From owner-freebsd-security Sun Jul 23 15:26:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 14D8737BBBC for ; Sun, 23 Jul 2000 15:26:55 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 8F2049EE01; Sun, 23 Jul 2000 15:26:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 8AEFE9B001; Sun, 23 Jul 2000 15:26:37 -0700 (PDT)
Date: Sun, 23 Jul 2000 15:26:37 -0700 (PDT)
From: Mike Hoskins
To: Dmitry Pryanishnikov
Cc: Paul Boehmer, freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 23 Jul 2000, Dmitry Pryanishnikov wrote:

> Maybe I've missed something, but I mean NOT a file host.allow, but the
> BSD-native login class restrictions written in /etc/login.conf, which
> are checked with auth_hostok() (or login_getclass()/login_getcapstr() as
> in sshd.c from ssh1). Of course, make WITH_TCPWRAP=yes doesn't help!

So... are these methods also in ssh2's .c file? Just curious... As Paul
mentioned, not all version 1 features were carried over to version 2.
Maybe this is just a case of getting bitten by this fact.

Have you tried OpenSSH? A much better solution, IMCO. I can do some tests
with OpenSSH if you want (rushing out the door ATM).

I usually always use /etc/hosts.allow to control access anyhow, because a
CGI (allowing me to add hosts to hosts.allow from an SSL webpage) I wrote
points to it and I'm too lazy to change it. ;)

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
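The thread turns on a check that an sshd either performs or skips: looking up the user's login class in /etc/login.conf and testing the peer against that class's host.allow and host.deny lists, the way ssh1's sshd.c did via login_getclass()/auth_hostok(). The following Python is an added example, not code from the thread, from ssh1/ssh2 or from FreeBSD's libutil; it emulates that check so the difference can be seen on a constructed login.conf fragment. It assumes the capability-database syntax of login.conf(5) (colon-separated fields, backslash continuation, tc= inheritance), comma-separated host lists matched with fnmatch-style wildcards against either the hostname or the IP, and deny-before-allow ordering; the class names, hostnames and the sshd_admits() gate are illustrative.

```python
"""Emulate the /etc/login.conf host.allow / host.deny check (auth_hostok-style).

Added example, not from the mailing-list thread, sshd or FreeBSD's libutil.
Assumptions: login.conf(5)-style capability records, comma-separated wildcard
lists matched with fnmatch against hostname or IP, deny checked before allow.
"""
import fnmatch

# Constructed sample /etc/login.conf fragment (not a real system's file).
SAMPLE_LOGIN_CONF = """\
# class used when a user has no explicit class
default:\\
\t:welcome=/etc/motd:\\
\t:passwd_format=md5:

staff:\\
\t:host.allow=*.example.net,10.0.0.*:\\
\t:host.deny=evil.example.net:\\
\t:tc=default:
"""


def parse_login_conf(text):
    """Return {class_name: {cap: value}} with tc= inheritance resolved."""
    raw, records, buf = {}, [], ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.rstrip().endswith("\\"):          # continuation line
            buf += line.rstrip()[:-1].strip()
            continue
        records.append(buf + line.strip())
        buf = ""
    for rec in records:
        fields = [f for f in rec.split(":") if f]
        caps = {}
        for field in fields[1:]:
            key, sep, val = field.partition("=")
            caps[key] = val if sep else True        # flag caps carry no value
        for name in fields[0].split("|"):          # "name|alias" forms
            raw[name] = caps

    def resolve(name, seen=()):
        if name in seen:
            raise ValueError("tc= loop at " + name)
        caps = dict(raw[name])
        parent = caps.pop("tc", None)
        if parent:
            merged = resolve(parent, seen + (name,))
            merged.update(caps)                    # child entries win
            return merged
        return caps

    return {name: resolve(name) for name in raw}


def _hostlist(caps, key):
    val = caps.get(key, "")
    return [p.strip().lower() for p in val.split(",") if p.strip()] if isinstance(val, str) else []


def _matches(patterns, host, ip):
    host, ip = (host or "").lower(), (ip or "")
    return any(fnmatch.fnmatchcase(host, p) or fnmatch.fnmatchcase(ip, p) for p in patterns)


def host_ok(caps, host, ip):
    """True if a login from host/ip is permitted for this login class."""
    if _matches(_hostlist(caps, "host.deny"), host, ip):
        return False                               # explicit deny wins
    allow = _hostlist(caps, "host.allow")
    if allow and not _matches(allow, host, ip):
        return False                               # allow list present, no match
    return True


def sshd_admits(classes, user_class, host, ip, honours_login_class):
    """Model the gap discussed in the thread: an sshd that consults the login
    class rejects peers outside host.allow; one that skips the step admits them
    regardless of what /etc/login.conf says."""
    if not honours_login_class:
        return True
    caps = classes.get(user_class, classes["default"])
    return host_ok(caps, host, ip)


CLASSES = parse_login_conf(SAMPLE_LOGIN_CONF)

if __name__ == "__main__":
    for peer in [("dev.example.net", "10.0.0.5"), ("box.example.org", "192.0.2.7")]:
        for honours in (True, False):
            print(peer, "login-class check" if honours else "no check",
                  "admit" if sshd_admits(CLASSES, "staff", *peer, honours) else "reject")
```

The emulation is only as good as the hostname the daemon passes in: a reverse-DNS name is attacker-influenced, so a real check should match the IP as well, which is why both are tested against every pattern here.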