Bug 294

Summary: tcp wrapper access changed between 2.9.9p2 and 3.3p1
Product: Portable OpenSSH Reporter: Kevin Taylor <ktaylor>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WORKSFORME    
Severity: major    
Priority: P2    
Version: -current   
Hardware: MIPS   
OS: IRIX   

Description Kevin Taylor 2002-06-26 00:07:18 AEST 
We would like to be able to have tcp wrappers allow ssh access based on ip
address groups, rather than names only. This was working as expected for 2.9.9p2
and seems to only allow access by hostname for 3.3p1.

I started looking at how we have tcpd compiled, but I don't think that's the
problem because this was working fine with the older openssh, but not the new one.
Comment 1 Kevin Taylor 2002-06-26 00:53:15 AEST 
This is what's reported in the syslog from openssh-2.9.9p2 - with an ip address
range listed in hosts.allow

Jun 25 10:50:08 6D:server sshd[30123536]: Failed keyboard-interactive for
ktaylor from xxx.xxx.xxx.xxx port 40333 ssh2
Jun 25 10:50:13 6D:server sshd[30123536]: Accepted password for ktaylor from
xxx.xxx.xxx.xxx port 40333 ssh2

With openssh-3.3p1, I don't connect from the client, because I'm being refused
from the server:

Jun 25 10:52:02 4D:server sshd[30412458]: refused connect from client.com
Comment 2 Markus Friedl 2002-06-28 20:51:20 AEST 
that's all we changed:

        packet_set_connection(sock_in, sock_out);
 
        remote_port = get_remote_port();
        remote_ip = get_remote_ipaddr();
 
-       /* Check whether logins are denied from this host. */
 #ifdef LIBWRAP
-       /* XXX LIBWRAP noes not know about IPv6 */
+       /* Check whether logins are denied from this host. */
        {
                struct request_info req;
 
-               request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in,
NULL);
+               request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
                fromhost(&req);
 
                if (!hosts_access(&req)) {
+                       debug("Connection refused by tcp wrapper");
                        refuse(&req);
-                       close(sock_in);
-                       close(sock_out);
+                       /* NOTREACHED */
+                       fatal("libwrap refuse returns");
                }
-/*XXX IPv6 verbose("Connection from %.500s port %d", eval_client(&req),
remote_port); */
        }
 #endif /* LIBWRAP */
+
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
:
Comment 3 Kevin Taylor 2002-06-28 20:56:43 AEST 
hmm...that's weird. I wonder why the different behavior suddenly.
Comment 4 Kevin Taylor 2002-06-28 21:43:48 AEST 
ok. I think I may be on to a way to get it working. If I compile it on IRIX with
the IRIX native compilers (n32 mode), everything is working as it probably should.

However, when using gcc 2.95.3 on IRIX, it had the tcp wrapper problem. 

Why this is an issue at all, I don't know....and way beyond my area of expertise
to figure out...and probably not worth the effort.

Thanks.
Comment 5 Damien Miller 2004-04-14 12:24:18 AEST 
Mass change of RESOLVED bugs to CLOSED