Description of problem: SSHD (or TCP wrappers) does not compare IPv4 addresses as IPv4 addresses against hosts.{allow,deny}. It seems to use mapped IPv6 addresses. This means it is broken. Version-Release number of selected component (if applicable): 4.3p2 How reproducible: 100% Steps to Reproduce: Assuming that Host A has IP address of 192.168.1.1 and Host B has IP address of 192.168.1.2: 1. Edit /etc/hosts.allow on Host A and add the line: sshd: 192.168.1.2 Edit /etc/hosts.deny on Host A and add the line: sshd: ALL 2. Attempt to SSH into Host A from Host B. Actual results: The connection is refused. /var/log/secure contains: sshd[2043]: refused connect from ::ffff:192.168.1.2 (::ffff:192.168.1.2) Expected results: To allow the connection! Or deny the connection if the rules were setup in reverse. Additional info: This security problem was also reported by someone else in bug 172181 and bug 159268 , but Red Hat staff ignored.
This is a completely different problem than the one in the bug reports mentioned above. SSHD listens on both IPv4 and IPv6 addresses with one socket. The accepted socket is passed directly to libwrap so it cannot affect how it will take care of it. Reassigning to tcp_wrappers.
I'm unable to reproduce this. It just works. Also, looking at the code, there's no reason why it should not. Are you able to reproduce this with current fc5?
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer test releases. We're cleaning up the bug database and making sure important bug reports filed against these test releases don't get lost. It would be helpful if you could test this issue with a released version of Fedora or with the latest development / test release. Thanks for your help and for your patience. [This is a bulk message for all open FC5/FC6 test release bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
No answer for more than month and unable to reproduce, closing.