From Arjan.deVet@adv.iae.nl  Wed Feb 21 13:22:15 2001
Return-Path: <Arjan.deVet@adv.iae.nl>
Received: from news.IAEhv.nl (news.IAE.nl [194.151.64.4])
	by hub.freebsd.org (Postfix) with ESMTP id 88A3C37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Feb 2001 13:22:14 -0800 (PST)
	(envelope-from Arjan.deVet@adv.iae.nl)
Received: (from uucp@localhost)
	by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id WAA12474
	for FreeBSD-gnats-submit@freebsd.org; Wed, 21 Feb 2001 22:22:12 +0100 (MET)
Received: by adv.devet.org (Postfix, from userid 100)
	id 935143E15; Wed, 21 Feb 2001 22:21:48 +0100 (CET)
Message-Id: <20010221212148.935143E15@adv.devet.org>
Date: Wed, 21 Feb 2001 22:21:48 +0100 (CET)
From: Arjan de Vet <Arjan.deVet@adv.iae.nl>
Reply-To: Arjan de Vet <Arjan.deVet@adv.iae.nl>
To: FreeBSD-gnats-submit@freebsd.org
Subject: OpenSSH and /etc/login.access do not work with IP addresses
X-Send-Pr-Version: 3.2

>Number:         25263
>Category:       bin
>Synopsis:       openssh and /etc/login.access does not work with IP addr
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 21 13:30:01 PST 2001
>Closed-Date:    Tue Aug 19 03:51:55 PDT 2003
>Last-Modified:  Tue Aug 19 03:51:55 PDT 2003
>Originator:     Arjan de Vet
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
>Environment:

FreeBSD adv.devet.org 4.2-STABLE FreeBSD 4.2-STABLE #2: Sun Feb 18 21:54:27 CET 2001 root@adv.devet.org:/home/obj/usr/src/sys/ADV i386

>Description:

OpenSSH does not always work correctly with the /etc/login.access file
when IP addresses and networks are used in that file. Host/domain names
work OK.

See also conf/5062.

>How-To-Repeat:

Add something like this to /etc/login.access

	+:wheel:192.168.1.

and try to login from a 192.168.1.* host with a usercode present in the
wheel group.

>Fix:

Check the IP address too with login_access(3):

Index: auth1.c
===================================================================
RCS file: /home/freebsd/CVS/src/crypto/openssh/auth1.c,v
retrieving revision 1.3.2.4
diff -u -r1.3.2.4 auth1.c
--- auth1.c	2001/01/12 04:25:55	1.3.2.4
+++ auth1.c	2001/02/21 20:59:04
@@ -458,7 +458,8 @@
 		}
 #endif  /* HAVE_LOGIN_CAP */
 #ifdef LOGIN_ACCESS
-		if (pw != NULL && !login_access(pw->pw_name, from_host)) {
+		if (pw != NULL && !login_access(pw->pw_name, from_host)
+		    && !login_access(pw->pw_name, from_ip)) {
 		  log("Denied connection for %.200s from %.200s [%.200s].",
 		      pw->pw_name, from_host, from_ip);
 		  packet_disconnect("Sorry, you are not allowed to connect.");
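Review bot: the combined condition in this hunk fails open: with the new `&&` the connection is refused only when the hostname lookup and the address lookup both return deny, and login_access() permits when no entry matches at all, so any `-` entry written as a hostname or domain suffix is bypassed whenever the peer's address matches no entry or reaches a later `+` network entry. If the goal is to keep existing deny entries effective, deny when either lookup denies, i.e. `!login_access(pw->pw_name, from_host) || !login_access(pw->pw_name, from_ip)`; even that walks the table twice, and the first-match semantics of login.access(5) really need a single pass in which each entry is tested against both from_host and from_ip.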
Index: auth2.c
===================================================================
RCS file: /home/freebsd/CVS/src/crypto/openssh/auth2.c,v
retrieving revision 1.2.2.4
diff -u -r1.2.2.4 auth2.c
--- auth2.c	2001/01/12 04:25:55	1.2.2.4
+++ auth2.c	2001/02/21 20:59:35
@@ -248,7 +248,8 @@
 #endif  /* HAVE_LOGIN_CAP */
 #ifdef LOGIN_ACCESS
 	if (authctxt->pw != NULL &&
-	    !login_access(authctxt->pw->pw_name, from_host)) {
+	    !login_access(authctxt->pw->pw_name, from_host) &&
+	    !login_access(authctxt->pw->pw_name, from_ip)) {
 		log("Denied connection for %.200s from %.200s [%.200s].",
 		    authctxt->pw->pw_name, from_host, from_ip);
 		packet_disconnect("Sorry, you are not allowed to connect.");
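Review bot: the same fail-open `&&` as in auth1.c applies here: a `-` entry that matches authctxt->pw->pw_name by hostname is ignored whenever the second walk over from_ip ends in permit. The check is also now duplicated byte for byte between auth1.c and auth2.c; move it into one static helper taking the user name, from_host and from_ip (in auth.c, say) and call it from both places so the protocol 1 and protocol 2 paths cannot drift apart when the policy is changed again.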

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: kris 
Responsible-Changed-When: Fri Feb 23 23:46:52 PST 2001 
Responsible-Changed-Why:  
green is the openssh maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25263 
State-Changed-From-To: open->feedback 
State-Changed-By: green 
State-Changed-When: Sat Mar 10 06:09:07 PST 2001 
State-Changed-Why:  
This is a huge policy change and really would need to be discussed 
on (possibly) -security a lot before it could be made.  The problem 
is that, as you know, login.access acts much like a firewall list. 
That also means that if the host is passed down the list it can take 
a totally different route (really, stop at a completely different 
time) than if you pass the IP address.  This would need to be solved 
generally. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=25263 

From: Arjan.deVet@adv.iae.nl (Arjan de Vet)
To: green@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/25263: openssh and /etc/login.access does not work with IP addr
Date: Sun, 11 Mar 2001 17:49:08 +0100

 green@FreeBSD.org wrote:
 
 >This is a huge policy change and really would need to be discussed
 >on (possibly) -security a lot before it could be made.  The problem
 >is that, as you know, login.access acts much like a firewall list.
 >That also means that if the host is passed down the list it can take
 >a totally different route (really, stop at a completely different
 >time) than if you pass the IP address.  This would need to be solved
 >generally.
 
 Yep, I agree and my patch is indeed wrong. What we need I think is a
 
 	login_access(user, from_tty, from_domain, from_ip)
 
 to implement the things the login_access(5) manual page promises. The
 current 'from' argument can only contain either the FQDN or the
 IP-address of the remote system, and that's not enough.
 
 Arjan
 
 -- 
 Arjan de Vet, Eindhoven, The Netherlands              <Arjan.deVet@adv.iae.nl>
 URL: http://www.iae.nl/users/devet/           for PGP key: finger devet@iae.nl
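The difference between the two-walk check in the PR's patch and the single-walk matching the login.access(5) manual page describes, as an added example in C. This is not FreeBSD's login_access.c, not the submitter's patch, and not the proposed four-argument API; it is a small stand-alone matcher over a constructed three-entry table (the PR's `+:wheel:192.168.1.` entry plus a hostname deny and a catch-all deny). `in_group()` is a hypothetical stand-in for the group lookup, and the host and address strings are made up. `access_one()` mimics login_access(3) with a single "from" string, `access_patched()` reproduces the patch's "deny only if both deny" logic, and `access_both()` tests every entry against both the hostname and the address in one pass, which is what the How-To-Repeat case needs and what the follow-up message asks for.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed login.access-style table (not the submitter's file). Order
 * matters: login_access(5) stops at the first entry whose user field and
 * "from" field both match. */
struct rule { char perm; const char *users; const char *froms; };

static const struct rule RULES[] = {
    { '-', "ALL",   "evil.example.com" },  /* hostname-only deny            */
    { '+', "wheel", "192.168.1." },        /* the PR's network-prefix allow */
    { '-', "ALL",   "ALL" },               /* catch-all deny                */
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Hypothetical stand-in for the group lookup: only "arjan" is in wheel. */
static int in_group(const char *user, const char *group)
{
    return strcmp(group, "wheel") == 0 && strcmp(user, "arjan") == 0;
}

static int user_match(const char *item, const char *user)
{
    if (strcasecmp(item, "ALL") == 0 || strcmp(item, user) == 0)
        return 1;
    return in_group(user, item);
}

/* "from" forms from login.access(5): ALL, LOCAL (name without a dot),
 * ".domain" suffix, "a.b.c." network prefix, or a literal host/address. */
static int from_match(const char *item, const char *from)
{
    size_t il = strlen(item), fl = strlen(from);

    if (strcasecmp(item, "ALL") == 0)
        return 1;
    if (strcasecmp(item, "LOCAL") == 0)
        return strchr(from, '.') == NULL;
    if (il > 1 && item[0] == '.')
        return fl > il && strcasecmp(from + (fl - il), item) == 0;
    if (il > 1 && item[il - 1] == '.')
        return strncmp(from, item, il) == 0;
    return strcasecmp(item, from) == 0;
}

/* Apply fn() to each comma-separated item of list; 1 on the first match. */
static int list_match(const char *list, const char *value,
                      int (*fn)(const char *, const char *))
{
    char item[128];

    while (*list != '\0') {
        size_t n = strcspn(list, ",");
        size_t keep = n < sizeof item ? n : sizeof item - 1;

        memcpy(item, list, keep);
        item[keep] = '\0';
        if (fn(item, value))
            return 1;
        list += n;
        if (*list == ',')
            list++;
    }
    return 0;
}

/* Like login_access(3): one "from" string, first matching entry decides,
 * and no matching entry means permit. */
int access_one(const char *user, const char *from)
{
    size_t i;

    for (i = 0; i < NRULES; i++)
        if (list_match(RULES[i].users, user, user_match) &&
            list_match(RULES[i].froms, from, from_match))
            return RULES[i].perm == '+';
    return 1;
}

/* What the PR's patch computes: two independent walks, deny only if both deny. */
int access_patched(const char *user, const char *host, const char *ip)
{
    return access_one(user, host) || access_one(user, ip);
}

/* One walk in which every entry sees both the peer's name and its address. */
int access_both(const char *user, const char *host, const char *ip)
{
    size_t i;

    for (i = 0; i < NRULES; i++)
        if (list_match(RULES[i].users, user, user_match) &&
            (list_match(RULES[i].froms, host, from_match) ||
             list_match(RULES[i].froms, ip, from_match)))
            return RULES[i].perm == '+';
    return 1;
}

int main(void)
{
    /* The PR's case: wheel member from 192.168.1.x, name matches no entry. */
    printf("host-only: %d\n", access_one("arjan", "pc5.lan.example"));                    /* 0 */
    printf("patched  : %d\n", access_patched("arjan", "pc5.lan.example", "192.168.1.5")); /* 1 */
    printf("both     : %d\n", access_both("arjan", "pc5.lan.example", "192.168.1.5"));    /* 1 */
    /* The bypass: a host the first entry denies by name, arriving from 192.168.1.x. */
    printf("patched  : %d\n", access_patched("arjan", "evil.example.com", "192.168.1.5")); /* 1 */
    printf("both     : %d\n", access_both("arjan", "evil.example.com", "192.168.1.5"));    /* 0 */
    return 0;
}
```

The last two lines of `main()` are the point of the discussion above: the patched check lets the `-:ALL:evil.example.com` entry be skipped because the second walk, over the address alone, never sees that entry and stops at the `+:wheel:192.168.1.` line, whereas a single walk over both forms stops at the first entry and denies.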
Responsible-Changed-From-To: green->des 
Responsible-Changed-By: green 
Responsible-Changed-When: Sat Jul 12 21:15:13 PDT 2003 
Responsible-Changed-Why:  
ssh over to DES 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25263 

From: des@des.no (Dag-Erling Smørgrav)
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/25263
Date: Mon, 14 Jul 2003 12:40:16 +0200

 Does this still occur with more recent versions of FreeBSD / OpenSSH?
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
State-Changed-From-To: feedback->closed 
State-Changed-By: des 
State-Changed-When: Tue Aug 19 03:51:54 PDT 2003 
State-Changed-Why:  
Feedback timeout. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25263 
>Unformatted:
