Description of problem:
hosts.allow(5) says

    An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
    `[net/prefixlen]\' pair.

but the syntax that works is

    [n:n:n:n:n:n:n:n]/m

with the ] before the / (The [n/m] syntax is SILENTLY IGNORED.)

Version-Release number of selected component (if applicable):
tcp_wrappers-libs-7.6-73.fc19.x86_64
but the problem also exists under Fedora 18 (and maybe earlier).
(The man page is correct in RHEL 6.4)

How reproducible:
Every time.

Steps to Reproduce:
1. put
       sshd: [2001::/16]
   in /etc/hosts.allow
2. ssh to your box from something with a 2001: IPv6 address
3. be sad when it fails to let you in
4. change to
       sshd: [2001::]/16
5. rejoice because you and the 50 other IPv6 users can now get in

Actual results:
hosts.allow blocks access if you follow the manual.

Expected results:
following the manual should work.

Additional info:
Patch to the manual page is attached.
Created attachment 770610
correct manual page
I can't reproduce this, both expressions work for me:

    # echo '' > /etc/hosts.allow
    # ssh 2620:52:0:2202:221:9bff:fe36:7a22
    ssh_exchange_identification: Connection closed by remote host
    # echo 'sshd: [2620::]/16' > /etc/hosts.allow
    # ssh 2620:52:0:2202:221:9bff:fe36:7a22
    IPv6 addr/mask: 2620::/16
    Last login: Tue Jul 9 17:33:39 2013 from rawhide-devel.virt
    # logout
    Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.
    # echo 'sshd: [2620::/16]' > /etc/hosts.allow
    # ssh 2620:52:0:2202:221:9bff:fe36:7a22
    IPv6 addr/mask: 2620::/16
    Last login: Tue Jul 9 17:36:01 2013 from rawhide-devel.virt
    # logout
    Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.
    # rpm -q tcp_wrappers
    tcp_wrappers-7.6-73.fc19.x86_64
Hmmm... it Still Doesn't Work For Me.

But a correction to my bug report: I can reproduce the failure consistently with F18 on both client and server, not F19:

    tcp_wrappers-7.6-70.fc18.x86_64

It looks like your reproduction was done all on one box. My test case is between two different boxes. Is it possible you're getting some kind of short-circuit to localhost6?

Specific test case on the server (at 2001:4:5:6::7) is:

    # works with next line uncommented
    sshd: [2001:1:2:3::]/64
    # fails if above line is commented and next line is left in
    sshd: [2001:1:2:3::/64]

and login attempts from 2001:1:2:3::4 as

    ssh 2001:4:5:6::7 date

(not the actual addresses)

Maybe both are supported in F19? (Fix between -70 and 73?)
You're right, there's a change in the parser between F18 and F19. But, the hosts_access (5) man page on F18 says:

    # zgrep -A 6 'An expression of the form `\[n:n:n' /usr/share/man/man5/hosts_access.5.gz
    An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
    `[net]/prefixlen\' pair. An IPv6 host address is matched if
    `prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
    address. For example, the [net]/prefixlen pattern
    `[3ffe:505:2:1::]/64\' matches every address in the range
    `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
    .IP \(bu
    # rpm -qf /usr/share/man/man5/hosts_access.5.gz
    tcp_wrappers-libs-7.6-70.fc18.x86_64

This is correct and it works as expected. Is it possible that you have some local changes? Try

    # rpm -V tcp_wrappers-libs
Wow, this is crazy. You say the parser is changing and now supports both. Apparently the man page, too, has changed.

On a current F18 box:

    f18> zcat /usr/share/man/man5/hosts_access.5.gz |grep 'n:n'
    An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
    f18> rpm -qf /usr/share/man/man5/hosts_access.5.gz
    tcp_wrappers-libs-7.6-70.fc18.x86_64

On a F19 box:

    f19> zcat /usr/share/man/man5/hosts_access.5.gz |grep n:n
    An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
    f19> rpm -qf /usr/share/man/man5/hosts_access.5.gz
    tcp_wrappers-libs-7.6-73.fc19.x86_64
    tcp_wrappers-libs-7.6-73.fc19.i686

rpm -V tcp_wrappers-libs produces no output on both boxes.

IMHO the man page should track what works in both cases (that is [n:n:n:n:n:n:n:n/m]) but one could also argue we should just track upstream.
closed out as fixed in F20
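
Added example, not part of the bug report and not tcp_wrappers code: a small Python checker that finds bracketed IPv6 client patterns in a hosts.allow fragment, reports which of the two spellings discussed above each one uses, and tests whether a given client address falls inside the prefix. It parses with Python's ipaddress module rather than reproducing the tcp_wrappers parser; the SAMPLE text and the function names are constructed for illustration, and backslash continuation lines are not handled.

```python
import ipaddress
import re

# Constructed sample: the two spellings from the thread plus a non-matching net.
SAMPLE = """\
# constructed hosts.allow fragment
sshd: [2001:1:2:3::]/64
sshd: [2001:1:2:3::/64]
sshd: [2620::/16]
"""

# Bracketed IPv6 client pattern, prefix length inside or outside the brackets.
PATTERN = re.compile(r"\[([0-9A-Fa-f:.]+)(?:/(\d{1,3}))?\](?:/(\d{1,3}))?")

def classify(match):
    """Return (form, IPv6Network or None) for one PATTERN match."""
    addr, inside, outside = match.groups()
    if inside and outside:
        return "invalid", None  # prefix length given twice
    if inside:
        form, plen = "[net/prefixlen]", inside
    elif outside:
        form, plen = "[net]/prefixlen", outside
    else:
        form, plen = "[addr]", "128"
    try:
        return form, ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
    except ValueError:
        return "invalid", None  # bad address or prefix length above 128

def audit(text, client):
    """List (lineno, daemons, pattern, form, matches_client) per IPv6 pattern."""
    ip = ipaddress.IPv6Address(client)
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        for m in PATTERN.finditer(rest):
            form, net = classify(m)
            rows.append((lineno, daemons.strip(), m.group(0), form,
                         net is not None and ip in net))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE, "2001:1:2:3::4"):
        print(*row, sep="\t")
```

Per the thread, entries reported as [net/prefixlen] are the ones that did not match on tcp_wrappers-7.6-70.fc18, so those are the lines to re-test from a second host when a rule that should match is denying connections.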