Bug 25263

Summary: openssh and /etc/login.access does not work with IP addr
Product: Base System Reporter: Arjan.deVet <Arjan.deVet>
Component: bin
Assignee: Dag-Erling Smørgrav <des>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.2-STABLE
Hardware: Any
OS: Any
Attachments:
file.diff (Flags: none)

Description Arjan.deVet 2001-02-21 21:30:01 UTC
OpenSSH does not always work correctly with the /etc/login.access file
when IP addresses and networks are used in that file. Host/domain names
work OK.

See also conf/5062.

Fix: Check the IP address too with login_access(3):
How-To-Repeat: 
Add something like this to /etc/login.access

	+:wheel:192.168.1.

and try to login from a 192.168.1.* host with a usercode present in the
wheel group.
Comment 1 Kris Kennaway freebsd_committer freebsd_triage 2001-02-24 07:46:52 UTC
Responsible Changed
From-To: freebsd-bugs->green

green is the openssh maintainer
Comment 2 Brian Feldman freebsd_committer freebsd_triage 2001-03-10 14:09:07 UTC
State Changed
From-To: open->feedback

This is a huge policy change and really would need to be discussed 
on (possibly) -security a lot before it could be made.  The problem 
is that, as you know, login.access acts much like a firewall list. 
That also means that if the host is passed down the list it can take 
a totally different route (really, stop at a completely different 
time) than if you pass the IP address.  This would need to be solved 
generally.
Comment 3 Arjan.deVet 2001-03-11 16:49:08 UTC
green@FreeBSD.org wrote:

>This is a huge policy change and really would need to be discussed
>on (possibly) -security a lot before it could be made.  The problem
>is that, as you know, login.access acts much like a firewall list.
>That also means that if the host is passed down the list it can take
>a totally different route (really, stop at a completely different
>time) than if you pass the IP address.  This would need to be solved
>generally.

Yep, I agree and my patch is indeed wrong. What we need I think is a

	login_access(user, from_tty, from_domain, from_ip)

to implement the things the login_access(5) manual page promises. The
current 'from' argument can only contain either the FQDN or the
IP-address of the remote system, and that's not enough.

Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands              <Arjan.deVet@adv.iae.nl>
URL: http://www.iae.nl/users/devet/           for PGP key: finger devet@iae.nl
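The following is an added illustration, not code from the bug report or from FreeBSD's libutil. It models the difference between the existing login_access(3) shape, which receives a single origin string that is either the FQDN or the IP address, and the login_access(user, from_tty, from_domain, from_ip) shape proposed above. The login.access table, the group table and the host/address values are constructed for the example; the matcher follows the origin rules described in login.access(5) (ALL, LOCAL, leading-dot suffix, trailing-dot prefix, exact match) but accepts only one item per user and origin field, and a line matches when any of the supplied origins matches, so a table where the name and the address would hit different lines (the concern raised in comment 2) is decided by the first such line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample login.access contents (not from the bug report). */
static const char *sample_access =
    "+:wheel:192.168.1.\n"
    "+:wheel:.corp.example\n"
    "-:ALL:ALL\n";

/* Constructed group table standing in for getgrnam(3): only alice is in wheel. */
static int in_group(const char *user, const char *group)
{
    return strcmp(group, "wheel") == 0 && strcmp(user, "alice") == 0;
}

/* Case-insensitive equality. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Case-insensitive "from starts with pat". */
static int iprefix(const char *pat, const char *from)
{
    for (; *pat; pat++, from++)
        if (*from == '\0' ||
            tolower((unsigned char)*pat) != tolower((unsigned char)*from))
            return 0;
    return 1;
}

/* One origin pattern against one origin string, per login.access(5):
   ALL matches anything, LOCAL matches names without a dot, a leading dot
   is a domain suffix, a trailing dot is a host/network prefix, anything
   else is an exact match. */
static int origin_match(const char *pat, const char *from)
{
    size_t pl = strlen(pat), fl = strlen(from);
    if (ieq(pat, "ALL"))
        return 1;
    if (ieq(pat, "LOCAL"))
        return strchr(from, '.') == NULL;
    if (pl > 0 && pat[0] == '.')
        return fl >= pl && ieq(pat, from + fl - pl);
    if (pl > 0 && pat[pl - 1] == '.')
        return iprefix(pat, from);
    return ieq(pat, from);
}

/* User field: ALL, a login name, or a group the user belongs to. */
static int user_match(const char *item, const char *user)
{
    return ieq(item, "ALL") || strcmp(item, user) == 0 || in_group(user, item);
}

/* Walk the table; every supplied origin is checked against each line, so the
   caller can pass one string (existing API) or both FQDN and IP (proposal).
   The first line whose user field and any origin match decides. */
static int access_check(const char *user, const char **from, int n_from)
{
    char line[256];
    const char *p = sample_access;
    while (*p) {
        size_t n = strcspn(p, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n); line[n] = '\0';
        p += n; if (*p == '\n') p++;
        if (line[0] == '#' || line[0] == '\0') continue;
        char *users = strchr(line, ':');
        if (!users) continue;
        *users++ = '\0';
        char *origins = strchr(users, ':');
        if (!origins) continue;
        *origins++ = '\0';
        if (!user_match(users, user)) continue;
        for (int i = 0; i < n_from; i++)
            if (origin_match(origins, from[i]))
                return line[0] == '+';
    }
    return 1; /* no matching line: login.access permits by default */
}

/* The existing login_access(3) shape: one origin, FQDN *or* IP. */
int login_access_one(const char *user, const char *from)
{
    return access_check(user, &from, 1);
}

/* The shape proposed in comment 3: both the domain and the address. */
int login_access_both(const char *user, const char *from_domain, const char *from_ip)
{
    const char *from[2] = { from_domain, from_ip };
    return access_check(user, from, 2);
}

int main(void)
{
    /* Name-only check cannot see that ws1.lab.example sits in 192.168.1.*,
       so the +:wheel:192.168.1. line never matches and -:ALL:ALL denies. */
    printf("alice, name only:     %d\n", login_access_one("alice", "ws1.lab.example"));
    printf("alice, name and IP:   %d\n", login_access_both("alice", "ws1.lab.example", "192.168.1.20"));
    printf("bob, IP only:         %d\n", login_access_one("bob", "192.168.1.20"));
    return 0;
}
```

Run as is to see the hostname-only lookup deny a login that the same table permits once the address is also checked, which is the mismatch the report describes.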
Comment 4 Brian Feldman freebsd_committer freebsd_triage 2003-07-13 05:15:13 UTC
Responsible Changed
From-To: green->des

ssh over to DES
Comment 5 Dag-Erling Smørgrav 2003-07-14 11:40:16 UTC
Does this still occur with more recent versions of FreeBSD / OpenSSH?

DES
-- 
Dag-Erling Smørgrav - des@des.no
Comment 6 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2003-08-19 11:51:54 UTC
State Changed
From-To: feedback->closed

Feedback timeout.