The file login.access(5) can be used to restrict access
for users coming from certain remote hosts, or on certain
local terminals. For example, we have some users who are
allowed to log in from virtual terminals only. However,
it is tedious and error-prone to list all of the terminal
devices in the file. The entry has to look like this:
    +:foo bar:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7
    +:foo bar:ttyv8 ttyv9 ttyva ttyvb ttyvc ttyvd ttyve ttyvf
The patch presented in this PR allows the use of patterns like
those used by the Bourne shell (using wildcards "*", "?"
and "["). The above entry is now much easier:
Similarly, "ttyd?" can be used to restrict all of the
serial dial-in lines.
The patch is quite simple. Basically I just replaced the
strcasecmp(3) function with fnmatch(3). Normally, the
special wildcard characters ("*", "?", "[") don't appear
in terminal device names, and they're also forbidden in
host names, so there shouldn't be any regression cases.
The login.access(5) file is used at three different places
in the FreeBSD source tree: in src/usr.bin/login, in
src/lib/libpam/modules/pam_login_access, and in
src/crypto/heimdal/appl/login. The latter is third-party software,
so I'm not sure if it's appropriate to patch it in the
FreeBSD source tree. However, for consistency, I patched
it in the same way and include the patch below for your
The patch set also includes updates to the manual pages
which describe the feature, and also a clarification that
all matches are performed in a case-insensitive way.
(The latter is even true without my patch, but that
behaviour was undocumented.)
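The strcasecmp(3) to fnmatch(3) change described in this report, shown side by side as an added example (this is not the PR's patch or FreeBSD source code). The function names, the whitespace-only tokenizer and the use of FNM_CASEFOLD to keep matching case-insensitive are assumptions.

```c
/* Added example, not the PR's patch: matches one login.access list field
 * against a terminal name, the old way (strcasecmp) and with fnmatch. */
#define _GNU_SOURCE            /* glibc needs this for FNM_CASEFOLD */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Exact, case-insensitive comparison: behaviour before the change. */
static int tok_match_exact(const char *tok, const char *name)
{
    return strcasecmp(tok, name) == 0;
}

/* Shell-pattern comparison; FNM_CASEFOLD (assumed flag) keeps it
 * case-insensitive like the old code. */
static int tok_match_glob(const char *tok, const char *name)
{
    return fnmatch(tok, name, FNM_CASEFOLD) == 0;
}

/* Return 1 if any whitespace-separated token in `list` matches `name`. */
int list_match(const char *list, const char *name,
               int (*match)(const char *, const char *))
{
    char buf[256];
    char *tok, *save;

    if (strlen(list) >= sizeof(buf))
        return 0;                      /* oversized field: no match */
    strcpy(buf, list);
    for (tok = strtok_r(buf, " \t", &save); tok != NULL;
         tok = strtok_r(NULL, " \t", &save))
        if (match(tok, name))
            return 1;
    return 0;
}

int exact(const char *l, const char *n) { return list_match(l, n, tok_match_exact); }
int glob(const char *l, const char *n)  { return list_match(l, n, tok_match_glob); }

int main(void)
{
    const char *names[] = { "ttyv0", "ttyvf", "TTYV3", "ttyd0", "ttyp1" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-6s exact=%d glob=%d\n", names[i],
               exact("ttyv0 ttyv1", names[i]), glob("ttyv? ttyd?", names[i]));
    return 0;
}
```

A token that contains "[" literally is the one case where the two matchers disagree: "tty[0]" as a pattern matches the name "tty0", not the name "tty[0]".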
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped