Mailinglist Archive: opensuse-bugs (4247 mails)

[Bug 1019866] New: pam_access.so is not supporting a keywords like LOCAL (man access.conf)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 13 Jan 2017 14:04:06 +0000
  • Message-id: <bug-1019866-21960@http.bugzilla.novell.com/>
http://bugzilla.novell.com/show_bug.cgi?id=1019866


Bug ID: 1019866
Summary: pam_access.so is not supporting a keywords like LOCAL (man access.conf)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: nettezzaumanaa@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

hello geeko minions ....

I've found in 42.2 a minor problem with pam_access.so .. It is not supporting
keywords described in man page (and that are supported elsewhere) so for example
instead of ``-:root:ALL EXCEPT LOCAL'' you have to specify full network
addresses like this: ``-:root:ALL EXCEPT 127.0.0.0/8 ::1'' ..

`localhost' shall be supported also, so ``-:root:ALL EXCEPT localhost'' is also
supposed to be working ...

howto reproduce:

1) add to your /etc/pam.d/sshd a ``account required pam_access.so'' and restart
(for safe) sshd

2) assuming you have PermitRootLogin yes (but you can test it with whatever
user you want but I now follow with root) add variants of access.conf line from
above to /etc/security/access.conf ...

It's clear, that LOCAL or localhost keywords are not working and you have to
explicitly specify there the localhost networks (both ipv4 and ipv6) .. after
that your ssh root@localhost will work ...

regards, daniel

ps. fully up-to-date 42.2 (13.1.2017)

--
You are receiving this mail because:
You are on the CC list for the bug.
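
An added example, not part of the report and not pam_access code: a simplified Python model of how an access.conf line such as the workaround above is evaluated (first matching rule wins, `EXCEPT` subtracts from the list before it, access is granted when nothing matches), useful for checking a rule offline before it can lock anyone out. The function names are hypothetical, and the model assumes literal user names, `ALL`, one `EXCEPT` per field and IP/network origins only; keywords such as `LOCAL` are rejected rather than guessed at.

```python
import ipaddress

# Simplified model of access.conf evaluation (an assumption, not pam_access code).
# Handles only: literal user names, ALL, one EXCEPT per field, IP/network origins.

def user_matches(token, user):
    return token == "ALL" or token == user

def origin_matches(token, addr):
    if token == "ALL":
        return True
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        # Keywords and host names (LOCAL, localhost, ...) are deliberately not modelled.
        raise ValueError(f"unsupported origin token: {token!r}") from None
    return addr.version == net.version and addr in net

def list_matches(tokens, item, match):
    # "A B EXCEPT C D" matches when A or B matches and neither C nor D does.
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        include, exclude = tokens[:cut], tokens[cut + 1:]
    else:
        include, exclude = tokens, []
    return (any(match(t, item) for t in include)
            and not any(match(t, item) for t in exclude))

def check(rules, user, origin):
    """Return True if the first matching rule grants access (or no rule matches)."""
    addr = ipaddress.ip_address(origin)
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two colons only, so "::1" stays in the origins field.
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_matches(users.split(), user, user_matches)
                and list_matches(origins.split(), addr, origin_matches)):
            return perm == "+"
    return True  # no rule matched: access is granted

# Constructed sample: the workaround line from the report.
RULES = "-:root:ALL EXCEPT 127.0.0.0/8 ::1"

if __name__ == "__main__":
    for who, src in [("root", "127.0.0.1"), ("root", "::1"),
                     ("root", "192.0.2.10"), ("alice", "192.0.2.10")]:
        print(who, src, "allowed" if check(RULES, who, src) else "denied")
```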