Class-imposed login restrictions (simplified) #262

Open

yuichiro-naito commented Jun 28, 2021

If the following functions are available, add an additional check of whether users are allowed to log in, as imposed by the login class.

  • auth_hostok(3)
  • auth_timeok(3)

These functions are implemented on FreeBSD.

After I got the advice in #261,
I changed my patch not to leak any information, including behaviors, when authentication fails.

@yuichiro-naito
Author

I updated my patch not to log a message when authentication fails.
I reconsidered so as not to leak any information about authentication failure.
If syslog is sent over the network, it is possible to detect the reason by watching the packets.
So I changed the log message to debug.

Please review my code for merging.
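
One way to write the check discussed above, added here as an example and not the code from this pull request: the login class is consulted through auth_hostok(3) and auth_timeok(3) where they exist (FreeBSD; elsewhere the check compiles out), the specific reason goes only into a debug-level message, and every denial returns the same result. The names `class_restriction`, `user_allowed` and `deny_reason`, the debug message format, and failing closed when the class lookup fails are assumptions of this example.

```c
/* Added example; names and message format are hypothetical. */
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef __FreeBSD__
#include <login_cap.h>	/* auth_hostok(3), auth_timeok(3); link with -lutil */
#endif

enum deny_reason { DENY_NONE = 0, DENY_HOST, DENY_TIME, DENY_NOCLASS };

/* Ask the login class whether this user may log in from host/ip at time now.
 * Where the functions are unavailable the check is compiled out. */
enum deny_reason
class_restriction(const struct passwd *pw, const char *host, const char *ip,
    time_t now)
{
#ifdef __FreeBSD__
	login_cap_t *lc = login_getpwclass(pw);
	enum deny_reason r = DENY_NONE;

	if (lc == NULL)
		return DENY_NOCLASS;	/* assumption: fail closed */
	if (!auth_hostok(lc, host, ip))
		r = DENY_HOST;
	else if (!auth_timeok(lc, now))
		r = DENY_TIME;
	login_close(lc);
	return r;
#else
	(void)pw; (void)host; (void)ip; (void)now;
	return DENY_NONE;
#endif
}

/* The specific reason is written only to dbg, meant for a debug-level log.
 * The return value, all the caller acts on, is the same for every denial. */
int
user_allowed(enum deny_reason r, const char *user, char *dbg, size_t dbglen)
{
	static const char *why[] = { "", "host", "time", "class lookup" };

	dbg[0] = '\0';
	if (r == DENY_NONE)
		return 1;
	snprintf(dbg, dbglen, "debug: user %s denied by login class (%s)",
	    user, why[r]);
	return 0;
}
```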

emaste commented Aug 31, 2021

I'd suggest squashing the two commits into one.

I've mentioned this pull request on the openssh mailing list, and am preparing to update FreeBSD's base system OpenSSH w/ this patch.

emaste commented Aug 31, 2021

Review to apply this change to (the older) OpenSSH in the FreeBSD base system: https://reviews.freebsd.org/D31760

yuichiro-naito force-pushed the class_imposed_login_restrictions_attempt_2 branch from 2b4adf5 to 974a048, September 1, 2021 01:20
@yuichiro-naito
Author

Thanks for the comment.
I squashed my commits into one and force pushed.

freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request Sep 1, 2021
Login class-based restrictions were introduced in 5b400a3.  The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a, bd393de, and
e8c56fb.

During an attempt to upstream the work a much simpler approach was
suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.

Submitted by:	Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from:	openssh/openssh-portable#262
Reviewed by:	allanjude, kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D31760
emaste commented Sep 1, 2021

Now committed to FreeBSD base system: https://reviews.freebsd.org/R10:27ceebbc2402e4c98203c7eef9696f4bd3d326f8

emaste added a commit to emaste/freebsd that referenced this pull request Sep 15, 2021
(cherry picked from commit 27ceebb)
emaste added a commit to emaste/freebsd that referenced this pull request Sep 15, 2021
(cherry picked from commit 27ceebb)
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request Sep 15, 2021
(cherry picked from commit 27ceebb)
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request Sep 15, 2021
(cherry picked from commit 27ceebb)
bsdjhb pushed a commit to bsdjhb/cheribsd that referenced this pull request Dec 29, 2021