Index: openssh/ChangeLog
diff -u openssh/ChangeLog:1.2648.2.1 openssh/ChangeLog:1.2765 (edited)
--- openssh/ChangeLog:1.2648.2.1 Tue Apr 29 11:12:07 2003
+++ openssh/ChangeLog Tue Jun 3 02:25:48 2003
@@ -1,3 +1,16 @@
+20030603
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2003/06/02 09:17:34
+ [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
+ [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
+ [sshd_config.5]
+ deprecate VerifyReverseMapping since it's dangerous if combined
+ with IP based access control as noted by Mike Harding; replace with
+ a UseDNS option, UseDNS is on by default and includes the
+ VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
+ ok deraadt@, djm@
+ - (djm) Fix portable-specific uses of verify_reverse_mapping too
+
20030429
- (djm) Add back radix.o (used by AFS support), after it went missing from
Makefile many moons ago
@@ -1303,3 +1316,4 @@
ok provos@
$Id: ChangeLog,v 1.2648.2.1 2003/04/29 09:12:07 djm Exp $
+$Id: ChangeLog,v 1.2765 2003/06/03 00:25:48 djm Exp $ (last change only)
Index: openssh/auth-options.c
diff -u openssh/auth-options.c:1.24 openssh/auth-options.c:1.26
--- openssh/auth-options.c:1.24 Wed Apr 9 12:59:48 2003
+++ openssh/auth-options.c Tue Jun 3 02:25:48 2003
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.26 2002/07/30 17:03:55 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
#include "xmalloc.h"
#include "match.h"
@@ -173,7 +173,7 @@
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname(
- options.verify_reverse_mapping);
+ options.use_dns);
char *patterns = xmalloc(strlen(opts) + 1);
opts += strlen(cp);
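Review bot: `remote_host` now comes from `get_canonical_hostname(options.use_dns)`, and the canohost.c hunk in this diff returns the numeric address whenever `use_dns` is zero, whereas the old `verify_reverse_mapping` of zero still returned the resolved name. Any `from=` pattern written as a hostname therefore stops matching once UseDNS is set to no, and that change in meaning is not called out anywhere in the diff. A comment at this call would make it visible: `/* with UseDNS off remote_host is the IP address, so hostname patterns in from= cannot match */`. The enclosing function starts and ends outside the hunk; the matching that consumes remote_host is presumably below it.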
Index: openssh/auth-rh-rsa.c
diff -u openssh/auth-rh-rsa.c:1.31 openssh/auth-rh-rsa.c:1.33
--- openssh/auth-rh-rsa.c:1.31 Wed Apr 9 12:59:48 2003
+++ openssh/auth-rh-rsa.c Tue Jun 3 02:25:48 2003
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.34 2002/03/25 09:25:06 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");
#include "packet.h"
#include "uidswap.h"
@@ -63,7 +63,7 @@
client_host_key->rsa == NULL)
return 0;
- chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
+ chost = (char *)get_canonical_hostname(options.use_dns);
debug("Rhosts RSA authentication: canonical host %.900s", chost);
if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
Index: openssh/auth-rhosts.c
diff -u openssh/auth-rhosts.c:1.25 openssh/auth-rhosts.c:1.26
--- openssh/auth-rhosts.c:1.25 Sun May 18 12:53:10 2003
+++ openssh/auth-rhosts.c Tue Jun 3 02:25:48 2003
@@ -156,7 +156,7 @@
{
const char *hostname, *ipaddr;
- hostname = get_canonical_hostname(options.verify_reverse_mapping);
+ hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
return auth_rhosts2(pw, client_user, hostname, ipaddr);
}
Index: openssh/auth.c
diff -u openssh/auth.c:1.72 openssh/auth.c:1.73
--- openssh/auth.c:1.72 Wed May 14 07:11:48 2003
+++ openssh/auth.c Tue Jun 3 02:25:48 2003
@@ -141,7 +141,7 @@
}
if (options.num_deny_users > 0 || options.num_allow_users > 0) {
- hostname = get_canonical_hostname(options.verify_reverse_mapping);
+ hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
}
Index: openssh/auth2-hostbased.c
diff -u openssh/auth2-hostbased.c:1.3 openssh/auth2-hostbased.c:1.4
--- openssh/auth2-hostbased.c:1.3 Wed May 14 05:40:07 2003
+++ openssh/auth2-hostbased.c Tue Jun 3 02:25:48 2003
@@ -136,7 +136,7 @@
HostStatus host_status;
int len;
- resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
+ resolvedname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
Index: openssh/auth-passwd.c
diff -u openssh/auth-passwd.c:1.53 openssh/auth-passwd.c:1.54
--- openssh/auth-passwd.c:1.53 Sat May 10 11:28:02 2003
+++ openssh/auth-passwd.c Tue Jun 3 02:25:48 2003
@@ -144,22 +144,24 @@
HANDLE hToken = cygwin_logon_user(pw, password);
if (hToken == INVALID_HANDLE_VALUE)
- return 0;
+ return (0);
cygwin_set_impersonation_token(hToken);
- return 1;
+ return (1);
}
# endif
# ifdef WITH_AIXAUTHENTICATE
authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
- if (authsuccess)
+ if (authsuccess) {
/* We don't have a pty yet, so just label the line as "ssh" */
if (loginsuccess(authctxt->user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh", &aixloginmsg) < 0)
- aixloginmsg = NULL;
+ get_canonical_hostname(options.use_dns),
+ "ssh", &aixloginmsg) < 0) {
+ aixloginmsg = NULL;
+ }
+ }
- return(authsuccess);
+ return (authsuccess);
# endif
# ifdef KRB4
if (options.kerberos_authentication == 1) {
Index: openssh/auth-pam.c
diff -u openssh/auth-pam.c:1.63 openssh/auth-pam.c:1.64 (edited)
--- openssh/auth-pam.c:1.63 Mon Jun 2 03:04:39 2003
+++ openssh/auth-pam.c Tue Jun 3 02:25:48 2003
@@ -381,3 +381,3 @@
- rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
+ rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
debug("PAM setting rhost to \"%.200s\"", rhost);
Index: openssh/canohost.c
diff -u openssh/canohost.c:1.34 openssh/canohost.c:1.38 (edited)
--- openssh/canohost.c:1.34 Wed Apr 9 12:59:48 2003
+++ openssh/canohost.c Thu Jun 5 01:52:42 2003
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.35 2002/11/26 02:38:54 stevesk Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -27,7 +27,7 @@
*/
static char *
-get_remote_hostname(int socket, int verify_reverse_mapping)
+get_remote_hostname(int socket, int use_dns)
{
struct sockaddr_storage from;
int i;
@@ -72,6 +72,9 @@
NULL, 0, NI_NUMERICHOST) != 0)
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
+ if (!use_dns)
+ return xstrdup(ntop);
+
if (from.ss_family == AF_INET)
check_ip_options(socket, ntop);
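Review bot: The new `if (!use_dns) return xstrdup(ntop);` sits above the `check_ip_options(socket, ntop)` call for AF_INET, so setting UseDNS to no now also skips that check, which from its name and arguments concerns the connection's IP options rather than name resolution. Nothing in the UseDNS description added in this diff ties the option to IP-options handling, so this looks like an unintended loss of a check when DNS is disabled. Moving the early return below the `if (from.ss_family == AF_INET) check_ip_options(socket, ntop);` block keeps that check unconditional while still skipping the reverse lookup. get_remote_hostname's body starts and ends outside this hunk.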
@@ -80,14 +83,24 @@
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
-#if 0
- log("Could not reverse map address %.100s.", ntop);
-#endif
return xstrdup(ntop);
}
- /* Got host name. */
- name[sizeof(name) - 1] = '\0';
+ /*
+ * if reverse lookup result looks like a numeric hostname,
+ * someone is trying to trick us by PTR record like following:
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ if (getaddrinfo(name, "0", &hints, &ai) == 0) {
+ log("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return xstrdup(ntop);
+ }
+
/*
* Convert it to all lowercase (which is expected by the rest
* of this software).
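Review bot: Removing the `#if 0` block leaves the reverse-lookup failure path in this hunk completely silent: the function just returns `xstrdup(ntop)`, so a host whose PTR lookup fails is logged identically to one that resolved, while the spoofed-PTR case a few lines below does get a log line. With UseDNS now on by default, a quiet fallback to the address makes DNS outages and deliberately absent PTR records indistinguishable from a healthy lookup in the audit trail. A `debug("Could not reverse map address %.100s.", ntop);` before the return would restore that signal without the noise the old `log()` was presumably disabled for. The enclosing function continues outside this hunk.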
@@ -95,9 +108,6 @@
for (i = 0; name[i]; i++)
if (isupper(name[i]))
name[i] = tolower(name[i]);
-
- if (!verify_reverse_mapping)
- return xstrdup(name);
/*
* Map it back to an IP address and check that the given
* address actually is an address of this host. This is
@@ -180,14 +190,14 @@
*/
const char *
-get_canonical_hostname(int verify_reverse_mapping)
+get_canonical_hostname(int use_dns)
{
static char *canonical_host_name = NULL;
- static int verify_reverse_mapping_done = 0;
+ static int use_dns_done = 0;
/* Check if we have previously retrieved name with same option. */
if (canonical_host_name != NULL) {
- if (verify_reverse_mapping_done != verify_reverse_mapping)
+ if (use_dns_done != use_dns)
xfree(canonical_host_name);
else
return canonical_host_name;
@@ -196,11 +206,11 @@
/* Get the real hostname if socket; otherwise return UNKNOWN. */
if (packet_connection_is_on_socket())
canonical_host_name = get_remote_hostname(
- packet_get_connection_in(), verify_reverse_mapping);
+ packet_get_connection_in(), use_dns);
else
canonical_host_name = xstrdup("UNKNOWN");
- verify_reverse_mapping_done = verify_reverse_mapping;
+ use_dns_done = use_dns;
return canonical_host_name;
}
@@ -294,11 +304,11 @@
}
const char *
-get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
+get_remote_name_or_ip(u_int utmp_len, int use_dns)
{
static const char *remote = "";
if (utmp_len > 0)
- remote = get_canonical_hostname(verify_reverse_mapping);
+ remote = get_canonical_hostname(use_dns);
if (utmp_len == 0 || strlen(remote) > utmp_len)
remote = get_remote_ipaddr();
return remote;
Index: openssh/monitor.c
diff -u openssh/monitor.c:1.47 openssh/monitor.c:1.48
--- openssh/monitor.c:1.47 Sun May 25 06:38:33 2003
+++ openssh/monitor.c Tue Jun 3 02:25:48 2003
@@ -1157,7 +1157,7 @@
}
/* Record that there was a login on that tty from the remote host. */
record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
- get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+ get_remote_name_or_ip(utmp_len, options.use_dns),
(struct sockaddr *)&from, fromlen);
}
Index: openssh/servconf.c
diff -u openssh/servconf.c:1.106 openssh/servconf.c:1.107
--- openssh/servconf.c:1.106 Fri May 16 03:42:35 2003
+++ openssh/servconf.c Tue Jun 3 02:25:48 2003
@@ -116,7 +116,7 @@
options->max_startups_rate = -1;
options->max_startups = -1;
options->banner = NULL;
- options->verify_reverse_mapping = -1;
+ options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
@@ -232,8 +232,8 @@
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
- if (options->verify_reverse_mapping == -1)
- options->verify_reverse_mapping = 0;
+ if (options->use_dns == -1)
+ options->use_dns = 1;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
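Review bot: `use_dns` defaults to 1 here while the keyword table hunk later in this file maps `verifyreversemapping` and `reversemappingcheck` to `sDeprecated`, so an existing configuration with `VerifyReverseMapping no` (the old default) now gets a reverse lookup plus the map-back check unless the administrator discovers `UseDNS no`. How `sDeprecated` is reported is outside this diff, so whether that migration is at least logged cannot be judged here. A one-line comment next to the default would help the next reader: `/* UseDNS yes = reverse lookup plus map-back check; VerifyReverseMapping is now only a deprecated keyword */`.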
@@ -282,7 +282,7 @@
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
- sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
+ sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sUsePrivilegeSeparation,
@@ -366,8 +366,9 @@
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
{ "banner", sBanner },
- { "verifyreversemapping", sVerifyReverseMapping },
- { "reversemappingcheck", sVerifyReverseMapping },
+ { "usedns", sUseDNS },
+ { "verifyreversemapping", sDeprecated },
+ { "reversemappingcheck", sDeprecated },
{ "clientaliveinterval", sClientAliveInterval },
{ "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile },
@@ -723,8 +724,8 @@
intptr = &options->gateway_ports;
goto parse_flag;
- case sVerifyReverseMapping:
- intptr = &options->verify_reverse_mapping;
+ case sUseDNS:
+ intptr = &options->use_dns;
goto parse_flag;
case sLogFacility:
Index: openssh/servconf.h
diff -u openssh/servconf.h:1.52 openssh/servconf.h:1.53
--- openssh/servconf.h:1.52 Thu May 15 04:05:29 2003
+++ openssh/servconf.h Tue Jun 3 02:25:48 2003
@@ -112,7 +112,7 @@
int max_startups_rate;
int max_startups;
char *banner; /* SSH-2 banner message */
- int verify_reverse_mapping; /* cross-check ip and dns */
+ int use_dns;
int client_alive_interval; /*
* poke the client this often to
* see if it's still there
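Review bot: The renamed field drops the comment that `verify_reverse_mapping` carried, leaving `int use_dns;` the only undocumented member among the neighbours shown here. Per the canohost.c hunks in this diff the option now governs two things, whether a reverse lookup is attempted at all and the map-back check, so the comment should say both: `int use_dns; /* resolve remote name and check it maps back to the ip */`.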
Index: openssh/session.c
diff -u openssh/session.c:1.237 openssh/session.c:1.238
--- openssh/session.c:1.237 Thu May 15 02:20:14 2003
+++ openssh/session.c Tue Jun 3 02:25:48 2003
@@ -694,7 +694,7 @@
}
record_utmp_only(pid, s->tty, s->pw->pw_name,
- get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+ get_remote_name_or_ip(utmp_len, options.use_dns),
(struct sockaddr *)&from, fromlen);
}
#endif
@@ -749,7 +749,7 @@
if (!use_privsep)
record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
get_remote_name_or_ip(utmp_len,
- options.verify_reverse_mapping),
+ options.use_dns),
(struct sockaddr *)&from, fromlen);
#ifdef USE_PAM
@@ -1353,7 +1353,7 @@
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
- options.verify_reverse_mapping);
+ options.use_dns);
/*
* Close the connection descriptors; note that this is the child, and
* the server will still have the socket open, and it is important
Index: openssh/sshd_config
diff -u openssh/sshd_config:1.57 openssh/sshd_config:1.58
--- openssh/sshd_config:1.57 Fri May 16 04:00:44 2003
+++ openssh/sshd_config Tue Jun 3 02:25:48 2003
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
+# $OpenBSD: sshd_config,v 1.60 2003/06/02 09:17:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -88,7 +88,7 @@
#MaxStartups 10
# no default banner path
#Banner /some/path
-#VerifyReverseMapping no
+#UseDNS yes
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
Index: openssh/sshd_config.5
diff -u openssh/sshd_config.5:1.18 openssh/sshd_config.5:1.19
--- openssh/sshd_config.5:1.18 Fri May 23 10:44:23 2003
+++ openssh/sshd_config.5 Tue Jun 3 02:25:48 2003
@@ -585,6 +585,14 @@
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
+.It Cm UseDNS
+Specifies whether
+.Nm sshd
+should lookup the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq yes .
.It Cm UseLogin
Specifies whether
.Xr login 1
@@ -622,14 +630,6 @@
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
-.It Cm VerifyReverseMapping
-Specifies whether
-.Nm sshd
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's