FreeBSD 4.x

Paul-Andrew Joseph Miseiko teardrop at teardrop.ca
Sun Mar 24 15:25:12 EST 2002


	On FreeBSD 4.x with HAVE_LOGIN_CAP defined the OpenSSH daemon doesn't properly follow standards.

As stated in man 5 login.conf and the process followed by /usr/bin/login,
"The ttys.allow and ttys.deny entries contain a comma-separated list of
     tty devices (without the /dev/ prefix) that a user in a class may use to
     access the system, and/or a list of ttygroups (See getttyent(3) and
     ttys(5) for information on ttygroups)."

It appears that the OpenSSH Daemon (sshd) is sending the /dev/ to be verified along with the tty*.

Quick fix, either add /dev/ to your login.conf ttys.* entries or make the sshd cut off the leading /dev/.

Proposed idea,
"sscanf(s->tty, "/dev/%s", s->parsed_tty);"

I'm no fan of sscanf but I don't feel like pasting a while loop followed by counter variables, etc, for parsing to a mailing list :)

The splice of code is found in session.c

#ifdef HAVE_LOGIN_CAP                                 
        if (!auth_ttyok(lc, s->tty)) {                
                (void)printf("Permission denied.\n"); 
                log(                                  
               "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
                    pw->pw_name, get_remote_name_or_ip(utmp_len,
                        options.verify_reverse_mapping), s->tty);
                exit(254);
        }
#endif /* HAVE_LOGIN_CAP */
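
Added example, not part of the original post and not OpenSSH code: one way to drop the leading /dev/ without copying into a second buffer, and the effect on a ttys.allow-style comparison. The names tty_strip_dev and tty_in_list are hypothetical, the list and tty values are constructed, and tty_in_list is only an exact-match stand-in for the real check (no ttygroups).

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX "/dev/"   /* same value as _PATH_DEV in <paths.h> */

/* Hypothetical helper: return the tty name without a leading "/dev/".
 * It returns a pointer into the original string, so there is no copy
 * and no destination buffer to overflow. */
static const char *tty_strip_dev(const char *tty)
{
    size_t n = strlen(DEV_PREFIX);

    if (tty != NULL && strncmp(tty, DEV_PREFIX, n) == 0)
        return tty + n;
    return tty;
}

/* Constructed stand-in for the ttys.allow comparison: exact match of
 * name against one entry of a comma-separated list. Not auth_ttyok(). */
static int tty_in_list(const char *list, const char *name)
{
    size_t want = strlen(name);

    while (*list != '\0') {
        size_t len = strcspn(list, ",");

        if (len == want && strncmp(list, name, len) == 0)
            return 1;
        list += len;
        if (*list == ',')
            list++;
    }
    return 0;
}

int main(void)
{
    const char *allow = "ttyp0,ttyp1,ttyv0";  /* constructed sample entry */
    const char *tty = "/dev/ttyp1";           /* constructed, as sshd holds it */

    /* With the prefix the permitted tty is refused; without it, it matches. */
    printf("raw:      %d\n", tty_in_list(allow, tty));
    printf("stripped: %d\n", tty_in_list(allow, tty_strip_dev(tty)));
    return 0;
}
```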




