From owner-freebsd-bugs Wed Feb 21 13:30: 8 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id BEF1537B65D
	for ; Wed, 21 Feb 2001 13:30:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f1LLU1I19177;
	Wed, 21 Feb 2001 13:30:01 -0800 (PST)
	(envelope-from gnats)
Received: from news.IAEhv.nl (news.IAE.nl [194.151.64.4])
	by hub.freebsd.org (Postfix) with ESMTP id 88A3C37B401
	for ; Wed, 21 Feb 2001 13:22:14 -0800 (PST)
	(envelope-from Arjan.deVet@adv.iae.nl)
Received: (from uucp@localhost)
	by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id WAA12474
	for FreeBSD-gnats-submit@freebsd.org; Wed, 21 Feb 2001 22:22:12 +0100 (MET)
Received: by adv.devet.org (Postfix, from userid 100)
	id 935143E15; Wed, 21 Feb 2001 22:21:48 +0100 (CET)
Message-Id: <20010221212148.935143E15@adv.devet.org>
Date: Wed, 21 Feb 2001 22:21:48 +0100 (CET)
From: Arjan de Vet
Reply-To: Arjan de Vet
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/25263: OpenSSH and /etc/login.access do not work with IP addresses
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         25263
>Category:       bin
>Synopsis:       openssh and /etc/login.access do not work with IP addr
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 21 13:30:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Arjan de Vet
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
>Environment:

FreeBSD adv.devet.org 4.2-STABLE FreeBSD 4.2-STABLE #2: Sun Feb 18 21:54:27 CET 2001 root@adv.devet.org:/home/obj/usr/src/sys/ADV i386

>Description:

OpenSSH does not always work correctly with the /etc/login.access file
when IP addresses and networks are used in that file. Host/domain names
work OK. See also conf/5062.

>How-To-Repeat:

Add something like this to /etc/login.access

	+:wheel:192.168.1.

and try to log in from a 192.168.1.* host with a usercode present in the
wheel group.

>Fix:

Check the IP address too with login_access(3):

Index: auth1.c
===================================================================
RCS file: /home/freebsd/CVS/src/crypto/openssh/auth1.c,v
retrieving revision 1.3.2.4
diff -u -r1.3.2.4 auth1.c
--- auth1.c	2001/01/12 04:25:55	1.3.2.4
+++ auth1.c	2001/02/21 20:59:04
@@ -458,7 +458,8 @@
 	}
 #endif /* HAVE_LOGIN_CAP */
 #ifdef LOGIN_ACCESS
-	if (pw != NULL && !login_access(pw->pw_name, from_host)) {
+	if (pw != NULL && !login_access(pw->pw_name, from_host)
+	    && !login_access(pw->pw_name, from_ip)) {
 		log("Denied connection for %.200s from %.200s [%.200s].",
 		    pw->pw_name, from_host, from_ip);
 		packet_disconnect("Sorry, you are not allowed to connect.");
Index: auth2.c
===================================================================
RCS file: /home/freebsd/CVS/src/crypto/openssh/auth2.c,v
retrieving revision 1.2.2.4
diff -u -r1.2.2.4 auth2.c
--- auth2.c	2001/01/12 04:25:55	1.2.2.4
+++ auth2.c	2001/02/21 20:59:35
@@ -248,7 +248,8 @@
 #endif /* HAVE_LOGIN_CAP */
 #ifdef LOGIN_ACCESS
 	if (authctxt->pw != NULL &&
-	    !login_access(authctxt->pw->pw_name, from_host)) {
+	    !login_access(authctxt->pw->pw_name, from_host) &&
+	    !login_access(authctxt->pw->pw_name, from_ip)) {
 		log("Denied connection for %.200s from %.200s [%.200s].",
 		    authctxt->pw->pw_name, from_host, from_ip);
 		packet_disconnect("Sorry, you are not allowed to connect.");

>Release-Note:
>Audit-Trail:
>Unformatted:
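Review bot: in the auth1.c hunk, joining the two lookups with `&&` turns a `-` rule that matches only one form of the client identity into a no-op: login_access(3) returns permit when no rule matches, so with a file containing `-:ALL:.badnet.example` a client whose host name matches that rule but whose IP address matches nothing is refused by the first call, permitted by the second, and therefore connected. Swapping to `||` removes that hole but brings back the reported failure, since the name lookup of `+:wheel:192.168.1.` followed by a trailing `-:ALL:ALL` still denies. What keeps both `+` and `-` rules meaningful is a single pass over the file in which each rule's from-list is tested against both from_host and from_ip and the first rule that matches either form decides; that calls for a login_access() variant taking both strings rather than two independent lookups. Whatever is chosen, the new semantics should be stated in login.access(5), which currently describes one host string per lookup.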
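Review bot: the auth2.c hunk has the same deny-rule bypass as the auth1.c change (refused only when both the host-name and the IP lookup refuse, while an unmatched lookup permits), so the fix adopted for protocol 1 must be mirrored here to keep the two authentication paths identical. Style: this hunk puts the continuation `&&` at the end of the line while the auth1.c hunk puts it at the start of the next one; use one form in both, the trailing form matching the existing `if (authctxt->pw != NULL &&` context line.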
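As an added example, not code from this PR or from FreeBSD's login_access.c, the following C model reduces login.access matching to the pieces needed to reproduce the report: a `from` token is matched as ALL, an exact name, a `.domain` suffix or a `1.2.3.` network prefix, the first matching rule decides, and no match means permit. The user/group table, the rule sets, the host names and the addresses are all constructed; LOCAL, EXCEPT and tty matching are left out. It shows why `+:wheel:192.168.1.` never matches when sshd hands over the resolved host name, and what the "denied only if both lookups deny" combination in the patch does with a rule that denies by host name only.

```c
/*
 * Added example, not code from the PR or from FreeBSD's login_access.c:
 * a reduced model of login.access rule matching.  Rule sets, the
 * user/group table, host names and addresses are all constructed.
 * Omitted from the real implementation: LOCAL, EXCEPT, tty matching.
 */
#include <stdio.h>
#include <string.h>

/* One line of /etc/login.access: permission, user list, from list. */
struct rule {
    char perm;           /* '+' permit, '-' deny */
    const char *users;   /* space-separated user or group names */
    const char *froms;   /* space-separated host patterns */
};

/* Constructed stand-in for getgrnam(3): user -> group. */
static const char *group_of[][2] = {
    { "arjan", "wheel" },
    { "guest", "users" },
};

/* ALL, exact name, ".domain" suffix, or "1.2.3." network prefix. */
static int from_match(const char *tok, const char *from)
{
    size_t tl = strlen(tok), fl = strlen(from);

    if (strcmp(tok, "ALL") == 0 || strcmp(tok, from) == 0)
        return 1;
    if (tok[0] == '.' && fl > tl && strcmp(from + fl - tl, tok) == 0)
        return 1;                                /* domain suffix */
    if (tok[tl - 1] == '.' && strncmp(tok, from, tl) == 0)
        return 1;                                /* network prefix */
    return 0;
}

/* ALL, the user name, or a group the user belongs to. */
static int user_match(const char *tok, const char *user)
{
    size_t i;

    if (strcmp(tok, "ALL") == 0 || strcmp(tok, user) == 0)
        return 1;
    for (i = 0; i < sizeof group_of / sizeof group_of[0]; i++)
        if (strcmp(group_of[i][0], user) == 0 &&
            strcmp(group_of[i][1], tok) == 0)
            return 1;
    return 0;
}

/* True if any space-separated token in list matches item. */
static int list_match(const char *list, const char *item,
                      int (*match)(const char *, const char *))
{
    char tok[64];
    size_t n;

    while (*list) {
        while (*list == ' ')
            list++;
        for (n = 0; *list && *list != ' ' && n < sizeof tok - 1; n++)
            tok[n] = *list++;
        tok[n] = '\0';
        while (*list && *list != ' ')        /* drop an over-long tail */
            list++;
        if (n > 0 && match(tok, item))
            return 1;
    }
    return 0;
}

/* First rule matching (user, from) decides; no match means permit,
 * which is what login_access(3) does. */
static int access_lookup(const struct rule *r, size_t n,
                         const char *user, const char *from)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (list_match(r[i].froms, from, from_match) &&
            list_match(r[i].users, user, user_match))
            return r[i].perm == '+';
    return 1;
}

/* sshd before the patch: only the resolved host name is looked up. */
int check_unpatched(const struct rule *r, size_t n,
                    const char *user, const char *host)
{
    return access_lookup(r, n, user, host);
}

/* sshd with the PR's patch: refused only when both lookups refuse. */
int check_patched(const struct rule *r, size_t n,
                  const char *user, const char *host, const char *ip)
{
    return access_lookup(r, n, user, host) || access_lookup(r, n, user, ip);
}

#define NRULES(a) (sizeof (a) / sizeof (a)[0])

/* The PR's How-To-Repeat line plus a trailing catch-all deny (assumed). */
const struct rule access_file[] = {
    { '+', "wheel", "192.168.1." },
    { '-', "ALL",   "ALL" },
};

/* A deny-by-host-name-only rule (constructed). */
const struct rule deny_file[] = {
    { '-', "ALL", ".evil.example" },
};

int main(void)
{
    printf("unpatched, wheel user from ws1.lan.example:  %d\n",
           check_unpatched(access_file, NRULES(access_file),
                           "arjan", "ws1.lan.example"));
    printf("patched,   same client also as 192.168.1.5: %d\n",
           check_patched(access_file, NRULES(access_file),
                         "arjan", "ws1.lan.example", "192.168.1.5"));
    printf("patched,   c2.evil.example / 203.0.113.7:   %d\n",
           check_patched(deny_file, NRULES(deny_file),
                         "arjan", "c2.evil.example", "203.0.113.7"));
    return 0;
}
```

The first two calls reproduce the report: the name lookup falls through `192.168.1.` to the catch-all deny, and the patched check recovers the login because the IP lookup matches. The third call is the cost of the `||` combination (the `&&` on the negated form in the patch): the host-name rule refuses, the IP lookup matches nothing and permits, and the deny rule is bypassed.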