On 26.01.2017 16:40, Josef Moellers wrote:
> Hi,
> The following specification in access.conf does not work as expected:
> -:username:ALL EXCEPT localhost
> The manual page access.conf.5 claims that the third field may contain
> host names, but the code only checks for numerical IP addresses by
> calling inet_pton().
> Is this desired behavior or am I missing something.
> I'm willing to write a patch.

I suspect that "tok" and "string" need to be swapped in the second half of network_netmask_match():

Index: modules/pam_access/pam_access.c
===================================================================
--- modules/pam_access/pam_access.c.orig
+++ modules/pam_access/pam_access.c
@@ -742,12 +742,12 @@ network_netmask_match (pam_handle_t *pam
 }
 else
 /* NO, then check if it is only an addr */
- if (isipaddr(tok, NULL, NULL) != YES)
+ if (isipaddr(string, NULL, NULL) != YES)
 {
 return NO;
 }
 
- if (isipaddr(string, NULL, NULL) != YES)
+ if (isipaddr(tok, NULL, NULL) != YES)
 {
 /* Assume network/netmask with a name of a host. */
 struct addrinfo hint;
@@ -759,7 +759,7 @@ network_netmask_match (pam_handle_t *pam
 if (item->gai_rv != 0)
 return NO;
 else if (!item->res &&
- (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
+ (item->gai_rv = getaddrinfo (tok, NULL, &hint, &item->res)) != 0)
 return NO;
 else
 {
@@ -775,7 +775,7 @@ network_netmask_match (pam_handle_t *pam
 : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
 buf, sizeof (buf));
 
- if (are_addresses_equal(buf, tok, netmask_ptr))
+ if (are_addresses_equal(buf, string, netmask_ptr))
 {
 return YES;
 }

Josef
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
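Review bot: In the second hunk the lookup result is still stored in and reused from `item->res` / `item->gai_rv`, although the name being resolved is now `tok` instead of `string`. If `item` lives longer than one token (it is passed in from outside the hunk, so this is inferred), the `!item->res` guard would reuse the first host-name token's addresses for every later token, and one failed lookup would make every later host-name token return NO, so an access.conf rule could be evaluated against the wrong host's addresses. Resolving into a local would avoid that: `struct addrinfo *res = NULL;`, `if (getaddrinfo (tok, NULL, &hint, &res) != 0) return NO;`, and `freeaddrinfo (res);` on each exit from the loop. The function body starts before the first hunk and continues past the last one, so the loop and the final comparison are not visible here.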