OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: ssh2 bypasses host.allow in /etc/login.conf?
From: Mike Hoskins (mikeadept.org)
Date: Sun Jul 23 2000 - 17:26:37 CDT

On Sun, 23 Jul 2000, Dmitry Pryanishnikov wrote:

> Maybe I've missed something, but I mean NOT a file host.allow, but the
> BSD-native login class restrictions written in /etc/login.conf, which
> checked with auth_hostok() (or login_getclass()/login_getcapstr() as
> in sshd.c from ssh1). Of course, make WITH_TCPWRAP=yes doesn't help!

So... are these methods also in ssh2's .c file? Just curious... As Paul
mentioned, not all version 1 features were carried over to version
2. Maybe this is just a case of getting bitten by this fact. Have you
tried OpenSSH? A much better solution, IMCO.

I can do some tests with OpenSSH if you want (rushing out the door
ATM). I usually always use /etc/hosts.allow to control access anyhow,
because a CGI (allowing me to add hosts to hosts.allow from an SSL
webpage) I wrote points to it and I'm too lazy to change it. ;)

-mrh

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message