Date: Wed, 21 Feb 2001 22:21:48 +0100 (CET)
From: Arjan de Vet <Arjan.deVet@adv.iae.nl>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/25263: OpenSSH and /etc/login.access do not work with IP addresses
Message-ID: <20010221212148.935143E15@adv.devet.org>
>Number: 25263
>Category: bin
>Synopsis: openssh and /etc/login.access does not work with IP addr
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 21 13:30:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Arjan de Vet
>Release: FreeBSD 4.2-STABLE i386
>Organization:
>Environment:
FreeBSD adv.devet.org 4.2-STABLE FreeBSD 4.2-STABLE #2: Sun Feb 18 21:54:27 CET 2001 root@adv.devet.org:/home/obj/usr/src/sys/ADV i386
>Description:
OpenSSH does not always work correctly with the /etc/login.access file when IP addresses and networks are used in that file. Host/domain names work OK. See also conf/5062.
>How-To-Repeat:
Add something like this to /etc/login.access:

+:wheel:192.168.1.

and try to login from a 192.168.1.* host with a usercode present in the wheel group.
>Fix:
Check the IP address too with login_access(3):

Index: auth1.c =================================================================== RCS file: /home/freebsd/CVS/src/crypto/openssh/auth1.c,v retrieving revision 1.3.2.4 diff -u -r1.3.2.4 auth1.c --- auth1.c 2001/01/12 04:25:55 1.3.2.4 +++ auth1.c 2001/02/21 20:59:04 @@ -458,7 +458,8 @@ } #endif /* HAVE_LOGIN_CAP */ #ifdef LOGIN_ACCESS - if (pw != NULL && !login_access(pw->pw_name, from_host)) { + if (pw != NULL && !login_access(pw->pw_name, from_host) + && !login_access(pw->pw_name, from_ip)) { log("Denied connection for %.200s from %.200s [%.200s].", pw->pw_name, from_host, from_ip); packet_disconnect("Sorry, you are not allowed to connect."); Index: auth2.c =================================================================== RCS file: /home/freebsd/CVS/src/crypto/openssh/auth2.c,v retrieving revision 1.2.2.4 diff -u -r1.2.2.4 auth2.c --- auth2.c 2001/01/12 04:25:55 1.2.2.4 +++ auth2.c 2001/02/21 20:59:35 
@@ -248,7 +248,8 @@ #endif /* HAVE_LOGIN_CAP */ #ifdef LOGIN_ACCESS if (authctxt->pw != NULL && - !login_access(authctxt->pw->pw_name, from_host)) { + !login_access(authctxt->pw->pw_name, from_host) && + !login_access(authctxt->pw->pw_name, from_ip)) { log("Denied connection for %.200s from %.200s [%.200s].", authctxt->pw->pw_name, from_host, from_ip); packet_disconnect("Sorry, you are not allowed to connect.");
>Release-Note:
>Audit-Trail:
>Unformatted:
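Review bot: in the auth1.c hunk the new condition `!login_access(pw->pw_name, from_host) && !login_access(pw->pw_name, from_ip)` refuses the connection only when both lookups refuse it. Because login_access(3) answers "allowed" when no rule matches, a deny rule keyed on an address or network (for example `-:wheel:192.168.1.` in a file that has no trailing `-:ALL:ALL`) stops taking effect as soon as the host-name lookup falls through to that default, so the patch fixes `+` rules at the cost of weakening `-` rules. Either document that the check now means "allow if either form matches", or let a single rule walk test each from-pattern against both the host name and the address so that the first matching rule decides once for both forms.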
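Review bot: the auth2.c hunk repeats the same two-lookup condition as auth1.c, with the same consequence that an address-keyed deny rule is honoured only when the host-name lookup also denies. Factoring the check into one helper called from both files would keep the two authentication paths in step and give a single place to settle the deny-rule semantics.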
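As an added example, constructed for this page and not taken from the PR or from FreeBSD's libutil, the following models login_access(3) rule matching for the file in the report: it shows why a host-name-only lookup misses the `192.168.1.` network rule, what the patch's combined check yields, and how that combination treats a deny rule. The trailing `-:ALL:ALL` line, the user and group names, and the one-group-per-user simplification are assumptions.

```c
#include <string.h>
#include <strings.h>

/* Constructed model (not FreeBSD's libutil) of login.access(5) "from"
 * matching: ALL matches any origin, ".domain" a host name with that
 * suffix, "1.2.3." an address with that prefix, anything else exactly. */
static int from_match(const char *pat, const char *origin)
{
    size_t pl = strlen(pat), ol = strlen(origin);
    if (strcasecmp(pat, "ALL") == 0)
        return 1;
    if (pat[0] == '.')
        return ol > pl && strcasecmp(origin + ol - pl, pat) == 0;
    if (pl > 0 && pat[pl - 1] == '.')
        return strncasecmp(origin, pat, pl) == 0;
    return strcasecmp(pat, origin) == 0;
}

struct rule { char perm; const char *who; const char *from; };

/* Model of login_access(3): the first rule whose users field (user name,
 * group name or ALL) and from field both match decides; with no match
 * access is allowed. Group membership is simplified to one group name. */
int login_access_sim(const struct rule *r, int n, const char *user,
                     const char *group, const char *origin)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(r[i].who, "ALL") != 0 && strcmp(r[i].who, user) != 0 &&
            strcmp(r[i].who, group) != 0)
            continue;
        if (from_match(r[i].from, origin))
            return r[i].perm == '+';
    }
    return 1;
}

/* sshd with the PR's patch: refused only when BOTH the host-name lookup
 * and the address lookup refuse (unpatched sshd tested the host name only). */
int allowed_patched(const struct rule *r, int n, const char *user,
                    const char *group, const char *host, const char *ip)
{
    return login_access_sim(r, n, user, group, host) ||
           login_access_sim(r, n, user, group, ip);
}

/* The PR's rule plus the catch-all deny such a file normally ends with
 * (assumed here; with no deny rule nothing would ever be refused).    */
const struct rule pr_rules[] = { { '+', "wheel", "192.168.1." },
                                 { '-', "ALL", "ALL" } };
```

Running the deny-rule case shows the caveat of the combined check: a `-` rule keyed on an address is honoured only when the host-name lookup also denies.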