>Fix:
Check the IP address too with login_access(3):
Index: auth1.c
===================================================================
RCS file: /home/freebsd/CVS/src/crypto/openssh/auth1.c,v
retrieving revision 1.3.2.4
diff -u -r1.3.2.4 auth1.c
--- auth1.c 2001/01/12 04:25:55 1.3.2.4
+++ auth1.c 2001/02/21 20:59:04
@@ -458,7 +458,8 @@
}
#endif /* HAVE_LOGIN_CAP */
#ifdef LOGIN_ACCESS
- if (pw != NULL && !login_access(pw->pw_name, from_host)) {
+ if (pw != NULL && !login_access(pw->pw_name, from_host)
+ && !login_access(pw->pw_name, from_ip)) {
log("Denied connection for %.200s from %.200s [%.200s].",
pw->pw_name, from_host, from_ip);
packet_disconnect("Sorry, you are not allowed to connect.");
Index: auth2.c
===================================================================
RCS file: /home/freebsd/CVS/src/crypto/openssh/auth2.c,v
retrieving revision 1.2.2.4
diff -u -r1.2.2.4 auth2.c
--- auth2.c 2001/01/12 04:25:55 1.2.2.4
+++ auth2.c 2001/02/21 20:59:35
@@ -248,7 +248,8 @@
#endif /* HAVE_LOGIN_CAP */
#ifdef LOGIN_ACCESS
if (authctxt->pw != NULL &&
- !login_access(authctxt->pw->pw_name, from_host)) {
+ !login_access(authctxt->pw->pw_name, from_host) &&
+ !login_access(authctxt->pw->pw_name, from_ip)) {
log("Denied connection for %.200s from %.200s [%.200s].",
authctxt->pw->pw_name, from_host, from_ip);
packet_disconnect("Sorry, you are not allowed to connect.");
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010221212148.935143E15>