Subject: bin/12269: sshd supports two login.conf attributes that are not documented
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@mines.edu>
List: netbsd-bugs
Date: 02/22/2001 13:48:17
>Number: 12269
>Category: bin
>Synopsis: sshd supports two login.conf attributes that are not documented
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Thu Feb 22 12:49:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Jim Bernard
>Release: February 22, 2001
>Organization:
>Environment:
System: NetBSD knox 1.5R NetBSD 1.5R (KNOX-$Revision: 1.13 $) #0: Tue Feb 13 15:56:19 MST 2001 jbernard@knox:/fh/usr/tmp/compile/sys/arch/sparc/compile/KNOX sparc
Architecture: sparc
Machine: sparc
>Description:
The sshd authentication code (crypto/dist/ssh/auth.c) calls
login_getcapstr to check for attributes "host.deny" and
"host.allow", which are not documented in login.conf(5).
These are evidently not used by login, but I haven't checked
other programs to see if they support them. In any case, it
would be nice to have them documented. (host.deny is a list
of hosts from which the class is denied access, and host.allow
is a list of hosts from which the class is allowed access.)
It might be useful to add support for these to login and other
programs as well.
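As an added illustration (not sshd's code, and not part of this PR), a small Python model of the check sequence the description and the proposed manual text lay out: a class record in login.conf's capability format is parsed, host.deny is consulted before host.allow, and a `!` entry in host.allow excludes a host. The literal name/IP comparison, the simplified parser (no `tc=` inheritance) and the default-deny outcome when host.allow is set but matches nothing are assumptions, since the real matching rules live in sshd's auth.c and match.c.

```python
"""Model of the host.deny / host.allow check this PR describes for sshd.
Added illustration, not sshd's code: names and IPs are compared literally,
host.deny is consulted before host.allow, '!' in host.allow excludes a host,
and a host matching no host.allow entry is denied (an assumption)."""

# Constructed login.conf excerpt (capability-database style), one class.
LOGIN_CONF = r"""
remote:\
    :host.deny=badhost.example.org,192.0.2.99:\
    :host.allow=!192.0.2.50,admin.example.org,192.0.2.10:\
    :tc=default:
"""

def parse_class(text, name):
    """Return {capability: value} for class `name` (tc= inheritance ignored)."""
    joined = text.replace("\\\n", "")           # fold backslash continuations
    for record in joined.strip().splitlines():
        fields = [f.strip() for f in record.split(":")]
        if fields[0] != name:
            continue
        caps = {}
        for field in fields[1:]:
            if "=" in field:
                key, value = field.split("=", 1)
                caps[key] = value
            elif field:
                caps[field] = True                 # boolean capability
        return caps
    return None

def _listed(hosts, entries):          # client name or IP appears in entries
    return any(h in entries for h in hosts)

def host_permitted(caps, hostname, ip):
    """Apply host.deny, then host.allow; return (allowed, reason)."""
    hosts = (hostname, ip)
    deny = caps.get("host.deny")
    if deny and _listed(hosts, [e.strip() for e in deny.split(",")]):
        return False, "host.deny"                # deny list wins, checked first
    allow = caps.get("host.allow")
    if not allow:
        return True, "no host.allow"              # no allow list: no restriction
    entries = [e.strip() for e in allow.split(",")]
    if _listed(hosts, [e[1:] for e in entries if e.startswith("!")]):
        return False, "negated in host.allow"
    if _listed(hosts, [e for e in entries if not e.startswith("!")]):
        return True, "host.allow"
    return False, "not in host.allow (assumed default deny)"
```

The second check in the tests below is the ordering point: a name listed in host.allow is still refused when its address is in host.deny.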
>How-To-Repeat:
Read auth.c and login.conf(5).
>Fix:
I'm not sure whether it's better to document these in login.conf(5)
or sshd(8) (the details of the behavior are determined by code in
sshd's auth.c and match.c). But here's a patch for login.conf(5).
--- login.conf.5-dist Tue Dec 19 07:57:38 2000
+++ login.conf.5 Thu Feb 22 13:41:01 2001
@@ -104,10 +104,29 @@
.sp
.It Sy filesize Ta size Ta "" Ta
Maximum file size limit.
.\"
.sp
+.It Sy host.allow Ta string Ta "" Ta
+A comma-separated list of hosts (name or IP) from which a class is
+allowed access. Access is instead denied from any hosts preceded
+by
+.Sq Li ! .
+The
+.Sy host.deny
+entry is checked before
+.Sy host.allow .
+(Currently used only by
+.Xr sshd 8 .)
+.\"
+.sp
+.It Sy host.deny Ta string Ta "" Ta
+A comma-separated list of hosts (name or IP) from which a class is
+denied access. (Currently used only by
+.Xr sshd 8 .)
+.\"
+.sp
.It Sy hushlogin Ta bool Ta Li false Ta
Same as having a
.Pa $HOME/.hushlogin
file.
See
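Review bot: the host.allow entry does not say what happens when host.allow is set but the connecting host matches no entry, positive or negated; a reader will infer from "a list of hosts ... allowed access" that every other host is refused, but that default-deny behaviour is the point that matters and should be stated outright, e.g. "Hosts matching no entry are denied access." Two smaller points in the same hunk: the `!` negation is described only under host.allow, so the host.deny entry should say whether it is honoured there too (or not), and since both attributes accept "name or IP", the text should say that both the client's name and its address are compared against the list, so an administrator knows a name-based entry is only as reliable as the name lookup behind it.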
>Release-Note:
>Audit-Trail:
>Unformatted: