pam_access: LOCAL matches IPv6 address by definition
Petr Pisar
petr.pisar at atlas.cz
Wed Apr 9 21:19:16 UTC 2008
Hello,
I'm very glad for IPv6 support in pam_access. However, I met a problem:
the line
-:user:ALL EXCEPT LOCAL
allows logging via IPv6 protocol (PAM_RHOST is something like
2001:abcd::1).
According to the manual page, the LOCAL keyword matches all tokens without
a '.' (dot) character. The motivation is clear: domain names and IPv4
addresses contain a dot, so local logins (from console or local X11
display) can be matched. Accidentally, the "new" IP protocol has addresses
without dots. So, rigid semantics and human interception don't align.
Thus, I ask: Should we change the dot rule or should we add remarks to
the documentation about it?
-- Petr
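
Added example, not part of the original post and not pam_access source code: a small C model of the documented "no dot means LOCAL" rule next to one possible stricter check, showing why `ALL EXCEPT LOCAL` exempts an IPv6 PAM_RHOST from the deny rule. The function names `local_by_dot_rule` and `local_strict` and the sample origin values are hypothetical, constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Documented rule: an origin token with no '.' counts as LOCAL. */
static int local_by_dot_rule(const char *from)
{
    return strchr(from, '.') == NULL;
}

/* Hypothetical stricter rule: keep the dot test, but also refuse
 * anything that parses as an IPv6 literal. A "%scope" suffix (as in
 * fe80::1%eth0) is stripped before parsing. */
static int local_strict(const char *from)
{
    char buf[INET6_ADDRSTRLEN + 1];
    struct in6_addr a6;
    size_t n = strcspn(from, "%");

    if (strchr(from, '.') != NULL)
        return 0;
    if (n < sizeof(buf)) {
        memcpy(buf, from, n);
        buf[n] = '\0';
        if (inet_pton(AF_INET6, buf, &a6) == 1)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample origins: tty names, an X11 display, remote hosts. */
    const char *samples[] = { "tty1", ":0", "192.0.2.10",
                              "host.example.org", "2001:abcd::1",
                              "fe80::1%eth0" };
    size_t i;

    printf("%-18s %-9s %s\n", "origin", "dot-rule", "strict");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s %-9s %s\n", samples[i],
               local_by_dot_rule(samples[i]) ? "LOCAL" : "remote",
               local_strict(samples[i]) ? "LOCAL" : "remote");
    return 0;
}
```

With the dot rule alone, `2001:abcd::1` is classified as LOCAL, so a line such as `-:user:ALL EXCEPT LOCAL` does not deny it.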