White-listing IP-numbers or networks doesn't work
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pam-shield (Debian) | Fix Released | Unknown | | |
| pam-shield (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Ubuntu version: 15.04
Package: libpam-shield, version 0.9.6-1.1
Allow statements in the configuration file (/etc/security/
After trying to connect from my workstation at 172.16.0.52 I'm getting this in auth.log.
```
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: this is version 0.9.6
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: reading config file '/etc/security/
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: logging debug info
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: allowing from localhost
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: allowing from 127.0.0.1/255.0.0.0
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: allowing from 172.16.
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: allowing from 172.16.
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: done reading config file, 0 errors
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: user test
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: remotehost 172.16.0.52
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: missing DNS entry for 172.16.0.52 (allowed)
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: remoteip 172.16.0.52
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: 10 times from 172.16.0.52
May 14 12:52:44 VB-k64-1504 PAM-shield[2978]: running command 'add 172.16.0.52'
May 14 12:52:44 VB-k64-1504 shield-
```
Connecting from a host that has a name seems to work, like connecting from localhost or if I add the 172.16.0.52 machine to /etc/hosts and use the name instead of IP in the config file.
According to the documentation in the default config file, you should be able to use both IP-numbers and network addresses in "allow" statements.
Changed in pam-shield (Debian): status: Unknown → Confirmed
Changed in pam-shield (Debian): status: Confirmed → Fix Released
Hi Jonas--
Thanks for the report. If I recall correctly, "allow_missing_dns no" overrides "allow" entries (despite the "passed through with no checks" in the man page, I probably miswrote there) -- the DNS check comes first. I'll take a look and at the very least update the documentation, but I do think it makes sense to let "allow" skip the DNS checks if it's numeric.
In the meantime, try "allow_missing_dns yes" and "allow_missing_reverse yes" if you feel comfortable with the security/attribution implications.
Note that the chance of upstream changes showing up in Ubuntu is quite low; I finally orphaned the package in Debian since it would take months and, sometimes, years to get a sponsor for the upload.
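The reply above explains the ordering problem: the DNS-dependent check runs before the "allow" entries are consulted, so a numeric allow entry cannot rescue a host with no reverse DNS unless "allow_missing_dns yes" is set. The following Python is an added model of that decision, written for this page; it is not pam-shield's code, and the allow list, the function names (`parse_numeric`, `numeric_allow`, `hostname_allow`, `decide`) and the `numeric_first` switch are assumptions used to compare the recalled 0.9.6 order with the order the maintainer proposes (numeric entries matched on the remote IP before any DNS check).

```python
import ipaddress

# Constructed allow list in the form pam-shield's default config describes
# (hostnames, IP numbers and network addresses). The entries in the report
# are truncated, so these values are assumptions for the example.
ALLOW_ENTRIES = [
    "localhost",
    "127.0.0.1/255.0.0.0",
    "172.16.0.0/255.255.0.0",
    "192.168.1.10",
]


def parse_numeric(entry):
    """Return an ip_network for an IP or network entry, or None for a hostname.

    strict=False accepts entries with host bits set, such as
    "127.0.0.1/255.0.0.0", which the report shows in the config.
    """
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def numeric_allow(entries, remote_ip):
    """True if remote_ip lies inside any numeric allow entry. Needs no DNS."""
    addr = ipaddress.ip_address(remote_ip)
    return any(net is not None and addr in net
               for net in (parse_numeric(e) for e in entries))


def hostname_allow(entries, remote_host):
    """True if the resolved remote hostname equals a hostname allow entry."""
    if remote_host is None:  # no reverse DNS: nothing to compare against
        return False
    return any(parse_numeric(e) is None and e.lower() == remote_host.lower()
               for e in entries)


def decide(entries, remote_ip, remote_host, allow_missing_dns, numeric_first):
    """Model of the check order (an assumption, not pam-shield's own logic).

    numeric_first=False: the DNS-dependent check runs before "allow" is
    consulted, as the maintainer recalls the 0.9.6 behaviour.
    numeric_first=True: numeric allow entries are matched on the remote IP
    before any DNS check, as proposed in the reply.
    Returns "allow" (skip the attempt) or "count" (count it toward the
    lockout threshold).
    """
    if numeric_first and numeric_allow(entries, remote_ip):
        return "allow"
    if remote_host is None and not allow_missing_dns:
        return "count"  # missing DNS entry and the policy does not allow that
    if hostname_allow(entries, remote_host):
        return "allow"
    if not numeric_first and numeric_allow(entries, remote_ip):
        return "allow"
    return "count"


if __name__ == "__main__":
    # The reporter's case: 172.16.0.52 has no reverse DNS entry.
    for numeric_first in (False, True):
        verdict = decide(ALLOW_ENTRIES, "172.16.0.52", None, False, numeric_first)
        print("numeric_first=%s -> %s" % (numeric_first, verdict))
```

With `numeric_first=False` the reporter's workstation is counted even though it sits inside the 172.16.0.0/255.255.0.0 entry, and only flipping `allow_missing_dns` to true (the workaround suggested above) lets it through; with `numeric_first=True` the network entry is honoured without relaxing the DNS policy for every other host.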