Date: Sun, 23 Jul 2000 09:35:41 -0400 (EDT)
From: Paul Boehmer
To: Dmitry Pryanishnikov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?

You need to compile ssh2 with tcpwrapper support in order to use the
host.allow file; it is clearly stated in the documentation.

On a side note, I do miss the ssh1 options AllowUser and AllowGroup that
did not make it to the ssh2 implementation; that's pretty much why I have
stuck to ssh1 and openssh on most of my boxes.

Paul Boehmer
pboehmer@seidata.com

On Sun, 23 Jul 2000, Dmitry Pryanishnikov wrote:

> Hello!
>
> I've just discovered that ssh2 on FreeBSD bypasses host.allow check in
> /etc/login.conf while ssh1 does not! That is, I've added a user with a class
> guest and added a login class guest into /etc/login.conf:
>
> guest:\
>         :host.allow=192.168.18.*:\
>         :tc=default:
>
> So I want to deny such user's login from any machine except one of our local
> networks. I've checked telnet,ftp,rlogin,rsh,ssh1 - all those utilities
> honoured login restriction. While ssh2 does not.
> Is it known problem? Does the solution exist?
>
> Sincerely, Dmitry
>
> Dnipropetrovsk State University,    E-mail: dmitry@digital.dp.ua
> Physical Faculty,                   WWW:    http://ff.dsu.dp.ua
> Department of Experimental Physics
> Dnipropetrovsk, Ukraine             FTP:    ftp://digital.dp.ua/DEC
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
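
A small model of the login-class host check discussed in this thread, added here as an example and not code from either poster or from FreeBSD: it parses a login.conf-style entry, follows tc=, and tests a client address against host.allow / host.deny, so the intended policy can be compared with what each login service actually admits. The matching rules (comma-separated shell-style patterns, allow list consulted before deny list), the contents of the default class, and all function names are assumptions of the example.

```python
import fnmatch

# Constructed sample: the guest class quoted in the thread plus an assumed default.
SAMPLE = r"""
default:\
    :umask=022:

guest:\
    :host.allow=192.168.18.*:\
    :tc=default:
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from login.conf-style text."""
    joined = text.replace("\\\n", "")           # fold backslash continuations
    classes = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        caps = {}
        for field in filter(None, fields[1:]):
            key, _, value = field.partition("=")
            caps.setdefault(key, value)         # first definition wins
        for name in fields[0].split("|"):       # a class may have aliases
            classes[name] = caps
    return classes

def lookup(classes, cls, cap, seen=()):
    """Resolve a capability, following tc= to the parent class."""
    caps = classes.get(cls, {})
    if cap in caps:
        return caps[cap]
    parent = caps.get("tc")
    if parent and parent not in seen:           # guard against tc= loops
        return lookup(classes, parent, cap, seen + (cls,))
    return None

def host_ok(classes, cls, host):
    """True if host passes the class's host.allow / host.deny lists."""
    def matches(cap):
        patterns = lookup(classes, cls, cap)
        if patterns is None:
            return None                         # capability not set
        return any(fnmatch.fnmatchcase(host, p.strip())
                   for p in patterns.split(","))
    if matches("host.allow") is False:          # allow list set, no match
        return False
    return not matches("host.deny")             # a deny match rejects

CLASSES = parse_login_conf(SAMPLE)
```

The restriction only takes effect in a service that performs this check at login; a daemon that never consults the login class will accept the user from any address, whatever the file says.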