pam_access: LOCAL matches IPv6 address by definition

Thorsten Kukuk kukuk at suse.de
Tue Apr 15 14:16:09 UTC 2008


On Wed, Apr 09, Petr Pisar wrote:

> Hello,
> 
> I'm very glad for IPv6 support in pam_access. However I met a problem
> that line
> 
> -:user:ALL EXCEPT LOCAL
> 
> allows logging via IPv6 protocol (PAM_RHOST is something like
> 2001:abcd::1).
> 
> According to the manual page, the LOCAL keyword matches all tokens without a '.'
> (dot) character. The motivation is clear: domain names and IPv4
> addresses contain a dot, so local logins (from the console or a local X11
> display) can be matched. Accidentally, the "new" IP protocol has addresses
> without dots. So, the rigid semantics and human interception don't align.
> 
> Thus, I ask: Should we change the dot rule or should we add remarks to
> documentation about it?

The problem is that the LOCAL keyword does not work in even more
cases.
Currently my suggestion would be to change the code in the following
way: if PAM_RHOST is set, we are always remote and deny access; else
we are always local.
This still would allow remote connections in some circumstances,
but not more than before. And would solve the problems, where local
hostnames without domain are used.

But this change would be done only with Linux-PAM 1.1.

  Thorsten


-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
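To make the two rules discussed in this thread concrete, here is a small constructed model (added for illustration, not Linux-PAM's own pam_access code) that evaluates the line "-:user:ALL EXCEPT LOCAL" under the documented dot rule and under Thorsten's proposed PAM_RHOST rule. The sample PAM_RHOST values, the short hostname "buildbox" and the 192.0.2.10 address are constructed; the IPv6 address is the one from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of pam_access's LOCAL keyword for this
 * thread; it is not the Linux-PAM source. The token is PAM_RHOST, or
 * NULL when the login has no remote host (console, local X display). */

/* Documented rule: LOCAL matches any token that contains no '.' character. */
static int local_by_dot_rule(const char *rhost)
{
    if (rhost == NULL || *rhost == '\0')
        return 1;                       /* no host at all: local          */
    return strchr(rhost, '.') == NULL;  /* any dotless token counts local */
}

/* Proposed rule: a set PAM_RHOST is always remote, an unset one is local. */
static int local_by_rhost_rule(const char *rhost)
{
    return rhost == NULL || *rhost == '\0';
}

/* Decision for "-:user:ALL EXCEPT LOCAL": 1 = access denied, 0 = allowed. */
int denied_dot_rule(const char *rhost)   { return !local_by_dot_rule(rhost); }
int denied_rhost_rule(const char *rhost) { return !local_by_rhost_rule(rhost); }

int main(void)
{
    /* Constructed sample PAM_RHOST values. */
    const char *samples[] = {
        NULL,               /* console login, PAM_RHOST unset           */
        "192.0.2.10",       /* IPv4 address: contains dots              */
        "host.example.org", /* fully qualified name: contains dots      */
        "2001:abcd::1",     /* IPv6 address from the report: no dots    */
        "buildbox",         /* local hostname without a domain: no dots */
    };
    size_t i;

    printf("%-18s %-9s %-9s\n", "PAM_RHOST", "dot-rule", "rhost-rule");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = samples[i];
        printf("%-18s %-9s %-9s\n", r ? r : "(unset)",
               denied_dot_rule(r) ? "deny" : "ALLOW",
               denied_rhost_rule(r) ? "deny" : "ALLOW");
    }
    return 0;
}
```

The table shows the two failure cases from the thread under the dot rule (IPv6 and a bare hostname are both allowed) and that the PAM_RHOST rule denies them while still treating the unset case as local.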



