Bug 182738 - TCP wrappers does not work
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: tcp_wrappers
Version: 5
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Tomas Janousek
David Lawrence
Keywords: Security
Reported: 2006-02-24 08:16 EST by Emmanuel Galanos
Modified: 2008-08-02 19:40 EDT
Last Closed: 2007-04-20 07:05:50 EDT
Description Emmanuel Galanos 2006-02-24 08:16:01 EST
Description of problem:

SSHD (or TCP wrappers) does not compare IPv4 addresses as IPv4 addresses
against hosts.{allow,deny}. It seems to use mapped IPv6 addresses. This means
it is broken.

Version-Release number of selected component (if applicable):
4.3p2

How reproducible:
100%

Steps to Reproduce:

Assuming that Host A has IP address of 192.168.1.1 and Host B has IP address
of 192.168.1.2:

1. Edit /etc/hosts.allow on Host A and add the line:

sshd: 192.168.1.2

  Edit /etc/hosts.deny on Host A and add the line:

sshd: ALL

2. Attempt to SSH into Host A from Host B.
  
Actual results:

The connection is refused. /var/log/secure contains:

sshd[2043]: refused connect from ::ffff:192.168.1.2 (::ffff:192.168.1.2)



Expected results:

To allow the connection! Or deny the connection if the rules were set up in
reverse.

Additional info:

This security problem was also reported by someone else in bug 172181 and bug
159268, but Red Hat staff ignored them.
Comment 1 Tomas Mraz 2006-02-24 08:36:32 EST
This is a completely different problem than the one in the bug reports mentioned
above.

SSHD listens on both IPv4 and IPv6 addresses with one socket. The accepted
socket is passed directly to libwrap so it cannot affect how it will take care
of it. Reassigning to tcp_wrappers.
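
The mismatch the reporter describes, as an added example that is not part of the original bug thread and is not tcp_wrappers or OpenSSH code: a dual-stack listener reports an IPv4 client as `::ffff:a.b.c.d`, so an ACL entry written as plain IPv4 only matches if the mapped address is unwrapped first. `peer_to_text`, `acl_allows` and `check_sample` are hypothetical helpers, and the exact-string allow list is an assumption made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Text form of a peer; an IPv4-mapped IPv6 address (::ffff:a.b.c.d) becomes a.b.c.d. */
static const char *peer_to_text(const struct sockaddr *sa, char *buf, socklen_t len)
{
    if (sa->sa_family == AF_INET)
        return inet_ntop(AF_INET, &((const struct sockaddr_in *)sa)->sin_addr, buf, len);
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(a6)) /* last 4 bytes are the IPv4 address */
            return inet_ntop(AF_INET, &a6->s6_addr[12], buf, len);
        return inet_ntop(AF_INET6, a6, buf, len);
    }
    return NULL; /* unknown address family: caller should deny */
}

/* Hypothetical exact-match allow list standing in for "sshd: 192.168.1.2". */
static int acl_allows(const char *const *allowed, size_t n, const char *peer)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(allowed[i], peer) == 0)
            return 1;
    return 0;
}

/* Constructed sample: the peer from the report's log line, with or without unwrapping. */
static int check_sample(int normalise)
{
    static const char *const allowed[] = { "192.168.1.2" };
    struct sockaddr_in6 peer;
    char text[INET6_ADDRSTRLEN];

    memset(&peer, 0, sizeof peer);
    peer.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, "::ffff:192.168.1.2", &peer.sin6_addr) != 1)
        return -1;
    const char *p = normalise
        ? peer_to_text((const struct sockaddr *)&peer, text, sizeof text)
        : inet_ntop(AF_INET6, &peer.sin6_addr, text, sizeof text);
    return p ? acl_allows(allowed, 1, p) : -1;
}

int main(void)
{
    printf("raw: %d, normalised: %d\n", check_sample(0), check_sample(1));
    return 0;
}
```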
Comment 2 Tomas Janousek 2007-03-09 07:58:39 EST
I'm unable to reproduce this. It just works. Also, looking at the code, there's
no reason why it should not. Are you able to reproduce this with current fc5?
Comment 3 Matthew Miller 2007-04-06 12:40:18 EDT
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]
Comment 4 Tomas Janousek 2007-04-20 07:05:50 EDT
No answer for more than a month and unable to reproduce, closing.
