- (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/06/02 09:17:34
     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
     [sshd_config.5]
     deprecate VerifyReverseMapping since it's dangerous if combined
     with IP based access control as noted by Mike Harding; replace with
     a UseDNS option, UseDNS is on by default and includes the
     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
     ok deraadt@, djm@
 - (djm) Fix portable-specific uses of verify_reverse_mapping too
diff --git a/ChangeLog b/ChangeLog
index ada1bd2..6627ec3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,17 @@
 20030603
  - (djm) Replace setproctitle replacement with code derived from 
    UCB sendmail
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/06/02 09:17:34
+     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
+     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
+     [sshd_config.5]
+     deprecate VerifyReverseMapping since it's dangerous if combined
+     with IP based access control as noted by Mike Harding; replace with
+     a UseDNS option, UseDNS is on by default and includes the
+     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
+     ok deraadt@, djm@
+ - (djm) Fix portable-specific uses of verify_reverse_mapping too
 
 20030602
  - (djm) Fix segv from bad reordering in auth-pam.c
@@ -1648,4 +1659,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2764 2003/06/03 00:14:28 djm Exp $
+$Id: ChangeLog,v 1.2765 2003/06/03 00:25:48 djm Exp $
diff --git a/auth-options.c b/auth-options.c
index d8976b1..0e146ab 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.27 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
 
 #include "xmalloc.h"
 #include "match.h"
@@ -173,7 +173,7 @@
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			const char *remote_ip = get_remote_ipaddr();
 			const char *remote_host = get_canonical_hostname(
-			    options.verify_reverse_mapping);
+			    options.use_dns);
 			char *patterns = xmalloc(strlen(opts) + 1);
 
 			opts += strlen(cp);
diff --git a/auth-pam.c b/auth-pam.c
index b838164..057164a 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.63 2003/06/02 01:04:39 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.64 2003/06/03 00:25:48 djm Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -299,8 +299,7 @@
 		sshpam_handle = NULL;
 		return (-1);
 	}
-	pam_rhost = get_remote_name_or_ip(utmp_len,
-	    options.verify_reverse_mapping);
+	pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
 	debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
 	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
 	if (sshpam_err != PAM_SUCCESS) {
diff --git a/auth-passwd.c b/auth-passwd.c
index b893165..9a94c37 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -144,22 +144,24 @@
 		HANDLE hToken = cygwin_logon_user(pw, password);
 
 		if (hToken == INVALID_HANDLE_VALUE)
-			return 0;
+			return (0);
 		cygwin_set_impersonation_token(hToken);
-		return 1;
+		return (1);
 	}
 # endif
 # ifdef WITH_AIXAUTHENTICATE
 	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
 
-	if (authsuccess)
+	if (authsuccess) {
 	        /* We don't have a pty yet, so just label the line as "ssh" */
 	        if (loginsuccess(authctxt->user,
-			get_canonical_hostname(options.verify_reverse_mapping),
-			"ssh", &aixloginmsg) < 0)
-				aixloginmsg = NULL;
+		    get_canonical_hostname(options.use_dns),
+		    "ssh", &aixloginmsg) < 0) {
+			aixloginmsg = NULL;
+		}
+	}
 
-	return(authsuccess);
+	return (authsuccess);
 # endif
 # ifdef KRB4
 	if (options.kerberos_authentication == 1) {
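Review bot: The newly braced AIX block is indented inconsistently: the `/* We don't have a pty yet ... */` comment and the `if (loginsuccess(authctxt->user,` line keep a tab followed by eight spaces, while the continuation lines this commit adds (`get_canonical_hostname(options.use_dns),` through the closing braces) use tabs only. Since the commit already reformats this block (braces, `return (authsuccess);`), normalizing those two lines to tab indentation would leave the whole `if (authsuccess) {` body in one style. The enclosing function starts and ends outside this hunk.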
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index 4d6f0d2..2eb7e6e 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.35 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");
 
 #include "packet.h"
 #include "uidswap.h"
@@ -63,7 +63,7 @@
 	    client_host_key->rsa == NULL)
 		return 0;
 
-	chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
+	chost = (char *)get_canonical_hostname(options.use_dns);
 	debug("Rhosts RSA authentication: canonical host %.900s", chost);
 
 	if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
diff --git a/auth-rhosts.c b/auth-rhosts.c
index a384781..b42a64c 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.30 2003/05/17 03:25:58 itojun Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $");
 
 #include "packet.h"
 #include "uidswap.h"
@@ -156,7 +156,7 @@
 {
 	const char *hostname, *ipaddr;
 
-	hostname = get_canonical_hostname(options.verify_reverse_mapping);
+	hostname = get_canonical_hostname(options.use_dns);
 	ipaddr = get_remote_ipaddr();
 	return auth_rhosts2(pw, client_user, hostname, ipaddr);
 }
diff --git a/auth-sia.c b/auth-sia.c
index 05cf47c..cae5f09 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -52,7 +52,7 @@
 	SIAENTITY *ent = NULL;
 	const char *host;
 
-	host = get_canonical_hostname(options.verify_reverse_mapping);
+	host = get_canonical_hostname(options.use_dns);
 
 	if (!authctxt->user || pass == NULL || pass[0] == '\0')
 		return (0);
@@ -81,7 +81,7 @@
 	SIAENTITY *ent = NULL;
 	const char *host;
 
-	host = get_canonical_hostname(options.verify_reverse_mapping);
+	host = get_canonical_hostname(options.use_dns);
 
 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, 
 	    tty, 0, NULL) != SIASUCCESS)
diff --git a/auth.c b/auth.c
index 8b58cc6..6b48add 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.47 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -141,7 +141,7 @@
 	}
 
 	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-		hostname = get_canonical_hostname(options.verify_reverse_mapping);
+		hostname = get_canonical_hostname(options.use_dns);
 		ipaddr = get_remote_ipaddr();
 	}
 
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index f8b4ae8..bbc7d8a 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2-hostbased.c,v 1.3 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $");
 
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -136,7 +136,7 @@
 	HostStatus host_status;
 	int len;
 
-	resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
+	resolvedname = get_canonical_hostname(options.use_dns);
 	ipaddr = get_remote_ipaddr();
 
 	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
diff --git a/canohost.c b/canohost.c
index 417d95c..533f2c2 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.36 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -27,7 +27,7 @@
  */
 
 static char *
-get_remote_hostname(int socket, int verify_reverse_mapping)
+get_remote_hostname(int socket, int use_dns)
 {
 	struct sockaddr_storage from;
 	int i;
@@ -72,6 +72,9 @@
 	    NULL, 0, NI_NUMERICHOST) != 0)
 		fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
 
+	if (!use_dns)
+		return xstrdup(ntop);
+
 	if (from.ss_family == AF_INET)
 		check_ip_options(socket, ntop);
 
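Review bot: The new early return `if (!use_dns) return xstrdup(ntop);` is placed before the `if (from.ss_family == AF_INET) check_ip_options(socket, ntop);` call, so whatever check_ip_options() enforces on the connection is skipped entirely when UseDNS is off, even though the option is documented in this commit as controlling hostname lookup, not IP-level checks. Swapping the order keeps that check unconditional: `if (from.ss_family == AF_INET) check_ip_options(socket, ntop);` followed by `if (!use_dns) return xstrdup(ntop);`. get_remote_hostname() begins and ends outside this hunk.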
@@ -80,14 +83,24 @@
 	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 	    NULL, 0, NI_NAMEREQD) != 0) {
 		/* Host name not found.  Use ip address. */
-#if 0
-		logit("Could not reverse map address %.100s.", ntop);
-#endif
 		return xstrdup(ntop);
 	}
 
-	/* Got host name. */
-	name[sizeof(name) - 1] = '\0';
+	/*
+	 * if reverse lookup result looks like a numeric hostname,
+	 * someone is trying to trick us by PTR record like following:
+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+	 */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+	hints.ai_flags = AI_NUMERICHOST;
+	if (getaddrinfo(name, "0", &hints, &ai) == 0) {
+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+		    name, ntop);
+		freeaddrinfo(ai);
+		return xstrdup(ntop);
+	}
+
 	/*
 	 * Convert it to all lowercase (which is expected by the rest
 	 * of this software).
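Review bot: `name` in the new `logit("Nasty PTR record \"%s\" is set up for %s, ignoring", name, ntop)` call is raw reverse-DNS data controlled by whoever operates the PTR zone for the client address; if logit() does not escape non-printable characters, the string can carry control or newline characters into the server log. Confirm that the logging path applies strnvis()-style escaping, or escape `name` before it is logged. The `hints` and `ai` objects used by the new getaddrinfo() call are not declared within this hunk, so presumably their declarations were added at the top of get_remote_hostname(), which lies outside this view.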
@@ -95,9 +108,6 @@
 	for (i = 0; name[i]; i++)
 		if (isupper(name[i]))
 			name[i] = tolower(name[i]);
-
-	if (!verify_reverse_mapping)
-		return xstrdup(name);
 	/*
 	 * Map it back to an IP address and check that the given
 	 * address actually is an address of this host.  This is
@@ -180,14 +190,14 @@
  */
 
 const char *
-get_canonical_hostname(int verify_reverse_mapping)
+get_canonical_hostname(int use_dns)
 {
 	static char *canonical_host_name = NULL;
-	static int verify_reverse_mapping_done = 0;
+	static int use_dns_done = 0;
 
 	/* Check if we have previously retrieved name with same option. */
 	if (canonical_host_name != NULL) {
-		if (verify_reverse_mapping_done != verify_reverse_mapping)
+		if (use_dns_done != use_dns)
 			xfree(canonical_host_name);
 		else
 			return canonical_host_name;
@@ -196,11 +206,11 @@
 	/* Get the real hostname if socket; otherwise return UNKNOWN. */
 	if (packet_connection_is_on_socket())
 		canonical_host_name = get_remote_hostname(
-		    packet_get_connection_in(), verify_reverse_mapping);
+		    packet_get_connection_in(), use_dns);
 	else
 		canonical_host_name = xstrdup("UNKNOWN");
 
-	verify_reverse_mapping_done = verify_reverse_mapping;
+	use_dns_done = use_dns;
 	return canonical_host_name;
 }
 
@@ -294,11 +304,11 @@
 }
 
 const char *
-get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
+get_remote_name_or_ip(u_int utmp_len, int use_dns)
 {
 	static const char *remote = "";
 	if (utmp_len > 0)
-		remote = get_canonical_hostname(verify_reverse_mapping);
+		remote = get_canonical_hostname(use_dns);
 	if (utmp_len == 0 || strlen(remote) > utmp_len)
 		remote = get_remote_ipaddr();
 	return remote;
diff --git a/monitor.c b/monitor.c
index 3b7a6f8..707d314 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.41 2003/05/24 09:30:40 djm Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.42 2003/06/02 09:17:34 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -1157,7 +1157,7 @@
 	}
 	/* Record that there was a login on that tty from the remote host. */
 	record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
-	    get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+	    get_remote_name_or_ip(utmp_len, options.use_dns),
 	    (struct sockaddr *)&from, fromlen);
 }
 
diff --git a/servconf.c b/servconf.c
index a737f4b..c501d7b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
 
 #if defined(KRB4)
 #include <krb.h>
@@ -116,7 +116,7 @@
 	options->max_startups_rate = -1;
 	options->max_startups = -1;
 	options->banner = NULL;
-	options->verify_reverse_mapping = -1;
+	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
 	options->authorized_keys_file = NULL;
@@ -232,8 +232,8 @@
 		options->max_startups_rate = 100;		/* 100% */
 	if (options->max_startups_begin == -1)
 		options->max_startups_begin = options->max_startups;
-	if (options->verify_reverse_mapping == -1)
-		options->verify_reverse_mapping = 0;
+	if (options->use_dns == -1)
+		options->use_dns = 1;
 	if (options->client_alive_interval == -1)
 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
@@ -282,7 +282,7 @@
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
-	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
+	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sUsePrivilegeSeparation,
@@ -366,8 +366,9 @@
 	{ "subsystem", sSubsystem },
 	{ "maxstartups", sMaxStartups },
 	{ "banner", sBanner },
-	{ "verifyreversemapping", sVerifyReverseMapping },
-	{ "reversemappingcheck", sVerifyReverseMapping },
+	{ "usedns", sUseDNS },
+	{ "verifyreversemapping", sDeprecated },
+	{ "reversemappingcheck", sDeprecated },
 	{ "clientaliveinterval", sClientAliveInterval },
 	{ "clientalivecountmax", sClientAliveCountMax },
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
@@ -723,8 +724,8 @@
 		intptr = &options->gateway_ports;
 		goto parse_flag;
 
-	case sVerifyReverseMapping:
-		intptr = &options->verify_reverse_mapping;
+	case sUseDNS:
+		intptr = &options->use_dns;
 		goto parse_flag;
 
 	case sLogFacility:
diff --git a/servconf.h b/servconf.h
index 4ad1ee7..b676f2b 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: servconf.h,v 1.60 2003/05/15 01:48:10 jakob Exp $	*/
+/*	$OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -112,7 +112,7 @@
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
-	int	verify_reverse_mapping;	/* cross-check ip and dns */
+	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
 					 * see if it's still there
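Review bot: The replacement field `int	use_dns;` drops the explanatory comment that `verify_reverse_mapping` carried (`/* cross-check ip and dns */`), leaving it the only undocumented member among its neighbours in this hunk. Suggest `int	use_dns;		/* look up client hostname and verify it maps back to the IP */`, which matches what the sshd_config.5 entry added by this commit describes. The struct definition begins and ends outside this hunk.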
diff --git a/session.c b/session.c
index 796c517..dc9777d 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.157 2003/05/14 22:24:42 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -694,7 +694,7 @@
 	}
 
 	record_utmp_only(pid, s->tty, s->pw->pw_name,
-	    get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+	    get_remote_name_or_ip(utmp_len, options.use_dns),
 	    (struct sockaddr *)&from, fromlen);
 }
 #endif
@@ -749,7 +749,7 @@
 	if (!use_privsep)
 		record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
 		    get_remote_name_or_ip(utmp_len,
-		    options.verify_reverse_mapping),
+		    options.use_dns),
 		    (struct sockaddr *)&from, fromlen);
 
 #ifdef USE_PAM
@@ -1353,7 +1353,7 @@
 	/* we have to stash the hostname before we close our socket. */
 	if (options.use_login)
 		hostname = get_remote_name_or_ip(utmp_len,
-		    options.verify_reverse_mapping);
+		    options.use_dns);
 	/*
 	 * Close the connection descriptors; note that this is the child, and
 	 * the server will still have the socket open, and it is important
diff --git a/sshd_config b/sshd_config
index 78fc67c..c93396b 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
+#	$OpenBSD: sshd_config,v 1.60 2003/06/02 09:17:34 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -88,7 +88,7 @@
 #MaxStartups 10
 # no default banner path
 #Banner /some/path
-#VerifyReverseMapping no
+#UseDNS yes
 
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
diff --git a/sshd_config.5 b/sshd_config.5
index 86b3289..0c6108e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.18 2003/06/02 09:17:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -585,6 +585,14 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseDNS
+Specifies whether
+.Nm sshd
+should lookup the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq yes .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
@@ -622,14 +630,6 @@
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
-.It Cm VerifyReverseMapping
-Specifies whether
-.Nm sshd
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's