Hello,
I have just found little bug in OpenSSH's tcp_wrappers handling.
In file sshd.c you can find:
if (!hosts_access(&req)) {
close(sock_in);
close(sock_out);
refuse(&req);
}
If username was not requierd for authorization (for example
you are refusing all connection from specific host) refuse will
return "sshd: refused connect from root at some.host.name".
This happend becouse user name is checked by eval_client()
from refuse() when the connection is allready closed by the:
close(sock_in);
close(sock_out);
Hopefully username and hostname informations are cached so it is easy
to fix it - it is enough to add:
eval_client(&req)
before:
close(sock_in);
close(sock_out);
And now, when sshd.c call refuse(&req) username is known so a proper
user name will be send to system logs.
Best regards,
Krzysztof Oledzki
