From owner-freebsd-security  Sun Jul 23  5:49: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ff.dsu.dp.ua (ff.dsu.dp.ua [194.44.184.254])
	by hub.freebsd.org (Postfix) with ESMTP id 1B68937BAB6
	for <freebsd-security@FreeBSD.ORG>; Sun, 23 Jul 2000 05:48:54 -0700 (PDT)
	(envelope-from dmitry@digital.dp.ua)
Received: from localhost (dmitry@localhost)
	by ff.dsu.dp.ua (8.9.3/8.9.3) with ESMTP id PAA11598
	for <freebsd-security@FreeBSD.ORG>; Sun, 23 Jul 2000 15:49:00 +0300 (EEST)
	(envelope-from dmitry@digital.dp.ua)
Date: Sun, 23 Jul 2000 15:48:58 +0300 (EEST)
From: Dmitry Pryanishnikov <dmitry@digital.dp.ua>
X-Sender: dmitry@ff.dsu.dp.ua
To: freebsd-security@FreeBSD.ORG
Subject: ssh2 bypasses host.allow in /etc/login.conf?
Message-ID: <Pine.BSF.4.21.0007231516570.10780-100000@ff.dsu.dp.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


Hello!

 I've just discovered that ssh2 on FreeBSD bypasses host.allow check in
/etc/login.conf while ssh1 does not! That is, I've added a user with a class
guest and added a login class guest into /etc/login.conf:

guest:\
        :host.allow=192.168.18.*:\
        :tc=default:

So I want to deny such user's login from any machine except one of our local
networks. I've checked telnet,ftp,rlogin,rsh,ssh1 - all those utilities
honoured login restriction. While ssh2 does not.
 Is it known problem? Does the solution exist?


Sincerely, Dmitry

Dnipropetrovsk State University,        E-mail:  dmitry@digital.dp.ua
Physical Faculty,                       WWW:      http://ff.dsu.dp.ua
Department of Experimental Physics      
Dnipropetrovsk, Ukraine                 FTP:  ftp://digital.dp.ua/DEC



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message