Class-imposed login restrictions (simplified) #262
I updated my patch not to log a message when authentication fails. Please review my code for merging.
I'd suggest squashing the two commits into one. I've mentioned this pull request on the openssh mailing list, and am preparing to update FreeBSD's base system OpenSSH w/ this patch.
Review to apply this change to (the older) OpenSSH in the FreeBSD base system: https://reviews.freebsd.org/D31760
If the following functions are available, add an additional check if users are allowed to login imposed by login class.
* auth_hostok(3)
* auth_timeok(3)
These functions are implemented on FreeBSD.
2b4adf5 to 974a048
Thanks for the comment.
Login class-based restrictions were introduced in 5b400a3. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a, bd393de, and e8c56fb.

During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates.

Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: openssh/openssh-portable#262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760
Now committed to FreeBSD base system: https://reviews.freebsd.org/R10:27ceebbc2402e4c98203c7eef9696f4bd3d326f8
Login class-based restrictions were introduced in 5b400a3. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a, bd393de, and e8c56fb.

During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates.

Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: openssh/openssh-portable#262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760
(cherry picked from commit 27ceebb)
If the following functions are available, add an additional check if users are allowed to login imposed by login class.
These functions are implemented on FreeBSD.
After I got the advice in #261, I changed my patch not to leak any information, including behavior, when authentication fails.
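A portable model of the decision that auth_hostok(3) makes from a login class's host.allow and host.deny lists, added here as an illustration; it is not code from this pull request or from FreeBSD's libutil. The names model_hostok and in_list and the sample lists are hypothetical, and the addresses are constructed from documentation ranges.

```c
/* Added example: models the host.allow / host.deny decision with fnmatch(3).
 * Not the PR's code; function names and sample lists are hypothetical. */
#include <fnmatch.h>
#include <stddef.h>

#ifdef FNM_CASEFOLD
#define MATCH_FLAGS FNM_CASEFOLD  /* case-insensitive where the libc offers it */
#else
#define MATCH_FLAGS 0             /* strict POSIX build: case-sensitive */
#endif

/* Return 1 if s matches any glob pattern in the NULL-terminated list. */
static int in_list(const char *const *list, const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *list != NULL; list++)
        if (fnmatch(*list, s, MATCH_FLAGS) == 0)
            return 1;
    return 0;
}

/* allow / deny are NULL when the login class does not set that capability.
 * Returns 1 when the login may proceed, 0 when the class refuses it. */
int model_hostok(const char *const *allow, const char *const *deny,
                 const char *host, const char *ip)
{
    if ((host == NULL || *host == '\0') && (ip == NULL || *ip == '\0'))
        return 1;  /* nothing to compare against: default is ok */
    if (allow != NULL && !in_list(allow, host) && !in_list(allow, ip))
        return 0;  /* an allow list exists and neither name nor IP is on it */
    if (deny != NULL && (in_list(deny, host) || in_list(deny, ip)))
        return 0;  /* deny list matched, even if the allow list also matched */
    return 1;
}

/* Constructed sample lists. */
const char *const sample_allow[] = { "192.0.2.*", "*.example.org", NULL };
const char *const sample_deny[]  = { "203.0.113.*", NULL };

int main(void)
{
    /* Exit status 0 when the constructed allow-listed host is accepted. */
    return model_hostok(sample_allow, sample_deny,
                        "gw.example.org", "192.0.2.10") ? 0 : 1;
}
```

A caller that follows the approach described in this pull request would treat a 0 result like any other authentication failure, with no distinct message to the client.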