FreeBSD 4.x
Paul-Andrew Joseph Miseiko
teardrop at teardrop.ca
Sun Mar 24 15:25:12 EST 2002
On FreeBSD 4.x with HAVE_LOGIN_CAP defined the OpenSSH daemon doesn't properly follow standards.
As stated in man 5 login.conf and the process followed by /usr/bin/login,
"The ttys.allow and ttys.deny entries contain a comma-separated list of
tty devices (without the /dev/ prefix) that a user in a class may use to
access the system, and/or a list of ttygroups (See getttyent(3) and
ttys(5) for information on ttygroups)."
It appears that the OpenSSH Daemon (sshd) is sending the /dev/ to be verified along with the tty*.
Quick fix, either add /dev/ to your login.conf ttys.* entries or make the sshd cut off the leading /dev/.
Proposed idea,
"sscanf(s->tty, "/dev/%s", s->parsed_tty);"
I'm no fan of sscanf but I don't feel like pasting a while loop followed by counter variables, etc, for parsing to a mailing list :)
The splice of code is found in session.c
#ifdef HAVE_LOGIN_CAP
	if (!auth_ttyok(lc, s->tty)) {
		(void)printf("Permission denied.\n");
		log(
		    "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
		    pw->pw_name, get_remote_name_or_ip(utmp_len,
		    options.verify_reverse_mapping), s->tty);
		exit(254);
	}
#endif /* HAVE_LOGIN_CAP */
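
An added example, not part of the original post and not OpenSSH or FreeBSD code: stripping the leading /dev/ with a bounded prefix compare instead of sscanf with an unbounded %s, and the effect on a ttys.allow-style lookup. The names strip_dev_prefix and tty_in_list, the exact-match list check (a simplified stand-in for auth_ttyok) and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX "/dev/"	/* same value as _PATH_DEV in <paths.h> */

/* Hypothetical helper: return the tty name without a leading "/dev/".
 * It only advances the pointer, so there is no copy and no buffer to overrun. */
static const char *strip_dev_prefix(const char *tty)
{
	size_t n = sizeof(DEV_PREFIX) - 1;

	if (tty != NULL && strncmp(tty, DEV_PREFIX, n) == 0)
		return tty + n;
	return tty;
}

/* Hypothetical, simplified stand-in for the ttys.allow check: exact match of
 * tty against one entry of a comma-separated list. Not libutil's auth_ttyok(). */
static int tty_in_list(const char *list, const char *tty)
{
	size_t tlen = strlen(tty);
	const char *p = list;

	if (tlen == 0)
		return 0;
	while (*p != '\0') {
		size_t elen = strcspn(p, ",");	/* length of the current entry */

		if (elen == tlen && strncmp(p, tty, tlen) == 0)
			return 1;
		p += elen;
		if (*p == ',')
			p++;
	}
	return 0;
}

int main(void)
{
	const char *allow = "ttyp0,ttyp1";	/* constructed ttys.allow value */
	const char *tty = "/dev/ttyp1";		/* constructed; form of s->tty per the post */

	printf("as passed: %d\n", tty_in_list(allow, tty));
	printf("stripped:  %d\n", tty_in_list(allow, strip_dev_prefix(tty)));
	return 0;
}
```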