Problem with tcp_wrappers

Krzysztof Oledzki olemx at ans.pl
Wed Mar 28 20:54:08 EST 2001


Hello,

I have just found a little bug in OpenSSH's tcp_wrappers handling.
In file sshd.c you can find:
                if (!hosts_access(&req)) {
                        close(sock_in);
                        close(sock_out);
                        refuse(&req);
                }
If the username was not required for authorization (for example,
you are refusing all connections from a specific host), refuse will
return "sshd: refused connect from root at some.host.name".
This happens because the user name is checked by eval_client()
from refuse() when the connection is already closed by:
                        close(sock_in);
                        close(sock_out);

Hopefully, username and hostname information is cached, so it is easy
to fix - it is enough to add:
                        eval_client(&req);
before:
                        close(sock_in);
                        close(sock_out);

And now, when sshd.c calls refuse(&req), the username is known, so the proper
user name will be sent to the system logs.

Best regards,

                                Krzysztof Oledzki
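
The ordering problem described in this report, as an added example that is not part of the original post and is not OpenSSH or tcp_wrappers code: a small C model in which the client name is resolved lazily from the socket and cached. The names req_model, eval_client_model, refuse_model and run_case, the peer name "alice" and the "unknown" fallback are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Hypothetical stand-in for libwrap's request_info; client "" = unresolved. */
struct req_model { int fd; char client[64]; };

/* Model of eval_client(): return the cached name, or resolve it now.
 * Resolution needs a live descriptor; on failure a fallback is cached. */
static const char *eval_client_model(struct req_model *r)
{
    if (r->client[0] == '\0') {
        ssize_t n = recv(r->fd, r->client, sizeof r->client - 1, MSG_PEEK);
        if (n > 0) r->client[n] = '\0';
        else strcpy(r->client, "unknown");  /* constructed fallback */
    }
    return r->client;
}

/* Model of refuse(): formats the log line instead of calling syslog(). */
static void refuse_model(struct req_model *r, char *out, size_t len)
{
    snprintf(out, len, "refused connect from %s", eval_client_model(r));
}

/* One refused connection; the peer name "alice" is constructed data. */
int run_case(int eval_before_close, char *out, size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    struct req_model r = { sv[0], "" };
    ssize_t w = write(sv[1], "alice", 5);
    if (w == 5 && eval_before_close)
        eval_client_model(&r);   /* proposed fix: fill the cache first */
    close(sv[0]);                /* sshd closes its sockets before refuse() */
    refuse_model(&r, out, len);
    close(sv[1]);
    return w == 5 ? 0 : -1;
}

int main(void)
{
    char a[128], b[128];
    if (run_case(0, a, sizeof a) || run_case(1, b, sizeof b)) return 1;
    printf("close first: %s\neval first:  %s\n", a, b);
    return 0;
}
```

The model uses a single descriptor where sshd.c closes both sock_in and sock_out; the point it shows is only that a lazily resolved value must be cached while the descriptor is still open if the refusal log line is to carry it.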




