Date: Wed, 30 May 2001 01:45:56 -0700 (PDT)
From: Tony Fleisher <takhus@takhus.mind.net>
To: Arjan.deVet@adv.iae.nl
Cc: green@freebsd.org, freebsd-security@freebsd.org
Subject: Re: bin/25263 and conf/5062 : /etc/login.access does not work with IP addr
Message-ID: <Pine.BSF.4.21.0105300124431.10303-100000@takhus.dyn.mind.net>
Arjan.deVet@adv.iae.nl wrote:
>
> green@FreeBSD.org wrote:
>
> >This is a huge policy change and really would need to be discussed
> >on (possibly) -security a lot before it could be made. The problem
> >is that, as you know, login.access acts much like a firewall list.
> >That also means that if the host is passed down the list it can take
> >a totally different route (really, stop at a completely different
> >time) than if you pass the IP address. This would need to be solved
> >generally.
>
> Yep, I agree and my patch is indeed wrong. What we need I think is a
>
> login_access(user, from_tty, from_domain, from_ip)
>
> to implement the things the login_access(5) manual page promises. The
> current 'from' argument can only contain either the FQDN or the
> IP-address of the remote system, and that's not enough.
>
> Arjan

I came across PR 25263 as I was looking into PR 5062, which is closely related (the real issue here is that login.access(5) was not really implemented to meet the definition in the manpage), as this is more an issue of login.access than an openssh issue.

I agree that login_access() needs to be passed both an IP address and a hostname (the alternative is to rewrite the definition of what this functionality is supposed to provide; it does not appear that it has ever actually provided the functionality described in the manpage) in order to perform the checks that it claims to perform.

The fix for telnetd(8) to implement login.access according to the manpage is more difficult in that it spawns login(1), which only takes one parameter (via the -h switch) for "hostname" to check against. (It passes a hostname unless it cannot find one, in which case it passes the IP address. Whichever gets passed to login is what is used to match against entries in /etc/login.access.)

It seems that the lack of conformity to the manpage description should be documented in a BUGS section of login.access(5).

Regards,
Tony.
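The behaviour the thread describes, as an added model that is not FreeBSD's login_access.c: a single 'from' string is matched against login.access(5) origin tokens, so the same connection is permitted or denied depending on whether login(1) received the FQDN or the IP address, while the proposed two-argument form checks both. The rule table, hostnames and addresses below are constructed.

```python
# Added example: a model of login.access(5) origin matching (not the FreeBSD code).
# Constructed rule table in login.access(5) "permission:users:origins" form.
RULES = [
    ("-", "ALL", "10.0.0."),             # network-number form: deny the 10.0.0.0/24 net
    ("-", "ALL", ".untrusted.example"),  # domain form: deny every host under that domain
    ("+", "ALL", "ALL"),                 # otherwise permit
]

def from_match(tok, origin):
    """Match one origin token against a single 'from' string, as the
    one-string interface discussed in the thread does."""
    tok, origin = tok.lower(), origin.lower()
    if tok == "all":
        return True
    if tok == "local":
        return "." not in origin           # LOCAL: unqualified (dot-less) names
    if tok == origin:
        return True
    if tok.startswith(".") and origin.endswith(tok):    # domain suffix, needs a hostname
        return True
    if tok.endswith(".") and origin.startswith(tok):    # network prefix, needs an address
        return True
    return False

def _users_match(users, user):
    return any(u == "ALL" or u == user for u in users.split())

def login_access(user, from_str, rules=RULES):
    """Current behaviour: login(1) passes ONE string (hostname if reverse DNS
    works, else the IP); the first rule matching user and origin decides."""
    for perm, users, origins in rules:
        if _users_match(users, user) and any(from_match(t, from_str) for t in origins.split()):
            return perm == "+"
    return True   # no rule matched: login.access(5) permits by default

def login_access_both(user, host, ip, rules=RULES):
    """Proposed login_access(user, from_tty, from_domain, from_ip) with the tty
    argument omitted: a token matches if it matches the hostname OR the address,
    so the route through the list no longer depends on which string was passed."""
    for perm, users, origins in rules:
        if _users_match(users, user) and any(
                from_match(t, host) or from_match(t, ip) for t in origins.split()):
            return perm == "+"
    return True

if __name__ == "__main__":
    # box.untrusted.example (192.0.2.7): denied by name, permitted if only its IP is seen.
    print(login_access("tony", "box.untrusted.example"), login_access("tony", "192.0.2.7"))
    # gw.trusted.example (10.0.0.9): permitted by name, denied by address.
    print(login_access("tony", "gw.trusted.example"), login_access("tony", "10.0.0.9"))
    # With both strings available the deny rules hold either way.
    print(login_access_both("tony", "box.untrusted.example", "192.0.2.7"),
          login_access_both("tony", "gw.trusted.example", "10.0.0.9"))
```

A host under a denied domain with no reverse DNS entry is the case to watch: login(1) then passes only the IP, and the domain rule never gets a chance to match.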