FreeBSD 4.x

Paul-Andrew Joseph Miseiko teardrop at teardrop.ca
Sun Mar 24 16:00:00 EST 2002


It would appear that the added functional HAVE_LOGIN_CAP came from a ports patch.

Therefore I guess I better email the ports maintainer instead :).

On Sat, 23 Mar 2002 23:25:12 -0500, Paul-Andrew Joseph Miseiko wrote:

>	On FreeBSD 4.x with HAVE_LOGIN_CAP defined the OpenSSH daemon doesn't properly follow standards.
>
>As stated in man 5 login.conf and the process followed by /usr/bin/login,
>"The ttys.allow and ttys.deny entries contain a comma-separated list of
>     tty devices (without the /dev/ prefix) that a user in a class may use to
>     access the system, and/or a list of ttygroups (See getttyent(3) and
>     ttys(5) for information on ttygroups)."
>
>It appears that the OpenSSH Daemon (sshd) is sending the /dev/ to be verified along with the tty*.
>
>Quick fix, either add /dev/ to your login.conf ttys.* entries or make the sshd cut off the leading /dev/.
>
>Proposed idea,
>"sscanf(s->tty, "/dev/%s", s->parsed_tty);"
>
>I'm no fan of sscanf but I don't feel like pasting a while loop followed by counter variables, etc, for parsing to a mailing list :)
>
>The splice of code is found in session.c
>
>#ifdef HAVE_LOGIN_CAP                                 
>        if (!auth_ttyok(lc, s->tty)) {                
>                (void)printf("Permission denied.\n"); 
>                log(                                  
>               "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
>                    pw->pw_name, get_remote_name_or_ip(utmp_len,
>                        options.verify_reverse_mapping), s->tty);
>                exit(254);
>        }
>#endif /* HAVE_LOGIN_CAP */
>
>
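An added example, not part of the original message or of OpenSSH's code: one way to drop the leading /dev/ before the login.conf tty check without copying into a second buffer, so no unbounded `%s` is involved. The helper names `tty_basename` and `tty_in_list` are hypothetical, the ttys.allow value is constructed, and `tty_in_list` is a simplified exact-match stand-in for the real check, not auth_ttyok().

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX "/dev/"

/* Hypothetical helper: return the tty name without a leading "/dev/".
 * Returns a pointer into the original string, so there is no copy and
 * no destination buffer to overflow. A bare "/dev/" is left unchanged. */
static const char *tty_basename(const char *tty)
{
    size_t n = sizeof(DEV_PREFIX) - 1;

    if (tty != NULL && strncmp(tty, DEV_PREFIX, n) == 0 && tty[n] != '\0')
        return tty + n;
    return tty;
}

/* Simplified stand-in for the login.conf lookup (assumption: exact match
 * against a comma-separated list; no patterns, no ttygroups). */
static int tty_in_list(const char *list, const char *tty)
{
    size_t tlen = strlen(tty);
    const char *p = list;

    while (*p != '\0') {
        size_t len = strcspn(p, ",");   /* length of the current entry */

        if (len == tlen && strncmp(p, tty, len) == 0)
            return 1;
        p += len;
        if (*p == ',')
            p++;                        /* skip the separator */
    }
    return 0;
}

int main(void)
{
    const char *allow = "ttyp0,ttyp1,ttyv0";  /* constructed ttys.allow value */
    const char *session_tty = "/dev/ttyp1";   /* form the report says sshd passes */

    printf("with /dev/ prefix: %d\n", tty_in_list(allow, session_tty));
    printf("prefix stripped:   %d\n",
        tty_in_list(allow, tty_basename(session_tty)));
    return 0;
}
```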






More information about the openssh-unix-dev mailing list