Subject: bin/12269: sshd supports two login.conf attributes that are not documented
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@mines.edu>
List: netbsd-bugs
Date: 02/22/2001 13:48:17
>Number:         12269
>Category:       bin
>Synopsis:       sshd supports two login.conf attributes that are not documented
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 22 12:49:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jim Bernard
>Release:        February 22, 2001
>Organization:
>Environment:
System: NetBSD knox 1.5R NetBSD 1.5R (KNOX-$Revision: 1.13 $) #0: Tue Feb 13 15:56:19 MST 2001 jbernard@knox:/fh/usr/tmp/compile/sys/arch/sparc/compile/KNOX sparc
Architecture: sparc
Machine: sparc
>Description:
	The sshd authentication code (crypto/dist/ssh/auth.c) calls
	login_getcapstr to check for attributes "host.deny" and
	"host.allow", which are not documented in login.conf(5).
	These are evidently not used by login, but I haven't checked
	other programs to see if they support them.  In any case, it
	would be nice to have them documented.  (host.deny is a list
	of hosts from which the class is denied access, and host.allow
	is a list of hosts from which the class is allowed access.)

	It might be useful to add support for these to login and other
	programs as well.

>How-To-Repeat:
	Read auth.c and login.conf(5).

>Fix:
	I'm not sure whether it's better to document these in login.conf(5)
	or sshd(8) (the details of the behavior are determined by code in
	sshd's auth.c and match.c).  But here's a patch for login.conf(5).

--- login.conf.5-dist	Tue Dec 19 07:57:38 2000
+++ login.conf.5	Thu Feb 22 13:41:01 2001
@@ -104,10 +104,29 @@
 .sp
 .It Sy filesize Ta size Ta "" Ta
 Maximum file size limit.
 .\"
 .sp
+.It Sy host.allow Ta string Ta "" Ta
+A comma-separated list of hosts (name or IP) from which a class is
+allowed access.  Access is instead denied from any hosts preceded
+by
+.Sq Li ! .
+The
+.Sy host.deny
+entry is checked before
+.Sy host.allow .
+(Currently used only by
+.Xr sshd 8 .)
+.\"
+.sp
+.It Sy host.deny Ta string Ta "" Ta
+A comma-separated list of hosts (name or IP) from which a class is
+denied access.  (Currently used only by
+.Xr sshd 8 .)
+.\"
+.sp
 .It Sy hushlogin Ta bool Ta Li false Ta
 Same as having a
 .Pa $HOME/.hushlogin
 file.
 See
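Review bot: the new host.allow and host.deny entries never state the default outcome, which is the part an administrator needs to judge the access boundary: nothing says whether a class that sets host.allow but has no entry matching the connecting host is denied, or what happens when only host.deny is set and the host is not listed. Since the PR itself notes that the real semantics are fixed by sshd's auth.c and match.c, spell out the result for the unmatched case in both entries (or point to sshd(8) if the rules are documented there). The two entries are also asymmetric: host.allow describes entries "preceded by `!`" as negated, while host.deny says nothing about `!`; either document the same negation under host.deny or state that it is not supported there, so readers do not assume one behaviour from the other.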
>Release-Note:
>Audit-Trail:
>Unformatted: