From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 17:02:30 2004
Date: Thu, 19 Feb 2004 12:04:50 +1100
From: Tig
To: freebsd-security@freebsd.org
Message-Id: <20040219120450.1854b521@piglet.goo>
Subject: security bug with /etc/login.access
List-Id: Security issues [members-only posting]

/etc/login.access does not work 100% over ssh.

I have the following line in login.access:

    -:ray:ALL EXCEPT LOCAL

which I believe means the user 'ray' cannot log in from anywhere unless it is a local login.

So, I tested it over ssh from a remote box:

    tigger@piglet:~% ssh ray@sonic.cbnmediaX.com.au
    Password:
    Password:
    Password:
    ray@sonic.cbnmediaX.com.au's password:
    Last login: Sat Feb 14 12:29:45 2004 from dsl-38.226.240.
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
            The Regents of the University of California.  All rights reserved.

    FreeBSD 5.2-RELEASE-p2 (SONIC) #1: Sun Feb  8 01:18:08 EST 2004

(I'm 100% sure I typed the password correctly each time.)

As you can see, I'm denied access each time until the 'ray@sonic...' prompt is presented, then I'm allowed in.

I personally think this is a security hole, but I'm happy to admit it could be a configuration issue at my end. Please let me know if it's a problem at my end.

Thanks for your time.

-Tig
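As an added illustration (not code from the post or from FreeBSD's pam_login_access), here is a minimal evaluator of the login.access(5) rule format showing what the rule above is expected to do: deny 'ray' from any origin that is not LOCAL, where LOCAL means an origin without a dot such as a tty or an unqualified host name. The config, user names and host names below are constructed; first-match and EXCEPT semantics follow the login.access(5) manual.

```python
import re

# Constructed sample config: the single rule quoted in the post.
SAMPLE_LOGIN_ACCESS = """\
# permission : users : origins   (first matching line wins)
-:ray:ALL EXCEPT LOCAL
"""

def _origin_matches(pattern, origin):
    """Origin patterns per login.access(5): ALL; LOCAL (any origin without a
    '.', i.e. a tty or unqualified host); '.domain' suffix; 'net.' prefix;
    otherwise an exact tty/host/address name (case-insensitive)."""
    if pattern.upper() == "ALL":
        return True
    if pattern.upper() == "LOCAL":
        return "." not in origin
    if pattern.startswith("."):
        return origin.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return origin.startswith(pattern)
    return pattern.lower() == origin.lower()

def _user_matches(pattern, user, groups):
    """User patterns: ALL, @group, or an exact login name."""
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("@"):
        return pattern[1:] in groups
    return pattern == user

def _list_matches(field, candidate, match_fn):
    """'list1 EXCEPT list2' matches when candidate is in list1 but not in list2."""
    parts = re.split(r"\s+EXCEPT\s+", field.strip(), maxsplit=1, flags=re.I)
    in_list = lambda lst: any(match_fn(p, candidate)
                              for p in re.split(r"[\s,]+", lst) if p)
    if len(parts) == 2:
        return in_list(parts[0]) and not in_list(parts[1])
    return in_list(parts[0])

def login_access_allows(config, user, origin, groups=()):
    """Return True if login.access grants `user` a login from `origin`.
    Lines are permission:users:origins; the first match decides; no match
    means the login is allowed (the default in login.access(5))."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":", 2)]
        if not line or len(fields) != 3:
            continue  # blank, comment, or malformed line
        perm, users, origins = fields
        if (_list_matches(users, user, lambda p, u: _user_matches(p, u, groups))
                and _list_matches(origins, origin, _origin_matches)):
            return perm == "+"
    return True
```

Running the rule from the post through this evaluator shows the intended policy: 'ray' is allowed on a local tty but denied from any remote host name or address, which is why the three rejected "Password:" prompts match expectations and the final accepted one does not.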