pam_access.so not recognizing host name in access.conf

Tomas Mraz tmraz at redhat.com
Fri Feb 3 13:52:25 UTC 2017


On Fri, 2017-01-27 at 14:09 +0100, Josef Moellers wrote:
> On 26.01.2017 16:40, Josef Moellers wrote:
> > Hi,
> > The following specification in access.conf does not work as expected:
> > -:username:ALL EXCEPT localhost
> > The manual page access.conf.5 claims that the third field may contain
> > host names, but the code only checks for numerical IP addresses by
> > calling inet_pton().
> > Is this desired behavior or am I missing something?
> > I'm willing to write a patch.
> 
> I suspect that "tok" and "string" need to be swapped in the second half
> of network_netmask_match():

No, this is not the case; the code is correct in what it is intended to
do. What is simply missing is the matching for the case where the
application calling the PAM module sets PAM_RHOST to an IP address (or an
alias name) and you want to use localhost in access.conf.

I am not saying that support for this cannot be added, but it is another
piece of matching code to add; you cannot simply hijack
network_netmask_match() for that purpose.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
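
The gap discussed in this thread, as an added example that is not code from pam_access or from either poster: a numeric-only comparison can never match the token "localhost" against a PAM_RHOST of 127.0.0.1, while a separate matcher that resolves the token first can. The function names numeric_match() and hostname_match() are hypothetical, and the example assumes "localhost" resolves through the local hosts file.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical: numeric-only comparison. A token that is not an IP
 * literal fails inet_pton() and therefore never matches anything. */
static int numeric_match(const char *tok, const char *rhost)
{
    unsigned char a[16], b[16];
    int fams[2] = { AF_INET, AF_INET6 };
    for (int i = 0; i < 2; i++) {
        if (inet_pton(fams[i], tok, a) == 1 && inet_pton(fams[i], rhost, b) == 1)
            return memcmp(a, b, fams[i] == AF_INET ? 4 : 16) == 0;
    }
    return 0;
}

/* Hypothetical: resolve the access.conf token as a host name and compare
 * each resulting address with the numeric value found in PAM_RHOST. */
static int hostname_match(const char *tok, const char *rhost)
{
    struct addrinfo hints, *res, *ai;
    unsigned char r[16];
    int fam, match = 0;

    if (inet_pton(AF_INET, rhost, r) == 1) fam = AF_INET;
    else if (inet_pton(AF_INET6, rhost, r) == 1) fam = AF_INET6;
    else return 0;                       /* rhost is not an IP literal */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = fam;               /* only addresses comparable to rhost */
    hints.ai_socktype = SOCK_STREAM;     /* one result per address */
    if (getaddrinfo(tok, NULL, &hints, &res) != 0)
        return 0;                        /* an unresolvable name matches nothing */
    for (ai = res; ai && !match; ai = ai->ai_next) {
        void *p = fam == AF_INET ? (void *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr
                                 : (void *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
        match = memcmp(p, r, fam == AF_INET ? 4 : 16) == 0;
    }
    freeaddrinfo(res);
    return match;
}

int main(void)
{
    printf("numeric:  %d\n", numeric_match("localhost", "127.0.0.1"));
    printf("resolved: %d\n", hostname_match("localhost", "127.0.0.1"));
    return 0;
}
```

With a rule such as "-:username:ALL EXCEPT localhost", a token that silently never matches turns the exception into a no-op, so the rule denies local logins as well.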



