On Wed, Apr 09, Petr Pisar wrote:
> Hello,
>
> I'm very glad for IPv6 support in pam_access. However, I met a problem:
> the line
>
> -:user:ALL EXCEPT LOCAL
>
> allows logging in via the IPv6 protocol (PAM_RHOST is something like
> 2001:abcd::1).
>
> According to the manual page, the LOCAL keyword matches all tokens without
> a '.' (dot) character. The motivation is clear: domain names and IPv4
> addresses contain a dot, so local logins (from the console or a local X11
> display) can be matched. Accidentally, the "new" IP protocol has addresses
> without dots. So, rigid semantics and human interpretation don't align.
>
> Thus, I ask: should we change the dot rule, or should we add remarks about
> it to the documentation?

The problem is that the LOCAL keyword does not work in even more cases.

Currently my suggestion would be to change the code in the following way:
if PAM_RHOST is set, we are always remote and deny access; else we are
always local.

This would still allow remote connections in some circumstances, but not
more than before. And it would solve the problems where local hostnames
without a domain are used.

But this change would be done only with Linux-PAM 1.1.

  Thorsten

--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
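The two classification rules discussed in this thread, side by side, as an added illustration that is not pam_access source code: `local_by_dot_rule` applies the manual's "a token without a '.' is LOCAL" test to the PAM_RHOST value as Petr describes it, and `local_by_rhost_set_rule` applies Thorsten's proposal that any set PAM_RHOST means remote. The function names and the sample hosts other than `2001:abcd::1` (the `192.0.2.10`, `host.example.com` and `shorthost` values) are constructed for the example. Run against the `-:user:ALL EXCEPT LOCAL` line, the dot rule grants access to the IPv6 origin and to a dotless short hostname, which is the gap both messages point at; the PAM_RHOST rule denies both while still treating a console login (no PAM_RHOST) as LOCAL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not pam_access code): the documented LOCAL rule,
 * "a token without a '.' (dot) is LOCAL", applied to PAM_RHOST. An unset
 * or empty PAM_RHOST (console, local X11 display) is LOCAL as well. */
bool local_by_dot_rule(const char *rhost)
{
    if (rhost == NULL || *rhost == '\0')
        return true;
    return strchr(rhost, '.') == NULL;  /* IPv6 and bare hostnames pass here */
}

/* Thorsten's proposed rule: the origin is LOCAL only when PAM_RHOST is not
 * set at all; any value, dotted or not, means remote. */
bool local_by_rhost_set_rule(const char *rhost)
{
    return rhost == NULL || *rhost == '\0';
}

/* Evaluate the access.conf line "-:user:ALL EXCEPT LOCAL" for one origin:
 * the deny rule matches every origin except LOCAL, so access is granted
 * exactly when the chosen classifier calls the origin LOCAL. */
bool all_except_local_allows(const char *rhost, bool (*is_local)(const char *))
{
    return is_local(rhost);
}

int main(void)
{
    /* Constructed sample origins; NULL stands for an unset PAM_RHOST. */
    const char *origins[] = { NULL, "2001:abcd::1", "192.0.2.10",
                              "host.example.com", "shorthost" };
    size_t n = sizeof origins / sizeof origins[0];

    printf("%-18s %-10s %-12s\n", "PAM_RHOST", "dot rule", "rhost-set rule");
    for (size_t i = 0; i < n; i++) {
        const char *label = origins[i] ? origins[i] : "(unset)";
        printf("%-18s %-10s %-12s\n", label,
               all_except_local_allows(origins[i], local_by_dot_rule) ? "allow" : "deny",
               all_except_local_allows(origins[i], local_by_rhost_set_rule) ? "allow" : "deny");
    }
    return 0;
}
```

The table makes the trade-off Thorsten describes visible: the rhost-set rule never grants more than the dot rule did, and it closes both the IPv6 case and the undotted-hostname case, at the cost of classifying every origin that carries any PAM_RHOST value as remote.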