- (djm) OpenBSD CVS Sync

- markus@cvs.openbsd.org 2003/06/02 09:17:34 [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] [sshd_config.5] deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@ - (djm) Fix portable-specific uses of verify_reverse_mapping too
2003-06-03 10:25:48 +10:00 · 2003-06-03 10:25:48 +10:00 · 3a961dc0d3
--- a/13
+++ b/13
@ -1,6 +1,17 @@
 20030603
 - (djm) Replace setproctitle replacement with code derived from 
   UCB sendmail
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2003/06/02 09:17:34
     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
     [sshd_config.5]
     deprecate VerifyReverseMapping since it's dangerous if combined
     with IP based access control as noted by Mike Harding; replace with
     a UseDNS option, UseDNS is on by default and includes the
     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
     ok deraadt@, djm@
 - (djm) Fix portable-specific uses of verify_reverse_mapping too
 20030602
 - (djm) Fix segv from bad reordering in auth-pam.c
@ -1648,4 +1659,4 @@
     save auth method before monitor_reset_key_state(); bugzilla bug #284;
     ok provos@
-$Id: ChangeLog,v 1.2764 2003/06/03 00:14:28 djm Exp $
+$Id: ChangeLog,v 1.2765 2003/06/03 00:25:48 djm Exp $
--- a/auth-options.c
+++ b/auth-options.c
@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.27 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
 #include "xmalloc.h"
 #include "match.h"
@ -173,7 +173,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			const char *remote_ip = get_remote_ipaddr();
 			const char *remote_host = get_canonical_hostname(
-			    options.verify_reverse_mapping);
+			    options.use_dns);
 			char *patterns = xmalloc(strlen(opts) + 1);
 			opts += strlen(cp);
--- a/auth-pam.c
+++ b/auth-pam.c
@ -31,7 +31,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.63 2003/06/02 01:04:39 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.64 2003/06/03 00:25:48 djm Exp $");
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@ -299,8 +299,7 @@ sshpam_init(const char *user)
 		sshpam_handle = NULL;
 		return (-1);
 	}
-	pam_rhost = get_remote_name_or_ip(utmp_len,
+	pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
 	    options.verify_reverse_mapping);
 	debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
 	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
 	if (sshpam_err != PAM_SUCCESS) {
--- a/auth-passwd.c
+++ b/auth-passwd.c
@ -144,22 +144,24 @@ auth_password(Authctxt *authctxt, const char *password)
 		HANDLE hToken = cygwin_logon_user(pw, password);
 		if (hToken == INVALID_HANDLE_VALUE)
-			return 0;
+			return (0);
 		cygwin_set_impersonation_token(hToken);
-		return 1;
+		return (1);
 	}
 # endif
 # ifdef WITH_AIXAUTHENTICATE
 	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
-	if (authsuccess)
+	if (authsuccess) {
 	        /* We don't have a pty yet, so just label the line as "ssh" */
 	        if (loginsuccess(authctxt->user,
-			get_canonical_hostname(options.verify_reverse_mapping),
+		    get_canonical_hostname(options.use_dns),
-			"ssh", &aixloginmsg) < 0)
+		    "ssh", &aixloginmsg) < 0) {
-				aixloginmsg = NULL;
+			aixloginmsg = NULL;
 		}
 	}
-	return(authsuccess);
+	return (authsuccess);
 # endif
 # ifdef KRB4
 	if (options.kerberos_authentication == 1) {
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.35 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");
 #include "packet.h"
 #include "uidswap.h"
@ -63,7 +63,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
 	    client_host_key->rsa == NULL)
 		return 0;
-	chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
+	chost = (char *)get_canonical_hostname(options.use_dns);
 	debug("Rhosts RSA authentication: canonical host %.900s", chost);
 	if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.30 2003/05/17 03:25:58 itojun Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $");
 #include "packet.h"
 #include "uidswap.h"
@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
 {
 	const char *hostname, *ipaddr;
-	hostname = get_canonical_hostname(options.verify_reverse_mapping);
+	hostname = get_canonical_hostname(options.use_dns);
 	ipaddr = get_remote_ipaddr();
 	return auth_rhosts2(pw, client_user, hostname, ipaddr);
 }
--- a/auth-sia.c
+++ b/auth-sia.c
@ -52,7 +52,7 @@ auth_sia_password(Authctxt *authctxt, char *pass)
 	SIAENTITY *ent = NULL;
 	const char *host;
-	host = get_canonical_hostname(options.verify_reverse_mapping);
+	host = get_canonical_hostname(options.use_dns);
 	if (!authctxt->user || pass == NULL || pass[0] == '\0')
 		return (0);
@ -81,7 +81,7 @@ session_setup_sia(struct passwd *pw, char *tty)
 	SIAENTITY *ent = NULL;
 	const char *host;
-	host = get_canonical_hostname(options.verify_reverse_mapping);
+	host = get_canonical_hostname(options.use_dns);
 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, 
 	    tty, 0, NULL) != SIASUCCESS)
--- a/auth.c
+++ b/auth.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.47 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@ -141,7 +141,7 @@ allowed_user(struct passwd * pw)
 	}
 	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-		hostname = get_canonical_hostname(options.verify_reverse_mapping);
+		hostname = get_canonical_hostname(options.use_dns);
 		ipaddr = get_remote_ipaddr();
 	}
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-hostbased.c,v 1.3 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $");
 #include "ssh2.h"
 #include "xmalloc.h"
@ -136,7 +136,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 	HostStatus host_status;
 	int len;
-	resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
+	resolvedname = get_canonical_hostname(options.use_dns);
 	ipaddr = get_remote_ipaddr();
 	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
--- a/canohost.c
+++ b/canohost.c
@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.36 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
 */
 static char *
-get_remote_hostname(int socket, int verify_reverse_mapping)
+get_remote_hostname(int socket, int use_dns)
 {
 	struct sockaddr_storage from;
 	int i;
@ -72,6 +72,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
 	    NULL, 0, NI_NUMERICHOST) != 0)
 		fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
 	if (!use_dns)
 		return xstrdup(ntop);
 	if (from.ss_family == AF_INET)
 		check_ip_options(socket, ntop);
@ -80,14 +83,24 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
 	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 	    NULL, 0, NI_NAMEREQD) != 0) {
 		/* Host name not found.  Use ip address. */
 #if 0
 		logit("Could not reverse map address %.100s.", ntop);
 #endif
 		return xstrdup(ntop);
 	}
-	/* Got host name. */
+	/*
-	name[sizeof(name) - 1] = '\0';
+	 * if reverse lookup result looks like a numeric hostname,
 	 * someone is trying to trick us by PTR record like following:
 	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
 	 */
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
 	hints.ai_flags = AI_NUMERICHOST;
 	if (getaddrinfo(name, "0", &hints, &ai) == 0) {
 		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
 		    name, ntop);
 		freeaddrinfo(ai);
 		return xstrdup(ntop);
 	}
 	/*
 	 * Convert it to all lowercase (which is expected by the rest
 	 * of this software).
@ -95,9 +108,6 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
 	for (i = 0; name[i]; i++)
 		if (isupper(name[i]))
 			name[i] = tolower(name[i]);
 	if (!verify_reverse_mapping)
 		return xstrdup(name);
 	/*
 	 * Map it back to an IP address and check that the given
 	 * address actually is an address of this host.  This is
@ -180,14 +190,14 @@ check_ip_options(int socket, char *ipaddr)
 */
 const char *
-get_canonical_hostname(int verify_reverse_mapping)
+get_canonical_hostname(int use_dns)
 {
 	static char *canonical_host_name = NULL;
-	static int verify_reverse_mapping_done = 0;
+	static int use_dns_done = 0;
 	/* Check if we have previously retrieved name with same option. */
 	if (canonical_host_name != NULL) {
-		if (verify_reverse_mapping_done != verify_reverse_mapping)
+		if (use_dns_done != use_dns)
 			xfree(canonical_host_name);
 		else
 			return canonical_host_name;
@ -196,11 +206,11 @@ get_canonical_hostname(int verify_reverse_mapping)
 	/* Get the real hostname if socket; otherwise return UNKNOWN. */
 	if (packet_connection_is_on_socket())
 		canonical_host_name = get_remote_hostname(
-		    packet_get_connection_in(), verify_reverse_mapping);
+		    packet_get_connection_in(), use_dns);
 	else
 		canonical_host_name = xstrdup("UNKNOWN");
-	verify_reverse_mapping_done = verify_reverse_mapping;
+	use_dns_done = use_dns;
 	return canonical_host_name;
 }
@ -294,11 +304,11 @@ get_remote_ipaddr(void)
 }
 const char *
-get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
+get_remote_name_or_ip(u_int utmp_len, int use_dns)
 {
 	static const char *remote = "";
 	if (utmp_len > 0)
-		remote = get_canonical_hostname(verify_reverse_mapping);
+		remote = get_canonical_hostname(use_dns);
 	if (utmp_len == 0 || strlen(remote) > utmp_len)
 		remote = get_remote_ipaddr();
 	return remote;
--- a/monitor.c
+++ b/monitor.c
@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.41 2003/05/24 09:30:40 djm Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.42 2003/06/02 09:17:34 markus Exp $");
 #include <openssl/dh.h>
@ -1157,7 +1157,7 @@ mm_record_login(Session *s, struct passwd *pw)
 	}
 	/* Record that there was a login on that tty from the remote host. */
 	record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
-	    get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+	    get_remote_name_or_ip(utmp_len, options.use_dns),
 	    (struct sockaddr *)&from, fromlen);
 }
--- a/servconf.c
+++ b/servconf.c
@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
 #if defined(KRB4)
 #include <krb.h>
@ -116,7 +116,7 @@ initialize_server_options(ServerOptions *options)
 	options->max_startups_rate = -1;
 	options->max_startups = -1;
 	options->banner = NULL;
-	options->verify_reverse_mapping = -1;
+	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
 	options->authorized_keys_file = NULL;
@ -232,8 +232,8 @@ fill_default_server_options(ServerOptions *options)
 		options->max_startups_rate = 100;		/* 100% */
 	if (options->max_startups_begin == -1)
 		options->max_startups_begin = options->max_startups;
-	if (options->verify_reverse_mapping == -1)
+	if (options->use_dns == -1)
-		options->verify_reverse_mapping = 0;
+		options->use_dns = 1;
 	if (options->client_alive_interval == -1)
 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
@ -282,7 +282,7 @@ typedef enum {
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
-	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
+	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sUsePrivilegeSeparation,
@ -366,8 +366,9 @@ static struct {
 	{ "subsystem", sSubsystem },
 	{ "maxstartups", sMaxStartups },
 	{ "banner", sBanner },
-	{ "verifyreversemapping", sVerifyReverseMapping },
+	{ "usedns", sUseDNS },
-	{ "reversemappingcheck", sVerifyReverseMapping },
+	{ "verifyreversemapping", sDeprecated },
 	{ "reversemappingcheck", sDeprecated },
 	{ "clientaliveinterval", sClientAliveInterval },
 	{ "clientalivecountmax", sClientAliveCountMax },
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
@ -723,8 +724,8 @@ parse_flag:
 		intptr = &options->gateway_ports;
 		goto parse_flag;
-	case sVerifyReverseMapping:
+	case sUseDNS:
-		intptr = &options->verify_reverse_mapping;
+		intptr = &options->use_dns;
 		goto parse_flag;
 	case sLogFacility:
--- a/servconf.h
+++ b/servconf.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: servconf.h,v 1.60 2003/05/15 01:48:10 jakob Exp $	*/
+/*	$OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $	*/
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -112,7 +112,7 @@ typedef struct {
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
-	int	verify_reverse_mapping;	/* cross-check ip and dns */
+	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
 					 * see if it's still there
--- a/session.c
+++ b/session.c
@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.157 2003/05/14 22:24:42 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@ -694,7 +694,7 @@ do_pre_login(Session *s)
 	}
 	record_utmp_only(pid, s->tty, s->pw->pw_name,
-	    get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+	    get_remote_name_or_ip(utmp_len, options.use_dns),
 	    (struct sockaddr *)&from, fromlen);
 }
 #endif
@ -749,7 +749,7 @@ do_login(Session *s, const char *command)
 	if (!use_privsep)
 		record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
 		    get_remote_name_or_ip(utmp_len,
-		    options.verify_reverse_mapping),
+		    options.use_dns),
 		    (struct sockaddr *)&from, fromlen);
 #ifdef USE_PAM
@ -1353,7 +1353,7 @@ do_child(Session *s, const char *command)
 	/* we have to stash the hostname before we close our socket. */
 	if (options.use_login)
 		hostname = get_remote_name_or_ip(utmp_len,
-		    options.verify_reverse_mapping);
+		    options.use_dns);
 	/*
 	 * Close the connection descriptors; note that this is the child, and
 	 * the server will still have the socket open, and it is important
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
+#	$OpenBSD: sshd_config,v 1.60 2003/06/02 09:17:34 markus Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@ -88,7 +88,7 @@
 #MaxStartups 10
 # no default banner path
 #Banner /some/path
-#VerifyReverseMapping no
+#UseDNS yes
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
--- a/sshd_config.5
+++ b/sshd_config.5
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.18 2003/06/02 09:17:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@ -585,6 +585,14 @@ Gives the facility code that is used when logging messages from
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm UseDNS
 Specifies whether
 .Nm sshd
 should lookup the remote host name and check that
 the resolved host name for the remote IP address maps back to the
 very same IP address.
 The default is
 .Dq yes .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
@ -622,14 +630,6 @@ The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
 .It Cm VerifyReverseMapping
 Specifies whether
 .Nm sshd
 should try to verify the remote host name and check that
 the resolved host name for the remote IP address maps back to the
 very same IP address.
 The default is
 .Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's