On Thu, 21 Sep 2000, Matilainen Panu (NRC/Helsinki) wrote:
> You might want to look at xinetd which will replace inetd in RH7.0. I
> don't have real world experience with it but the feature list seems nice
> regarding access control & others as well. It's at
> http://www.synack.net/xinetd

No, xinetd host access controls are not any better than in tcp_wrappers in
this aspect.

However, I took some code from the last GPL version of SSH; it works fine.

Patch attached.  Comments welcome.

-- 
Pekka Savola                 "Tell me of difficulties surmounted, 
[EMAIL PROTECTED]      not those you stumble over and fall"
diff -uNr tcp_wrappers_7.6/hosts_access.5 tcp_wrappers_7.6.new/hosts_access.5
--- tcp_wrappers_7.6/hosts_access.5     Fri Sep 22 21:29:24 2000
+++ tcp_wrappers_7.6.new/hosts_access.5 Fri Sep 22 21:28:44 2000
@@ -96,6 +96,10 @@
 zero or more lines with zero or more host name or address patterns
 separated by whitespace.  A file name pattern can be used anywhere
 a host name or address pattern can be used.
+.IP \(bu
+Wildcards `*\' and `?\' can be used to match hostnames or IP addresses.  This
+method of matching cannot be used in conjunction with `net/mask\' matching,
+hostname matching beginning with `.\' or IP address matching ending with `.\'.
 .SH WILDCARDS
 The access control language supports explicit wildcards:
 .IP ALL
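Review bot: the new paragraph should also state that wildcard matching takes precedence and that it can be compiled out. In the hosts_access.c change the `*`/`?` test runs before the `.`-prefix, `.`-suffix and net/mask branches, so a token containing either character is only ever tried as a wildcard pattern (which is the real reason the two forms cannot be combined), and the whole feature disappears when tcpd is built with DISABLE_WILDCARD_MATCHING defined. One added sentence along the lines of "A pattern containing `*' or `?' is matched only as a wildcard pattern; this feature is absent if tcpd was compiled with -DDISABLE_WILDCARD_MATCHING." would spare administrators a surprise.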
diff -uNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c
--- tcp_wrappers_7.6/hosts_access.c     Fri Sep 22 21:29:24 2000
+++ tcp_wrappers_7.6.new/hosts_access.c Fri Sep 22 21:18:09 2000
@@ -311,6 +311,11 @@
 {
     int     n;
 
+#ifndef DISABLE_WILDCARD_MATCHING
+    if (strchr(tok, '*') || strchr(tok,'?')) {  /* contains '*' or '?' */
+        return (match_pattern_ylo(string,tok));               
+    } else 
+#endif    
     if (tok[0] == '.') {                       /* suffix */
        n = strlen(string) - strlen(tok);
        return (n > 0 && STR_EQ(tok, string + n));
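Review bot: match_pattern_ylo() is called here but is only defined at the end of the file (next hunk), so this call relies on an implicit declaration; add a prototype such as `static int match_pattern_ylo(const char *s, const char *pattern);` near the top of hosts_access.c, inside the same #ifndef, so that compilers flag any signature mismatch. The `} else` that spans the #endif is fragile as well: because the wildcard branch always returns, the `else` is unnecessary, and closing the block with `}` before the #endif keeps each preprocessor section a complete statement. There is also trailing whitespace on the `return (match_pattern_ylo(...))`, `} else` and `#endif` lines.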
@@ -351,3 +356,71 @@
     }
     return ((addr & mask) == net);
 }
+
+#ifndef DISABLE_WILDCARD_MATCHING
+/* Note: this feature has been adapted in a pretty straightforward way
+   from Tatu Ylonen's last SSH version under GPL license by 
+   Pekka Savola <[EMAIL PROTECTED]>.
+
+   Copyright (c) 1995 Tatu Ylonen <[EMAIL PROTECTED]>, Espoo, Finland
+*/
+
+/* Returns true if the given string matches the pattern (which may contain
+   ? and * as wildcards), and zero if it does not match. */
+         
+int match_pattern_ylo(const char *s, const char *pattern)
+{
+  while (1)
+    {
+      /* If at end of pattern, accept if also at end of string. */
+      if (!*pattern)
+        return !*s;
+
+      /* Process '*'. */
+      if (*pattern == '*')
+        {
+         /* Skip the asterisk. */
+         pattern++;
+
+         /* If at end of pattern, accept immediately. */
+          if (!*pattern)
+            return 1;
+
+         /* If next character in pattern is known, optimize. */
+          if (*pattern != '?' && *pattern != '*')
+            {
+             /* Look instances of the next character in pattern, and try
+                to match starting from those. */
+              for (; *s; s++)
+                if (*s == *pattern &&
+                    match_pattern_ylo(s + 1, pattern + 1))
+                  return 1;
+             /* Failed. */
+              return 0;
+            }
+
+         /* Move ahead one character at a time and try to match at each
+            position. */
+          for (; *s; s++)
+            if (match_pattern_ylo(s, pattern))
+              return 1;
+         /* Failed. */
+          return 0;
+        }
+
+      /* There must be at least one more character in the string.  If we are
+        at the end, fail. */
+      if (!*s)
+        return 0;
+
+      /* Check if the next character of the string is acceptable. */
+      if (*pattern != '?' && *pattern != *s)
+       return 0;
+      
+      /* Move to the next character, both in string and in pattern. */
+      s++;
+      pattern++;
+    }
+  /*NOTREACHED*/
+}
+#endif /* DISABLE_WILDCARD_MATCHING */
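Review bot: the new matcher compares characters with `*pattern != *s`, i.e. byte-for-byte and case-sensitively, whereas the existing suffix and exact comparisons in this file go through STR_EQ, which tcpd.h defines in terms of strcasecmp; a hostname pattern such as `*.example.COM` will therefore behave differently from `.example.COM`. Either compare tolower() of both characters in the `*pattern != *s` and `*s == *pattern` tests, or document the difference in hosts_access.5. Smaller points: the indentation mixes tabs and spaces (compare the "Skip the asterisk" and "If at end of pattern, accept immediately" lines), the closing comment should read `#endif /* !DISABLE_WILDCARD_MATCHING */` to match the `#ifndef`, and since the function recurses on every `*`, a pattern with several `*` wildcards can cost well over linear time per connection; patterns are administrator-supplied so this is bounded, but a comment noting it would help whoever maintains this later.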
