Date:      Sat, 7 Dec 2002 14:58:23 +0300
From:      Gleb Smirnoff <glebius@cell.sick.ru>
To:        freebsd-hackers@FreeBSD.ORG
Subject:   host addresses in login.access
Message-ID:  <20021207115823.GB49000@cell.sick.ru>

Hi.

Using login.access(5) for restricting users to
login from specific hosts, I've come across this 'bug'.

If I specify a host address in login.access and it is
resolvable, it never matches, e.g.:

+:glebius:ALL:10.0.0.50

And sshd(8) will not let user glebius in from host 10.0.0.50.

I'm using the system sshd with the option "UseLogin yes",
to make login.access work. sshd(8) spawns login(1) with the
-h parameter. As seen in session.c, it passes the hostname
to login(1) if the hostname is available:

        /* we have to stash the hostname before we close our socket. */
        if (options.use_login)
                hostname = get_remote_name_or_ip(utmp_len,
                    options.verify_reverse_mapping);

login(1) itself never resolves the hostname back to an IP address. It
tries to match this way in login_access.c:

    if (tok[0] == '@') {                        /* netgroup */
        return (netgroup_match(tok + 1, string, (char *) 0));
    } else if (string_match(tok, string)) {     /* ALL or exact match */
        return (YES);
    } else if (tok[0] == '.') {                 /* domain: match last fields */
        if ((str_len = strlen(string)) > (tok_len = strlen(tok))
            && strcasecmp(tok, string + str_len - tok_len) == 0)
            return (YES);
    } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
        if (strchr(string, '.') == 0)
            return (YES);
    } else if (tok[(tok_len = strlen(tok)) - 1] == '.'  /* network */
               && strncmp(tok, string, tok_len) == 0) {
        return (YES);
    }
    return (NO);

I suppose login should resolve it back to an IP address and try it against
the token, too.

Is this a bug? Should I open a PR?

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
