diff options
| author | Damien Miller <djm@mindrot.org> | 2003-06-03 10:25:48 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-06-03 10:25:48 +1000 |
| commit | 3a961dc0d36c1f87788b707130f6d07709822d38 (patch) | |
| tree | 57f3a729408e4cbe08fa7f9699de2e583e0b2ca0 | |
| parent | 35276253a60a3e57ec21b82b2e3c81e03c0206de (diff) | |
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34
[auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
[canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
[sshd_config.5]
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@
- (djm) Fix portable-specific uses of verify_reverse_mapping too
| -rw-r--r-- | ChangeLog | 13 | ||||
| -rw-r--r-- | auth-options.c | 4 | ||||
| -rw-r--r-- | auth-pam.c | 5 | ||||
| -rw-r--r-- | auth-passwd.c | 16 | ||||
| -rw-r--r-- | auth-rh-rsa.c | 4 | ||||
| -rw-r--r-- | auth-rhosts.c | 4 | ||||
| -rw-r--r-- | auth-sia.c | 4 | ||||
| -rw-r--r-- | auth.c | 4 | ||||
| -rw-r--r-- | auth2-hostbased.c | 4 | ||||
| -rw-r--r-- | canohost.c | 44 | ||||
| -rw-r--r-- | monitor.c | 4 | ||||
| -rw-r--r-- | servconf.c | 19 | ||||
| -rw-r--r-- | servconf.h | 4 | ||||
| -rw-r--r-- | session.c | 8 | ||||
| -rw-r--r-- | sshd_config | 4 | ||||
| -rw-r--r-- | sshd_config.5 | 18 |
16 files changed, 91 insertions, 68 deletions
@@ -1,6 +1,17 @@ 20030603 - (djm) Replace setproctitle replacement with code derived from UCB sendmail + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/06/02 09:17:34 + [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] + [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] + [sshd_config.5] + deprecate VerifyReverseMapping since it's dangerous if combined + with IP based access control as noted by Mike Harding; replace with + a UseDNS option, UseDNS is on by default and includes the + VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ + ok deraadt@, djm@ + - (djm) Fix portable-specific uses of verify_reverse_mapping too 20030602 - (djm) Fix segv from bad reordering in auth-pam.c @@ -1648,4 +1659,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2764 2003/06/03 00:14:28 djm Exp $ +$Id: ChangeLog,v 1.2765 2003/06/03 00:25:48 djm Exp $ diff --git a/auth-options.c b/auth-options.c index d8976b17..0e146ab1 100644 --- a/auth-options.c +++ b/auth-options.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.27 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $"); #include "xmalloc.h" #include "match.h" @@ -173,7 +173,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { const char *remote_ip = get_remote_ipaddr(); const char *remote_host = get_canonical_hostname( - options.verify_reverse_mapping); + options.use_dns); char *patterns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.63 2003/06/02 01:04:39 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.64 2003/06/03 00:25:48 djm Exp $"); #ifdef USE_PAM #include <security/pam_appl.h> @@ -299,8 +299,7 @@ sshpam_init(const char *user) sshpam_handle = NULL; return (-1); } - pam_rhost = get_remote_name_or_ip(utmp_len, - options.verify_reverse_mapping); + pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns); debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); if (sshpam_err != PAM_SUCCESS) { diff --git a/auth-passwd.c b/auth-passwd.c index b893165b..9a94c373 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -144,22 +144,24 @@ auth_password(Authctxt *authctxt, const char *password) HANDLE hToken = cygwin_logon_user(pw, password); if (hToken == INVALID_HANDLE_VALUE) - return 0; + return (0); cygwin_set_impersonation_token(hToken); - return 1; + return (1); } # endif # ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); - if (authsuccess) + if (authsuccess) { /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh", &aixloginmsg) < 0) - aixloginmsg = NULL; + get_canonical_hostname(options.use_dns), + "ssh", &aixloginmsg) < 0) { + aixloginmsg = NULL; + } + } - return(authsuccess); + return (authsuccess); # endif # ifdef KRB4 if (options.kerberos_authentication == 1) { diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 4d6f0d23..2eb7e6e2 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.35 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $"); #include "packet.h" #include "uidswap.h" @@ -63,7 +63,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key) client_host_key->rsa == NULL) return 0; - chost = (char *)get_canonical_hostname(options.verify_reverse_mapping); + chost = (char *)get_canonical_hostname(options.use_dns); debug("Rhosts RSA authentication: canonical host %.900s", chost); if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) { diff --git a/auth-rhosts.c b/auth-rhosts.c index a3847810..b42a64c9 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.30 2003/05/17 03:25:58 itojun Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $"); #include "packet.h" #include "uidswap.h" @@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user) { const char *hostname, *ipaddr; - hostname = get_canonical_hostname(options.verify_reverse_mapping); + hostname = get_canonical_hostname(options.use_dns); ipaddr = get_remote_ipaddr(); return auth_rhosts2(pw, client_user, hostname, ipaddr); } @@ -52,7 +52,7 @@ auth_sia_password(Authctxt *authctxt, char *pass) SIAENTITY *ent = NULL; const char *host; - host = get_canonical_hostname(options.verify_reverse_mapping); + host = get_canonical_hostname(options.use_dns); if (!authctxt->user || pass == NULL || pass[0] == '\0') return (0); @@ -81,7 +81,7 @@ session_setup_sia(struct passwd *pw, char *tty) SIAENTITY *ent = NULL; const char *host; - host = get_canonical_hostname(options.verify_reverse_mapping); + host = get_canonical_hostname(options.use_dns); if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty, 0, NULL) != SIASUCCESS) @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.47 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $"); #ifdef HAVE_LOGIN_H #include <login.h> @@ -141,7 +141,7 @@ allowed_user(struct passwd * pw) } if (options.num_deny_users > 0 || options.num_allow_users > 0) { - hostname = get_canonical_hostname(options.verify_reverse_mapping); + hostname = get_canonical_hostname(options.use_dns); ipaddr = get_remote_ipaddr(); } diff --git a/auth2-hostbased.c b/auth2-hostbased.c index f8b4ae85..bbc7d8a4 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-hostbased.c,v 1.3 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -136,7 +136,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, HostStatus host_status; int len; - resolvedname = get_canonical_hostname(options.verify_reverse_mapping); + resolvedname = get_canonical_hostname(options.use_dns); ipaddr = get_remote_ipaddr(); debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.36 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -27,7 +27,7 @@ static void check_ip_options(int, char *); */ static char * -get_remote_hostname(int socket, int verify_reverse_mapping) +get_remote_hostname(int socket, int use_dns) { struct sockaddr_storage from; int i; @@ -72,6 +72,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping) NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); + if (!use_dns) + return xstrdup(ntop); + if (from.ss_family == AF_INET) check_ip_options(socket, ntop); @@ -80,14 +83,24 @@ get_remote_hostname(int socket, int verify_reverse_mapping) if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), NULL, 0, NI_NAMEREQD) != 0) { /* Host name not found. Use ip address. */ -#if 0 - logit("Could not reverse map address %.100s.", ntop); -#endif return xstrdup(ntop); } - /* Got host name. */ - name[sizeof(name) - 1] = '\0'; + /* + * if reverse lookup result looks like a numeric hostname, + * someone is trying to trick us by PTR record like following: + * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 + */ + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; + if (getaddrinfo(name, "0", &hints, &ai) == 0) { + logit("Nasty PTR record \"%s\" is set up for %s, ignoring", + name, ntop); + freeaddrinfo(ai); + return xstrdup(ntop); + } + /* * Convert it to all lowercase (which is expected by the rest * of this software). @@ -95,9 +108,6 @@ get_remote_hostname(int socket, int verify_reverse_mapping) for (i = 0; name[i]; i++) if (isupper(name[i])) name[i] = tolower(name[i]); - - if (!verify_reverse_mapping) - return xstrdup(name); /* * Map it back to an IP address and check that the given * address actually is an address of this host. This is @@ -180,14 +190,14 @@ check_ip_options(int socket, char *ipaddr) */ const char * -get_canonical_hostname(int verify_reverse_mapping) +get_canonical_hostname(int use_dns) { static char *canonical_host_name = NULL; - static int verify_reverse_mapping_done = 0; + static int use_dns_done = 0; /* Check if we have previously retrieved name with same option. */ if (canonical_host_name != NULL) { - if (verify_reverse_mapping_done != verify_reverse_mapping) + if (use_dns_done != use_dns) xfree(canonical_host_name); else return canonical_host_name; @@ -196,11 +206,11 @@ get_canonical_hostname(int verify_reverse_mapping) /* Get the real hostname if socket; otherwise return UNKNOWN. */ if (packet_connection_is_on_socket()) canonical_host_name = get_remote_hostname( - packet_get_connection_in(), verify_reverse_mapping); + packet_get_connection_in(), use_dns); else canonical_host_name = xstrdup("UNKNOWN"); - verify_reverse_mapping_done = verify_reverse_mapping; + use_dns_done = use_dns; return canonical_host_name; } @@ -294,11 +304,11 @@ get_remote_ipaddr(void) } const char * -get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping) +get_remote_name_or_ip(u_int utmp_len, int use_dns) { static const char *remote = ""; if (utmp_len > 0) - remote = get_canonical_hostname(verify_reverse_mapping); + remote = get_canonical_hostname(use_dns); if (utmp_len == 0 || strlen(remote) > utmp_len) remote = get_remote_ipaddr(); return remote; @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.41 2003/05/24 09:30:40 djm Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.42 2003/06/02 09:17:34 markus Exp $"); #include <openssl/dh.h> @@ -1157,7 +1157,7 @@ mm_record_login(Session *s, struct passwd *pw) } /* Record that there was a login on that tty from the remote host. */ record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, - get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping), + get_remote_name_or_ip(utmp_len, options.use_dns), (struct sockaddr *)&from, fromlen); } @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $"); #if defined(KRB4) #include <krb.h> @@ -116,7 +116,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_rate = -1; options->max_startups = -1; options->banner = NULL; - options->verify_reverse_mapping = -1; + options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; options->authorized_keys_file = NULL; @@ -232,8 +232,8 @@ fill_default_server_options(ServerOptions *options) options->max_startups_rate = 100; /* 100% */ if (options->max_startups_begin == -1) options->max_startups_begin = options->max_startups; - if (options->verify_reverse_mapping == -1) - options->verify_reverse_mapping = 0; + if (options->use_dns == -1) + options->use_dns = 1; if (options->client_alive_interval == -1) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) @@ -282,7 +282,7 @@ typedef enum { sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, - sBanner, sVerifyReverseMapping, sHostbasedAuthentication, + sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sUsePrivilegeSeparation, @@ -366,8 +366,9 @@ static struct { { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, { "banner", sBanner }, - { "verifyreversemapping", sVerifyReverseMapping }, - { "reversemappingcheck", sVerifyReverseMapping }, + { "usedns", sUseDNS }, + { "verifyreversemapping", sDeprecated }, + { "reversemappingcheck", sDeprecated }, { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, @@ -723,8 +724,8 @@ parse_flag: intptr = &options->gateway_ports; goto parse_flag; - case sVerifyReverseMapping: - intptr = &options->verify_reverse_mapping; + case sUseDNS: + intptr = &options->use_dns; goto parse_flag; case sLogFacility: @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.60 2003/05/15 01:48:10 jakob Exp $ */ +/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -112,7 +112,7 @@ typedef struct { int max_startups_rate; int max_startups; char *banner; /* SSH-2 banner message */ - int verify_reverse_mapping; /* cross-check ip and dns */ + int use_dns; int client_alive_interval; /* * poke the client this often to * see if it's still there @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.157 2003/05/14 22:24:42 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -694,7 +694,7 @@ do_pre_login(Session *s) } record_utmp_only(pid, s->tty, s->pw->pw_name, - get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping), + get_remote_name_or_ip(utmp_len, options.use_dns), (struct sockaddr *)&from, fromlen); } #endif @@ -749,7 +749,7 @@ do_login(Session *s, const char *command) if (!use_privsep) record_login(pid, s->tty, pw->pw_name, pw->pw_uid, get_remote_name_or_ip(utmp_len, - options.verify_reverse_mapping), + options.use_dns), (struct sockaddr *)&from, fromlen); #ifdef USE_PAM @@ -1353,7 +1353,7 @@ do_child(Session *s, const char *command) /* we have to stash the hostname before we close our socket. */ if (options.use_login) hostname = get_remote_name_or_ip(utmp_len, - options.verify_reverse_mapping); + options.use_dns); /* * Close the connection descriptors; note that this is the child, and * the server will still have the socket open, and it is important diff --git a/sshd_config b/sshd_config index 78fc67c2..c93396b5 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ +# $OpenBSD: sshd_config,v 1.60 2003/06/02 09:17:34 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -88,7 +88,7 @@ #MaxStartups 10 # no default banner path #Banner /some/path -#VerifyReverseMapping no +#UseDNS yes # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server diff --git a/sshd_config.5 b/sshd_config.5 index 86b3289a..0c6108e0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.18 2003/06/02 09:17:34 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -585,6 +585,14 @@ Gives the facility code that is used when logging messages from The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. +.It Cm UseDNS +Specifies whether +.Nm sshd +should lookup the remote host name and check that +the resolved host name for the remote IP address maps back to the +very same IP address. +The default is +.Dq yes . .It Cm UseLogin Specifies whether .Xr login 1 @@ -622,14 +630,6 @@ The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is .Dq yes . -.It Cm VerifyReverseMapping -Specifies whether -.Nm sshd -should try to verify the remote host name and check that -the resolved host name for the remote IP address maps back to the -very same IP address. -The default is -.Dq no . .It Cm X11DisplayOffset Specifies the first display number available for .Nm sshd Ns 's |