Bug 982345

Summary:

hosts.allow manual has wrong syntax for ipv6 net/prefixlen

Product:

[Fedora] Fedora

Reporter:

John Heidemann <johnh>

Component:

tcp_wrappers

Assignee:

Petr Lautrbach <plautrba>

Status:

CLOSED CURRENTRELEASE

QA Contact:

Fedora Extras Quality Assurance <extras-qa>

Severity:

medium

Docs Contact:

Priority:

unspecified

Version:

CC:

johnh, plautrba

Target Milestone:

---

Target Release:

---

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2014-05-20 05:53:33 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
correct manual page	none

Description John Heidemann 2013-07-08 18:36:16 UTC

Description of problem:

hosts.allow(5) says 
  An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
  `[net/prefixlen]\' pair.
but the syntax that works is
  [n:n:n:n:n:n:n:n]/m
with the ] before the /

(The [n/m] syntax is SILENTLY IGNORED.)

Version-Release number of selected component (if applicable):
tcp_wrappers-libs-7.6-73.fc19.x86_64

but the problem also exists under Fedora 18 (and maybe earlier).
(The man page is correct in REHL 6.4)

How reproducible:
Every time.

Steps to Reproduce:
1. put sshd: [2001::/16] in /etc/hosts.allow
2. ssh to your box from something with a 2001: IPv6 address
3. be sad when it fails to let you in
4. change to sshd: [2001::]/16
5. rejoice because you and the 50 other IPv6 users can now get in

Actual results:
hosts.allow blocks access if you follow the manual.

Expected results:
following the manual should work.

Additional info:
Patch to the manual page is attached.

Comment 1 John Heidemann 2013-07-08 18:36:49 UTC

Created attachment 770610 [details]
correct manual page

Comment 2 Petr Lautrbach 2013-07-09 15:43:10 UTC

I can't reproduce this, both expressions work for me:

# echo '' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
ssh_exchange_identification: Connection closed by remote host

# echo 'sshd: [2620::]/16' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
IPv6 addr/mask: 2620::/16
Last login: Tue Jul  9 17:33:39 2013 from rawhide-devel.virt
# logout
Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.

# echo 'sshd: [2620::/16]' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
IPv6 addr/mask: 2620::/16
Last login: Tue Jul  9 17:36:01 2013 from rawhide-devel.virt
# logout
Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.

# rpm -q tcp_wrappers
tcp_wrappers-7.6-73.fc19.x86_64

Comment 3 John Heidemann 2013-07-10 03:48:02 UTC

Hmmm... it Still Doesn't Work For Me.
But a correction to my bug report:
I can reproduce the failure consistently with F18 on both client and server, not F19:
tcp_wrappers-7.6-70.fc18.x86_64

It looks like your reproduction was done all on one box.
My test case is between two different boxes.
Is it possible you're getting some kind of short-circuit to localhost6?

Specific test case on the server (at 2001:4:5:6::7) is:
# works with next line uncommented
sshd: [2001:1:2:3::]/64
# fails if above line is commented and next line is left in
sshd: [2001:1:2:3::/64]

and login attempts from 2001:1:2:3::4 as
ssh 2001:4:5:6::7 date

(not the actual addresses)

Maybe both are supported in F19?  (Fix between -70 and 73?)

Comment 4 Petr Lautrbach 2013-07-10 06:49:18 UTC

You're right, there's a change in the parser between F18 and F19. But, the hosts_access (5) man page on F18 says:

# zgrep -A 6 'An expression of the form `\[n:n:n' /usr/share/man/man5/hosts_access.5.gz
An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
`[net]/prefixlen\' pair. An IPv6 host address is matched if
`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
address. For example, the [net]/prefixlen pattern
`[3ffe:505:2:1::]/64\' matches every address in the range
`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
.IP \(bu


# rpm -qf /usr/share/man/man5/hosts_access.5.gz 
tcp_wrappers-libs-7.6-70.fc18.x86_64


This is correct and it works and expected. Is it possible that you have some local changes? Try

# rpm -V tcp_wrappers-libs

Comment 5 John Heidemann 2013-07-10 14:36:48 UTC

Wow, this is crazy.  You say the parser is changing and now supports both.  Apparently the man page, too, has changed.

On a current F18 box:
f18> zcat /usr/share/man/man5/hosts_access.5.gz |grep 'n:n'
An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
f18> rpm -qf /usr/share/man/man5/hosts_access.5.gz
tcp_wrappers-libs-7.6-70.fc18.x86_64


On a F19 box:
f19> zcat /usr/share/man/man5/hosts_access.5.gz |grep n:n
An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
f19> rpm -qf /usr/share/man/man5/hosts_access.5.gz 
tcp_wrappers-libs-7.6-73.fc19.x86_64
tcp_wrappers-libs-7.6-73.fc19.i686

rpm -V tcp_wrappers-libs produces no output on both boxes

IMHO the man page should track what works in both cases
(that is [n:n:n:n:n:n:n:n/m])
but one could also argue we should just track upstream.

Comment 6 John Heidemann 2014-05-20 05:53:33 UTC

closed out as fixed in F20