- markus@cvs.openbsd.org 2003/06/02 09:17:34
     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
     [sshd_config.5]
     deprecate VerifyReverseMapping since it's dangerous if combined
     with IP based access control as noted by Mike Harding; replace with
     a UseDNS option, UseDNS is on by default and includes the
     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
     ok deraadt@, djm@
 - (djm) Fix portable-specific uses of verify_reverse_mapping too
Damien Miller 2003-06-03 10:25:48 +10:00
Родитель 35276253a6
Коммит 3a961dc0d3
16 изменённых файлов: 91 добавлений и 68 удалений


@ -1,6 +1,17 @@
20030603
- (djm) Replace setproctitle replacement with code derived from
UCB sendmail
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34
[auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
[canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
[sshd_config.5]
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@
- (djm) Fix portable-specific uses of verify_reverse_mapping too
20030602
- (djm) Fix segv from bad reordering in auth-pam.c
@ -1648,4 +1659,4 @@
save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@
$Id: ChangeLog,v 1.2764 2003/06/03 00:14:28 djm Exp $
$Id: ChangeLog,v 1.2765 2003/06/03 00:25:48 djm Exp $


@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-options.c,v 1.27 2003/04/08 20:21:28 itojun Exp $");
RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
#include "xmalloc.h"
#include "match.h"
@ -173,7 +173,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname(
options.verify_reverse_mapping);
options.use_dns);
char *patterns = xmalloc(strlen(opts) + 1);
opts += strlen(cp);


@ -31,7 +31,7 @@
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h"
RCSID("$Id: auth-pam.c,v 1.63 2003/06/02 01:04:39 djm Exp $");
RCSID("$Id: auth-pam.c,v 1.64 2003/06/03 00:25:48 djm Exp $");
#ifdef USE_PAM
#include <security/pam_appl.h>
@ -299,8 +299,7 @@ sshpam_init(const char *user)
sshpam_handle = NULL;
return (-1);
}
pam_rhost = get_remote_name_or_ip(utmp_len,
options.verify_reverse_mapping);
pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
if (sshpam_err != PAM_SUCCESS) {


@ -144,20 +144,22 @@ auth_password(Authctxt *authctxt, const char *password)
HANDLE hToken = cygwin_logon_user(pw, password);
if (hToken == INVALID_HANDLE_VALUE)
return 0;
return (0);
cygwin_set_impersonation_token(hToken);
return 1;
return (1);
}
# endif
# ifdef WITH_AIXAUTHENTICATE
authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
if (authsuccess)
if (authsuccess) {
/* We don't have a pty yet, so just label the line as "ssh" */
if (loginsuccess(authctxt->user,
get_canonical_hostname(options.verify_reverse_mapping),
"ssh", &aixloginmsg) < 0)
get_canonical_hostname(options.use_dns),
"ssh", &aixloginmsg) < 0) {
aixloginmsg = NULL;
}
}
return (authsuccess);
# endif


@ -13,7 +13,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.35 2003/04/08 20:21:28 itojun Exp $");
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");
#include "packet.h"
#include "uidswap.h"
@ -63,7 +63,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
client_host_key->rsa == NULL)
return 0;
chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
chost = (char *)get_canonical_hostname(options.use_dns);
debug("Rhosts RSA authentication: canonical host %.900s", chost);
if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {


@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rhosts.c,v 1.30 2003/05/17 03:25:58 itojun Exp $");
RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $");
#include "packet.h"
#include "uidswap.h"
@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
{
const char *hostname, *ipaddr;
hostname = get_canonical_hostname(options.verify_reverse_mapping);
hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
return auth_rhosts2(pw, client_user, hostname, ipaddr);
}


@ -52,7 +52,7 @@ auth_sia_password(Authctxt *authctxt, char *pass)
SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.verify_reverse_mapping);
host = get_canonical_hostname(options.use_dns);
if (!authctxt->user || pass == NULL || pass[0] == '\0')
return (0);
@ -81,7 +81,7 @@ session_setup_sia(struct passwd *pw, char *tty)
SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.verify_reverse_mapping);
host = get_canonical_hostname(options.use_dns);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
tty, 0, NULL) != SIASUCCESS)

4
auth.c

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.47 2003/04/08 20:21:28 itojun Exp $");
RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
@ -141,7 +141,7 @@ allowed_user(struct passwd * pw)
}
if (options.num_deny_users > 0 || options.num_allow_users > 0) {
hostname = get_canonical_hostname(options.verify_reverse_mapping);
hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
}


@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth2-hostbased.c,v 1.3 2003/04/08 20:21:28 itojun Exp $");
RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $");
#include "ssh2.h"
#include "xmalloc.h"
@ -136,7 +136,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
HostStatus host_status;
int len;
resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
resolvedname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",


@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: canohost.c,v 1.36 2003/04/08 20:21:28 itojun Exp $");
RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
*/
static char *
get_remote_hostname(int socket, int verify_reverse_mapping)
get_remote_hostname(int socket, int use_dns)
{
struct sockaddr_storage from;
int i;
@ -72,6 +72,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
NULL, 0, NI_NUMERICHOST) != 0)
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
if (!use_dns)
return xstrdup(ntop);
if (from.ss_family == AF_INET)
check_ip_options(socket, ntop);
@ -80,14 +83,24 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
#if 0
logit("Could not reverse map address %.100s.", ntop);
#endif
return xstrdup(ntop);
}
/* Got host name. */
name[sizeof(name) - 1] = '\0';
/*
* if reverse lookup result looks like a numeric hostname,
* someone is trying to trick us by PTR record like following:
* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
*/
memset(&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
if (getaddrinfo(name, "0", &hints, &ai) == 0) {
logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
name, ntop);
freeaddrinfo(ai);
return xstrdup(ntop);
}
/*
* Convert it to all lowercase (which is expected by the rest
* of this software).
@ -95,9 +108,6 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
for (i = 0; name[i]; i++)
if (isupper(name[i]))
name[i] = tolower(name[i]);
if (!verify_reverse_mapping)
return xstrdup(name);
/*
* Map it back to an IP address and check that the given
* address actually is an address of this host. This is
@ -180,14 +190,14 @@ check_ip_options(int socket, char *ipaddr)
*/
const char *
get_canonical_hostname(int verify_reverse_mapping)
get_canonical_hostname(int use_dns)
{
static char *canonical_host_name = NULL;
static int verify_reverse_mapping_done = 0;
static int use_dns_done = 0;
/* Check if we have previously retrieved name with same option. */
if (canonical_host_name != NULL) {
if (verify_reverse_mapping_done != verify_reverse_mapping)
if (use_dns_done != use_dns)
xfree(canonical_host_name);
else
return canonical_host_name;
@ -196,11 +206,11 @@ get_canonical_hostname(int verify_reverse_mapping)
/* Get the real hostname if socket; otherwise return UNKNOWN. */
if (packet_connection_is_on_socket())
canonical_host_name = get_remote_hostname(
packet_get_connection_in(), verify_reverse_mapping);
packet_get_connection_in(), use_dns);
else
canonical_host_name = xstrdup("UNKNOWN");
verify_reverse_mapping_done = verify_reverse_mapping;
use_dns_done = use_dns;
return canonical_host_name;
}
@ -294,11 +304,11 @@ get_remote_ipaddr(void)
}
const char *
get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
get_remote_name_or_ip(u_int utmp_len, int use_dns)
{
static const char *remote = "";
if (utmp_len > 0)
remote = get_canonical_hostname(verify_reverse_mapping);
remote = get_canonical_hostname(use_dns);
if (utmp_len == 0 || strlen(remote) > utmp_len)
remote = get_remote_ipaddr();
return remote;
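Review bot: The new early return `if (!use_dns) return xstrdup(ntop);` in get_remote_hostname sits above the `check_ip_options(socket, ntop)` call, so a server configured with UseDNS no never reaches the IP-options check that the old code ran unconditionally (the old gate, the removed `if (!verify_reverse_mapping) return xstrdup(name);`, came after the lookup, not before the check). If check_ip_options is the source-route rejection its name and the AF_INET guard suggest, that is a silent weakening for exactly the deployments that turn DNS off. Keeping the old ordering only requires moving the two added lines below the check: `if (from.ss_family == AF_INET) check_ip_options(socket, ntop);` followed by `if (!use_dns) return xstrdup(ntop);`. get_remote_hostname's body starts and ends outside this hunk.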


@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor.c,v 1.41 2003/05/24 09:30:40 djm Exp $");
RCSID("$OpenBSD: monitor.c,v 1.42 2003/06/02 09:17:34 markus Exp $");
#include <openssl/dh.h>
@ -1157,7 +1157,7 @@ mm_record_login(Session *s, struct passwd *pw)
}
/* Record that there was a login on that tty from the remote host. */
record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
get_remote_name_or_ip(utmp_len, options.use_dns),
(struct sockaddr *)&from, fromlen);
}


@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $");
RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
#if defined(KRB4)
#include <krb.h>
@ -116,7 +116,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_rate = -1;
options->max_startups = -1;
options->banner = NULL;
options->verify_reverse_mapping = -1;
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
@ -232,8 +232,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
if (options->verify_reverse_mapping == -1)
options->verify_reverse_mapping = 0;
if (options->use_dns == -1)
options->use_dns = 1;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
@ -282,7 +282,7 @@ typedef enum {
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sUsePrivilegeSeparation,
@ -366,8 +366,9 @@ static struct {
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
{ "banner", sBanner },
{ "verifyreversemapping", sVerifyReverseMapping },
{ "reversemappingcheck", sVerifyReverseMapping },
{ "usedns", sUseDNS },
{ "verifyreversemapping", sDeprecated },
{ "reversemappingcheck", sDeprecated },
{ "clientaliveinterval", sClientAliveInterval },
{ "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile },
@ -723,8 +724,8 @@ parse_flag:
intptr = &options->gateway_ports;
goto parse_flag;
case sVerifyReverseMapping:
intptr = &options->verify_reverse_mapping;
case sUseDNS:
intptr = &options->use_dns;
goto parse_flag;
case sLogFacility:
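Review bot: The two keyword-table entries that now map `verifyreversemapping` and `reversemappingcheck` to sDeprecated carry no hint of what replaced them, so someone reading the source after seeing a deprecation warning cannot tell that the check they had configured is still performed under UseDNS, which fill_default_server_options now turns on by default. A one-line comment above the pair, `/* replaced by UseDNS (default on), which includes the reverse-mapping check */`, would make that explicit. Whether the sDeprecated handler names the offending keyword in its warning is not visible in this hunk; if it does not, the keyword should be included so the administrator knows which line to remove.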


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.60 2003/05/15 01:48:10 jakob Exp $ */
/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -112,7 +112,7 @@ typedef struct {
int max_startups_rate;
int max_startups;
char *banner; /* SSH-2 banner message */
int verify_reverse_mapping; /* cross-check ip and dns */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
* see if it's still there
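Review bot: `int use_dns;` replaces a field that carried a comment (`/* cross-check ip and dns */`) with none, in a struct where the neighbouring fields are all annotated. Since the new option covers more than the old one (resolve the remote host name and verify it maps back to the connecting address, per the commit message), the field should say so: `int use_dns; /* resolve remote host name and verify it maps back to the address */`. The typedef'd struct starts and ends outside this hunk.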


@ -33,7 +33,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: session.c,v 1.157 2003/05/14 22:24:42 markus Exp $");
RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -694,7 +694,7 @@ do_pre_login(Session *s)
}
record_utmp_only(pid, s->tty, s->pw->pw_name,
get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
get_remote_name_or_ip(utmp_len, options.use_dns),
(struct sockaddr *)&from, fromlen);
}
#endif
@ -749,7 +749,7 @@ do_login(Session *s, const char *command)
if (!use_privsep)
record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
get_remote_name_or_ip(utmp_len,
options.verify_reverse_mapping),
options.use_dns),
(struct sockaddr *)&from, fromlen);
#ifdef USE_PAM
@ -1353,7 +1353,7 @@ do_child(Session *s, const char *command)
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
options.verify_reverse_mapping);
options.use_dns);
/*
* Close the connection descriptors; note that this is the child, and
* the server will still have the socket open, and it is important


@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# $OpenBSD: sshd_config,v 1.60 2003/06/02 09:17:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@ -88,7 +88,7 @@
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
#UseDNS yes
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $
.\" $OpenBSD: sshd_config.5,v 1.18 2003/06/02 09:17:34 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -585,6 +585,14 @@ Gives the facility code that is used when logging messages from
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm UseDNS
Specifies whether
.Nm sshd
should lookup the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq yes .
.It Cm UseLogin
Specifies whether
.Xr login 1
@ -622,14 +630,6 @@ The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
.It Cm VerifyReverseMapping
Specifies whether
.Nm sshd
should try to verify the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq no .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's