From owner-freebsd-security Tue Jul 25 3:41:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ff.dsu.dp.ua (ff.dsu.dp.ua [194.44.184.254])
	by hub.freebsd.org (Postfix) with ESMTP id 9AA9137B6CC
	for ; Tue, 25 Jul 2000 03:41:20 -0700 (PDT)
	(envelope-from dmitry@digital.dp.ua)
Received: from localhost (dmitry@localhost)
	by ff.dsu.dp.ua (8.9.3/8.9.3) with ESMTP id NAA59247;
	Tue, 25 Jul 2000 13:41:15 +0300 (EEST)
	(envelope-from dmitry@digital.dp.ua)
Date: Tue, 25 Jul 2000 13:41:13 +0300 (EEST)
From: Dmitry Pryanishnikov
X-Sender: dmitry@ff.dsu.dp.ua
To: Victor Ivanov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?
In-Reply-To: <004601bff546$9cfe71a0$03c507d4@icon1.icon-bg.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

On Mon, 24 Jul 2000, Victor Ivanov wrote:

> login.conf is for login. It is no good if a program depends on another
> program's config file which is subject to change... (I think)

From man login.conf:

     login.conf contains various attributes and capabilities of login classes.
     A login class (an optional annotation against each record in the user ac-
     count database, /etc/master.passwd) determines session accounting, re-
     source limits and user environment settings. It is used by various pro-
                                                             ^^^^^^^^^^^^^^
     grams in the system to set up a user's login environment and to enforce
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     policy, accounting and administrative restrictions. It also provides the
     ^^^^^^

So this file is not only for login, but for any program which gives a user
access to the system, e.g., ftpd. BTW, ssh2 uses part of the login.conf entry
to establish resource limits, why not use the rest of the specification?

> maybe ssh2 does not use login? like openssh? or it is enabled with some
> option?
> is there 'UseLogin' option in the ssh2 config file (or something like?)

Haven't seen such an option in either sshd2_config or sshd2's manpage.
BTW, there are other ways to check login.conf restrictions besides direct
login execution (e.g., auth_hostok()).

Sincerely, Dmitry

Dnipropetrovsk State University,     E-mail: dmitry@digital.dp.ua
Physical Faculty,                    WWW:    http://ff.dsu.dp.ua
Department of Experimental Physics
Dnipropetrovsk, Ukraine              FTP:    ftp://digital.dp.ua/DEC
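
Added example, not part of the message above and not FreeBSD or ssh2 code: a portable C model of the kind of host.allow/host.deny check a daemon can make itself, without executing login. The allow-then-deny order, the case-insensitive glob matching, and the names host_permitted, sample_allow and sample_deny are assumptions of this sketch; on FreeBSD the real call is auth_hostok() from <login_cap.h>.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>

/* Lower-case copy: case-insensitive matching without non-POSIX FNM_CASEFOLD. */
static void lower(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    for (; src != NULL && src[i] != '\0' && i + 1 < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* 1 if the host name or the IP matches any glob in the NULL-terminated list. */
static int in_list(const char *const *list, const char *host, const char *ip)
{
    char h[256], a[64], p[256];   /* DNS names are at most 253 bytes */
    lower(h, sizeof h, host);
    lower(a, sizeof a, ip);
    for (; *list != NULL; list++) {
        lower(p, sizeof p, *list);
        if ((h[0] && fnmatch(p, h, 0) == 0) || (a[0] && fnmatch(p, a, 0) == 0))
            return 1;
    }
    return 0;
}

/* Hypothetical helper (assumed semantics). allow/deny are NULL when the
 * login class does not set that capability. Returns 1 if access is permitted. */
int host_permitted(const char *const *allow, const char *const *deny,
                   const char *host, const char *ip)
{
    if ((host == NULL || *host == '\0') && (ip == NULL || *ip == '\0'))
        return 1;                 /* no remote origin given: not restricted */
    if (allow != NULL && !in_list(allow, host, ip))
        return 0;                 /* allow list exists and nothing matched */
    if (deny != NULL && in_list(deny, host, ip))
        return 0;                 /* explicitly denied */
    return 1;
}

/* Constructed sample lists, standing in for one class's host.allow/host.deny. */
const char *const sample_allow[] = { "*.example.org", "192.0.2.*", NULL };
const char *const sample_deny[]  = { "lab7.example.org", NULL };

int main(void)
{
    printf("%d\n", host_permitted(sample_allow, sample_deny, "lab7.example.org", "192.0.2.7"));
    return 0;
}
```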