Bug 982345 - hosts.allow manual has wrong syntax for ipv6 net/prefixlen
Summary: hosts.allow manual has wrong syntax for ipv6 net/prefixlen
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: tcp_wrappers
Version: 19
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-08 18:36 UTC by John Heidemann
Modified: 2014-05-20 05:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-20 05:53:33 UTC


Attachments (Terms of Use)
correct manual page (deleted)
2013-07-08 18:36 UTC, John Heidemann

Description John Heidemann 2013-07-08 18:36:16 UTC
Description of problem:

hosts.allow(5) says 
  An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
  `[net/prefixlen]\' pair.
but the syntax that works is
  [n:n:n:n:n:n:n:n]/m
with the ] before the /

(The [n/m] syntax is SILENTLY IGNORED.)

Version-Release number of selected component (if applicable):
tcp_wrappers-libs-7.6-73.fc19.x86_64

but the problem also exists under Fedora 18 (and maybe earlier).
(The man page is correct in RHEL 6.4)

How reproducible:
Every time.

Steps to Reproduce:
1. put sshd: [2001::/16] in /etc/hosts.allow
2. ssh to your box from something with a 2001: IPv6 address
3. be sad when it fails to let you in
4. change to sshd: [2001::]/16
5. rejoice because you and the 50 other IPv6 users can now get in

Actual results:
hosts.allow blocks access if you follow the manual.

Expected results:
following the manual should work.

Additional info:
Patch to the manual page is attached.

Comment 1 John Heidemann 2013-07-08 18:36:49 UTC
Created attachment 770610 [details]
correct manual page

Comment 2 Petr Lautrbach 2013-07-09 15:43:10 UTC
I can't reproduce this, both expressions work for me:

# echo '' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
ssh_exchange_identification: Connection closed by remote host

# echo 'sshd: [2620::]/16' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
IPv6 addr/mask: 2620::/16
Last login: Tue Jul  9 17:33:39 2013 from rawhide-devel.virt
# logout
Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.

# echo 'sshd: [2620::/16]' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
IPv6 addr/mask: 2620::/16
Last login: Tue Jul  9 17:36:01 2013 from rawhide-devel.virt
# logout
Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.

# rpm -q tcp_wrappers
tcp_wrappers-7.6-73.fc19.x86_64

Comment 3 John Heidemann 2013-07-10 03:48:02 UTC
Hmmm... it Still Doesn't Work For Me.
But a correction to my bug report:
I can reproduce the failure consistently with F18 on both client and server, not F19:
tcp_wrappers-7.6-70.fc18.x86_64

It looks like your reproduction was done all on one box.
My test case is between two different boxes.
Is it possible you're getting some kind of short-circuit to localhost6?

Specific test case on the server (at 2001:4:5:6::7) is:
# works with next line uncommented
sshd: [2001:1:2:3::]/64
# fails if above line is commented and next line is left in
sshd: [2001:1:2:3::/64]

and login attempts from 2001:1:2:3::4 as
ssh 2001:4:5:6::7 date

(not the actual addresses)

Maybe both are supported in F19?  (Fix between -70 and 73?)

Comment 4 Petr Lautrbach 2013-07-10 06:49:18 UTC
You're right, there's a change in the parser between F18 and F19. But, the hosts_access (5) man page on F18 says:

# zgrep -A 6 'An expression of the form `\[n:n:n' /usr/share/man/man5/hosts_access.5.gz
An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
`[net]/prefixlen\' pair. An IPv6 host address is matched if
`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
address. For example, the [net]/prefixlen pattern
`[3ffe:505:2:1::]/64\' matches every address in the range
`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
.IP \(bu


# rpm -qf /usr/share/man/man5/hosts_access.5.gz 
tcp_wrappers-libs-7.6-70.fc18.x86_64


This is correct, and it works as expected. Is it possible that you have some local changes? Try

# rpm -V tcp_wrappers-libs

Comment 5 John Heidemann 2013-07-10 14:36:48 UTC
Wow, this is crazy.  You say the parser is changing and now supports both.  Apparently the man page, too, has changed.

On a current F18 box:
f18> zcat /usr/share/man/man5/hosts_access.5.gz |grep 'n:n'
An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
f18> rpm -qf /usr/share/man/man5/hosts_access.5.gz
tcp_wrappers-libs-7.6-70.fc18.x86_64


On a F19 box:
f19> zcat /usr/share/man/man5/hosts_access.5.gz |grep n:n
An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
f19> rpm -qf /usr/share/man/man5/hosts_access.5.gz 
tcp_wrappers-libs-7.6-73.fc19.x86_64
tcp_wrappers-libs-7.6-73.fc19.i686

rpm -V tcp_wrappers-libs produces no output on both boxes

IMHO the man page should track what works in both cases
(that is [n:n:n:n:n:n:n:n/m])
but one could also argue we should just track upstream.
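The thread above turns on two details of hosts_access(5) that are easy to get wrong: which IPv6 `net/prefixlen` spellings a given tcp_wrappers build accepts (`[n:n:n:n:n:n:n:n]/m` everywhere, `[n:n:n:n:n:n:n:n/m]` only in the newer parser), and the fact that an unparseable pattern is not an error but a non-match, so with `ALL: ALL` in hosts.deny it locks the intended clients out. The following is an added example, not code from tcp_wrappers or from anyone in this report. It models the two parser generations side by side, evaluates the reporter's illustrative rules from Comment 3 (addresses there are stated not to be real ones, and are used here as constructed input), and includes a small lint that reports patterns the older parser would silently ignore. Only the `ALL` keyword and bracketed IPv6 patterns are modelled; IPv4, hostname and option syntax are left out.

```python
"""Model of hosts_access(5) IPv6 pattern matching across two tcp_wrappers parsers.

Added example, not tcp_wrappers code. Two parser behaviours are modelled:
  strict  : accepts only `[net]/prefixlen` (what the 7.6-70.fc18 man page documents)
  lenient : additionally accepts `[net/prefixlen]` (what the 7.6-73.fc19 man page documents)
A pattern the parser does not understand matches nothing; combined with a deny-all
hosts.deny, that refuses clients the administrator meant to allow.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed rule sets (the addresses follow Comment 3, which says they are not real).
DENY_ALL = "ALL: ALL\n"
ALLOW_BRACKET_FIRST = "sshd: [2001:1:2:3::]/64\n"    # works on both parsers
ALLOW_PREFIX_INSIDE = "sshd: [2001:1:2:3::/64]\n"    # works only on the lenient parser

_STRICT = re.compile(r"\[([0-9A-Fa-f:.]+)\](?:/(\d{1,3}))?")
_INSIDE = re.compile(r"\[([0-9A-Fa-f:.]+)/(\d{1,3})\]")


def parse_v6_pattern(pattern: str, lenient: bool) -> Optional[ipaddress.IPv6Network]:
    """Return the network a bracketed pattern denotes, or None when this parser
    cannot interpret it (tcp_wrappers then treats the pattern as a non-match)."""
    m = _STRICT.fullmatch(pattern)
    if m is None and lenient:
        m = _INSIDE.fullmatch(pattern)
    if m is None:
        return None
    net, plen = m.group(1), m.group(2) or "128"
    try:
        return ipaddress.IPv6Network(f"{net}/{plen}", strict=False)
    except ValueError:      # bad address text or prefixlen > 128
        return None


def pattern_matches(pattern: str, client: str, lenient: bool) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("["):
        net = parse_v6_pattern(pattern, lenient)
        return net is not None and ipaddress.IPv6Address(client) in net
    return False            # IPv4/hostname patterns are outside this example


def rules(text: str) -> List[str]:
    """Strip comments and blank lines from hosts.allow/hosts.deny text."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def rule_matches(line: str, daemon: str, client: str, lenient: bool) -> bool:
    daemons, _, clients = line.partition(":")   # first colon separates the lists
    if daemon not in re.split(r"[,\s]+", daemons.strip()) and "ALL" not in daemons:
        return False
    return any(pattern_matches(p, client, lenient)
               for p in re.split(r"[,\s]+", clients.strip()))


def hosts_access(allow: str, deny: str, daemon: str, client: str, lenient: bool) -> bool:
    """hosts_access(5) order: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise access is granted."""
    if any(rule_matches(l, daemon, client, lenient) for l in rules(allow)):
        return True
    if any(rule_matches(l, daemon, client, lenient) for l in rules(deny)):
        return False
    return True


def silently_ignored(allow: str) -> List[str]:
    """Patterns the strict parser rejects but the lenient one accepts: on an
    older tcp_wrappers these rules match nobody and never raise an error."""
    found = []
    for line in rules(allow):
        _, _, clients = line.partition(":")
        for pat in re.split(r"[,\s]+", clients.strip()):
            if (pat.startswith("[") and parse_v6_pattern(pat, False) is None
                    and parse_v6_pattern(pat, True) is not None):
                found.append(pat)
    return found


if __name__ == "__main__":
    client = "2001:1:2:3::4"
    for label, allow in (("[net]/m", ALLOW_BRACKET_FIRST), ("[net/m]", ALLOW_PREFIX_INSIDE)):
        for lenient in (False, True):
            ok = hosts_access(allow, DENY_ALL, "sshd", client, lenient)
            print(f"{label:9} parser={'lenient' if lenient else 'strict '} -> {'allow' if ok else 'deny'}")
    print("silently ignored on the strict parser:", silently_ignored(ALLOW_PREFIX_INSIDE))
```

On a real host the equivalent check is `tcpdmatch sshd <client-address>` from the tcp_wrappers package, which evaluates the installed hosts.allow and hosts.deny with the parser actually in use; running it before deploying a new rule set is cheaper than finding out from a locked-out user.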

Comment 6 John Heidemann 2014-05-20 05:53:33 UTC
closed out as fixed in F20

