Closed alejandro-colomar closed 3 hours ago
@ikerexxe I'm not sure how much dead code we can remove here. Please check thoroughly.
I'm all for cutting dead ends, but I'll note ax25-tools still passes -h
to login. Maybe that is fine, I don't know.
I'm all for cutting dead ends, but I'll note ax25-tools still passes
-h
to login. Maybe that is fine, I don't know.
Is that project alive? I've tried finding their source code, but:
$ apt-cache show ax25-tools | grep Homepage: | awk '{print $2}' | xargs wget
--2024-06-24 21:52:08-- http://www.linux-ax25.org/wiki/Main_Page
Resolving www.linux-ax25.org (www.linux-ax25.org)... failed: Name or service not known.
wget: unable to resolve host address ‘www.linux-ax25.org’
Then went to https://www.kernel.org/doc/html/latest/networking/ax25.html which has a link to the utils at https://linux-ax25.in-berlin.de/, which is also a dead link.
I'm all for cutting dead ends, but I'll note ax25-tools still passes
-h
to login. Maybe that is fine, I don't know.Is that project alive?
Maybe? It seems to get new versions in Debian every so often
[..] Then went to https://www.kernel.org/doc/html/latest/networking/ax25.html which has a link to the utils at https://linux-ax25.in-berlin.de/, which is also a dead link.
https://linux-ax25.in-berlin.de/cgit/ax25-tools.git/ seems to load, if slowly.
I'm all for cutting dead ends, but I'll note ax25-tools still passes
-h
to login. Maybe that is fine, I don't know.
Can you please point to the specific line of code?
alx@debian:/tmp/tmp/ax25-tools$ grep -rn 'login.*-h'
alx@debian:/tmp/tmp/ax25-tools$
I'm all for cutting dead ends, but I'll note ax25-tools still passes
-h
to login. Maybe that is fine, I don't know.Can you please point to the specific line of code?
Oh! One other minor thing that occurred to me... axspawn
plugs the radio protocol into the hostname field via -h
, and it is conceivable that someone could be matching against that in the pre-PAM login config file; thus, a user might be allowed to login via AX.25 but not via NET/ROM or something like that. With this change, I believe that is no longer possible.
For the record, I do not believe that anyone is actually doing that, but it may be worth noting in the commit.
Oh! One other minor thing that occurred to me...
axspawn
plugs the radio protocol into the hostname field via-h
, and it is conceivable that someone could be matching against that in the pre-PAM login config file; thus, a user might be allowed to login via AX.25 but not via NET/ROM or something like that. With this change, I believe that is no longer possible.For the record, I do not believe that anyone is actually doing that, but it may be worth noting in the commit.
Thanks! Since I don't know much about those protocols, I fear I won't be able to write something clear. Would you mind sending a proposal of text to go to the commit messages (and specify to which commits they apply)? You'll probably write something more useful than I could.
Oh! One other minor thing that occurred to me...
axspawn
plugs the radio protocol into the hostname field via-h
, and it is conceivable that someone could be matching against that in the pre-PAM login config file; thus, a user might be allowed to login via AX.25 but not via NET/ROM or something like that. With this change, I believe that is no longer possible. For the record, I do not believe that anyone is actually doing that, but it may be worth noting in the commit.Thanks! Since I don't know much about those protocols, I fear I won't be able to write something clear. Would you mind sending a proposal of text to go to the commit messages (and specify to which commits they apply)? You'll probably write something more useful than I could.
Maybe something like,
"Note that this change means that comparisons against the hostname in login.access
no longer apply for names other than whatever has been assigned to the local system. For the axspawn
program from the AX.25 suite, this applies to the protocol as well."
Why do these topics always come up when I have zero time to take care of it? Anyway:
Oh! One other minor thing that occurred to me...
axspawn
plugs the radio protocol into the hostname field via-h
, and it is conceivable that someone could be matching against that in the pre-PAM login config file; thus, a user might be allowed to login via AX.25 but not via NET/ROM or something like that. With this change, I believe that is no longer possible.
That was the original intention back then IIRC, but I used to run plain AX.25 only and I honestly don't know who is still using axspawn these days. Back when it was written, cryptographically secured communication of any kind was not allowed to even secure the login process (in Germany at least), and besides, TCP/IP over 1200 bit/s radio connections is a PITA, so SSH was not possible in many cases. Also, automated ham radio stations rarely had access to the Internet back then. Looking at the code today it should probably be rewritten to utilize the PAM stack directly, but I don't have any AX.25 setup operational right now.
The current maintainer of ax25-tools is Thomas DL9SAU (@dl9sau here on Github), if you're dropping the "-h" flag with an argument from login he may want to know about it...
Thanks @woelfisch !
Let's wait for @dl9sau to comment.
The current maintainer of ax25-tools is Thomas DL9SAU (@dl9sau here on Github), if you're dropping the "-h" flag with an argument from login he may want to know about it...
He NAKed the change. I'll close this PR. It seems this feature is still needed by some users.
Revisions:
v1b
- Reviewed-by: @dancrossnyc - Add @dancrossnyc 's comment to the commit message. (v1c
- Rebase ``` $ git range-diff alx/master..gh/telnetd shadow/master..telnetd 1: 55c5a072 = 1: ddabc1e0 src/login.c: Remove support for telnetd in login(1), that is, remove the '-h' flag 2: e3a4c1ec = 2: 43b8d123 src/login.c: The only reason is PW_LOGIN 3: cd4f2cfe = 3: b112ffb6 lib/, src/login.c: hostname is always "" 4: 7e80f6ba = 4: 96754035 src/login_nopam.c: Remove support for innetgr(3) 5: 595c3f3b = 5: 7273d687 src/login_nopam.c: Remove support for network hostnames ```v1d
- Rebase ``` $ git range-diff master..gh/telnetd shadow/master..telnetd 1: ddabc1e0 = 1: 333092e6 src/login.c: Remove support for telnetd in login(1), that is, remove the '-h' flag 2: 43b8d123 = 2: c734b2e2 src/login.c: The only reason is PW_LOGIN 3: b112ffb6 ! 3: d1dbd06b lib/, src/login.c: hostname is always "" @@ lib/utmp.c: prepare_utmp(const char *name, const char *line, const char *host, -- if ( (NULL != host) -- && ('\0' != host[0])) { -- hostname = XMALLOC(strlen(host) + 1, char); -- strcpy (hostname, host); +- if (NULL != host && '\0' != host[0]) +- hostname = xstrdup(host); #if defined(HAVE_STRUCT_UTMPX_UT_HOST) -- } else if ( (NULL != ut) -- && ('\0' != ut->ut_host[0])) { -+ if (NULL != ut && '\0' != ut->ut_host[0]) { - hostname = XMALLOC(NITEMS(ut->ut_host) + 1, char); - ZUSTR2STP(hostname, ut->ut_host); --#endif - } -+#endif +- else if (NULL != ut && '\0' != ut->ut_host[0]) ++ if (NULL != ut && '\0' != ut->ut_host[0]) + hostname = XSTRNDUP(ut->ut_host); + #endif - if (strncmp(line, "/dev/", 5) == 0) { - line += 5; @@ lib/utmp.c: setutmp(struct utmpx *ut) 4: 96754035 = 4: 8a1d3f38 src/login_nopam.c: Remove support for innetgr(3) 5: 7273d687 = 5: 01a474c2 src/login_nopam.c: Remove support for network hostnames ```v1e
- Rebase ``` $ git range-diff master..gh/telnetd shadow/master..telnetd 1: 333092e6 = 1: 1dd08490 src/login.c: Remove support for telnetd in login(1), that is, remove the '-h' flag 2: c734b2e2 = 2: d7cfb4fe src/login.c: The only reason is PW_LOGIN 3: d1dbd06b = 3: 8776c239 lib/, src/login.c: hostname is always "" 4: 8a1d3f38 = 4: 61ba2e8b src/login_nopam.c: Remove support for innetgr(3) 5: 01a474c2 = 5: d1ac2677 src/login_nopam.c: Remove support for network hostnames ```v1f
- Rebase ``` $ git range-diff alx/master..gh/telnetd shadow/master..telnetd 1: 1dd08490 = 1: 3e61cc62 src/login.c: Remove support for telnetd in login(1), that is, remove the '-h' flag 2: d7cfb4fe = 2: 8f267484 src/login.c: The only reason is PW_LOGIN 3: 8776c239 = 3: 36c5b421 lib/, src/login.c: hostname is always "" 4: 61ba2e8b ! 4: 560c86c7 src/login_nopam.c: Remove support for innetgr(3) @@ src/login_nopam.c: static char *myhostname (void) /* user_match - match a username against one token */ static bool user_match (const char *tok, const char *string) @@ src/login_nopam.c: static bool user_match (const char *tok, const char *string) - *at = '\0'; + stpcpy(at, ""); return ( user_match (tok, string) && from_match (at + 1, myhostname ())); -#if HAVE_INNETGR 5: d1ac2677 ! 5: d72ab137 src/login_nopam.c: Remove support for network hostnames @@ src/login_nopam.c -#includev1g
- Rebase ``` $ git range-diff gh/master..gh/telnetd shadow/master..telnetd 1: 3e61cc62 = 1: f1747f09 src/login.c: Remove support for telnetd in login(1), that is, remove the '-h' flag 2: 8f267484 = 2: 5c867dc4 src/login.c: The only reason is PW_LOGIN 3: 36c5b421 = 3: f7eed6e0 lib/, src/login.c: hostname is always "" 4: 560c86c7 = 4: 92a52cfa src/login_nopam.c: Remove support for innetgr(3) 5: d72ab137 = 5: 8c5bb461 src/login_nopam.c: Remove support for network hostnames ```v1h
- Rebase ``` $ git range-diff gh/master..gh/telnetd master..telnetd 1: f1747f09 = 1: 82cf81db src/login.c: Remove support for telnetd in login(1), that is, remove the '-h' flag 2: 5c867dc4 = 2: d00cdd1d src/login.c: The only reason is PW_LOGIN 3: f7eed6e0 = 3: 04eced12 lib/, src/login.c: hostname is always "" 4: 92a52cfa ! 4: a74714bc src/login_nopam.c: Remove support for innetgr(3) @@ src/login_nopam.c: static char *myhostname (void) /* user_match - match a username against one token */ static bool user_match (const char *tok, const char *string) @@ src/login_nopam.c: static bool user_match (const char *tok, const char *string) - stpcpy(at, ""); - return ( user_match (tok, string) - && from_match (at + 1, myhostname ())); + host = stpsep(tok + 1, "@"); /* split user@host pattern */ + if (host != NULL) { + return user_match(tok, string) && from_match(host, myhostname()); -#if HAVE_INNETGR - } else if (tok[0] == '@') { /* netgroup */ - return (netgroup_match (tok + 1, NULL, string)); 5: 8c5bb461 = 5: 58050db0 src/login_nopam.c: Remove support for network hostnames ```v1i
- Rebase ``` $ git range-diff master..gh/telnetd shadow/master..telnetd 1: 82cf81db = 1: afd8af13 src/login.c: Remove support for telnetd in login(1), that is, remove the '-h' flag 2: d00cdd1d = 2: 71215b6d src/login.c: The only reason is PW_LOGIN 3: 04eced12 = 3: 629c244a lib/, src/login.c: hostname is always "" 4: a74714bc = 4: 7a262ad8 src/login_nopam.c: Remove support for innetgr(3) 5: 58050db0 = 5: 4a9e3ce7 src/login_nopam.c: Remove support for network hostnames ```