Bug #1848
sshd always tries to resolve client's IP to hostname
Status: closed
% Done: 100%
Description
I have the following options in my sshd_config:
LookupClientHostnames no
VerifyReverseMapping no
but I see that sshd ignores the second option (I started sshd with debugging enabled and saw that it says "Trying to reverse map address .....").
Source of get_remote_hostname from usr/src/cmd/ssh/libssh/common/canohost.c (illumos-gate)
static char *
get_remote_hostname(int socket, int verify_reverse_mapping)
{
    struct sockaddr_storage from;
    int i, res;
    socklen_t fromlen;
    struct addrinfo hints, *ai, *aitop;
    char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];

    /* Get IP address of client. */
    fromlen = sizeof(from);
    memset(&from, 0, sizeof(from));
    if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
        debug("getpeername failed: %.100s", strerror(errno));
        fatal_cleanup();
    }

    if ((res = getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
        NULL, 0, NI_NUMERICHOST)) != 0)
        fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed: %d", res);

#ifdef IPV4_IN_IPV6
    if (from.ss_family == AF_INET6) {
        struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from;

        (void) inet_ntop_native(from.ss_family,
            from6->sin6_addr.s6_addr,
            ntop, sizeof(ntop));
    }
#endif /* IPV4_IN_IPV6 */

    debug3("Trying to reverse map address %.100s.", ntop);
    /* Map the IP address to a host name. */
    if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
        NULL, 0, NI_NAMEREQD) != 0) {
        /* Host name not found. Use ip address. */
#if 0
        log("Could not reverse map address %.100s.", ntop);
#endif
        return xstrdup(ntop);
    }

    /* Got host name. */
    name[sizeof(name) - 1] = '\0';
    /*
     * Convert it to all lowercase (which is expected by the rest
     * of this software).
     */
    for (i = 0; name[i]; i++)
        if (isupper(name[i]))
            name[i] = tolower(name[i]);

    if (!verify_reverse_mapping)
        return xstrdup(name);
    ....
    ....
Same block of source code from OpenSSH 5.9
static char *
get_remote_hostname(int sock, int use_dns)
{
    struct sockaddr_storage from;
    int i;
    socklen_t fromlen;
    struct addrinfo hints, *ai, *aitop;
    char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];

    /* Get IP address of client. */
    fromlen = sizeof(from);
    memset(&from, 0, sizeof(from));
    if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
        debug("getpeername failed: %.100s", strerror(errno));
        cleanup_exit(255);
    }

    if (from.ss_family == AF_INET)
        check_ip_options(sock, ntop);

    ipv64_normalise_mapped(&from, &fromlen);

    if (from.ss_family == AF_INET6)
        fromlen = sizeof(struct sockaddr_in6);

    if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
        NULL, 0, NI_NUMERICHOST) != 0)
        fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");

    if (!use_dns)
        return xstrdup(ntop);

    debug3("Trying to reverse map address %.100s.", ntop);
    /* Map the IP address to a host name. */
    if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
        NULL, 0, NI_NAMEREQD) != 0) {
        /* Host name not found. Use ip address. */
        return xstrdup(ntop);
    }
    .....
    .....
I found that this bug was fixed 8 years ago in OpenSSH:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/canohost.c.diff?r1=1.36;r2=1.37;f=h
So could you please fix this bug.
Thanks.
Updated by Rich Lowe almost 12 years ago
This is fixed in the SmartOS tree, too, if someone wants an easy place to pull diffs from.
Updated by Vitaliy Gusev almost 12 years ago
Just moving
"if (!verify_reverse_mapping)"
is enough. Don't sync with the full commit because it removes "VerifyReverseMapping".
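To make the ordering problem from the report and the minimal fix proposed above concrete, here is an added, stand-alone model of get_remote_hostname(). It is my own illustration, not code from illumos-gate or OpenSSH: the real getnameinfo()/getaddrinfo() calls are replaced by injected resolver hooks (fake_reverse, fake_forward, both hypothetical names) over constructed DNS data in the TEST-NET ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so it runs offline and the number of reverse queries can be counted. remote_hostname_illumos_order() keeps the order of the quoted illumos code (reverse lookup first, flag checked afterwards); remote_hostname_fixed_order() moves the guard in front of the lookup, which is the shape of OpenSSH 5.9's use_dns and of the "just move the if" fix, and then applies the forward check that VerifyReverseMapping is documented to perform. The counter variable and the forged-PTR host (192.0.2.20, whose PTR name resolves to a different address) are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 256

/* Resolver hooks standing in for getnameinfo(NI_NAMEREQD) (reverse) and
 * getaddrinfo() (forward). Both return 0 on success, like the real calls. */
typedef int (*reverse_fn)(const char *ip, char *name, size_t len);
typedef int (*forward_fn)(const char *name, char *ip, size_t len);

/* Counts reverse queries so a caller can see whether DNS was consulted. */
int fake_reverse_calls = 0;

/* Constructed fake DNS data (not real hosts): 192.0.2.10 has a PTR whose
 * name maps back to it; 192.0.2.20 has a PTR whose name maps elsewhere. */
int fake_reverse(const char *ip, char *name, size_t len)
{
    const char *ptr = NULL;
    fake_reverse_calls++;
    if (strcmp(ip, "192.0.2.10") == 0)
        ptr = "Client.Example.Test";   /* mixed case, as a PTR may be */
    else if (strcmp(ip, "192.0.2.20") == 0)
        ptr = "spoofed.example.test";
    if (ptr == NULL)
        return -1;                      /* no PTR record */
    snprintf(name, len, "%s", ptr);
    return 0;
}

int fake_forward(const char *name, char *ip, size_t len)
{
    const char *a = NULL;
    if (strcmp(name, "client.example.test") == 0)
        a = "192.0.2.10";
    else if (strcmp(name, "spoofed.example.test") == 0)
        a = "198.51.100.1";             /* does not map back to 192.0.2.20 */
    if (a == NULL)
        return -1;                      /* no A record */
    snprintf(ip, len, "%s", a);
    return 0;
}

static char *xstrdup(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p == NULL)
        exit(1);
    return strcpy(p, s);
}

static void lowercase(char *s)
{
    for (; *s != '\0'; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Order of the illumos code quoted in the report: the reverse lookup is
 * issued first and the flag is consulted only afterwards, so one DNS
 * query is sent for every connection whatever the setting says. */
char *remote_hostname_illumos_order(const char *ntop, int verify,
    reverse_fn rev, forward_fn fwd)
{
    char name[HOST_MAX], back[HOST_MAX];
    if (rev(ntop, name, sizeof(name)) != 0)
        return xstrdup(ntop);           /* no PTR: fall back to the address */
    lowercase(name);
    if (!verify)
        return xstrdup(name);           /* flag checked too late */
    if (fwd(name, back, sizeof(back)) != 0 || strcmp(back, ntop) != 0)
        return xstrdup(ntop);           /* name does not map back: distrust it */
    return xstrdup(name);
}

/* Order after the fix (the shape of OpenSSH 5.9's use_dns): the guard comes
 * before any lookup, so "no" sends no DNS traffic at all, while "yes" still
 * requires the PTR name to resolve back to the connecting address. */
char *remote_hostname_fixed_order(const char *ntop, int use_dns,
    reverse_fn rev, forward_fn fwd)
{
    char name[HOST_MAX], back[HOST_MAX];
    if (!use_dns)
        return xstrdup(ntop);
    if (rev(ntop, name, sizeof(name)) != 0)
        return xstrdup(ntop);
    lowercase(name);
    if (fwd(name, back, sizeof(back)) != 0 || strcmp(back, ntop) != 0)
        return xstrdup(ntop);
    return xstrdup(name);
}

int main(void)
{
    char *h = remote_hostname_illumos_order("192.0.2.10", 0, fake_reverse, fake_forward);
    printf("verify=no, but reverse queries issued: %d (%s)\n", fake_reverse_calls, h);
    free(h);
    return 0;
}
```

With verify=no the illumos ordering still performs one reverse query per connection, which is exactly the "Trying to reverse map address" line the reporter saw; with the guard moved first, the same setting issues none, and a forged PTR under use_dns=yes is rejected in favour of the numeric address.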
Updated by Rich Lowe almost 12 years ago
It doesn't remove anything that I can see, it just changes the name of a few arguments.
The fix related to PTR records looks like it'd be really nice to have, too.
Updated by Vitaliy Gusev almost 12 years ago
Rich Lowe wrote:
It doesn't remove anything that I can see, it just changes the name of a few arguments.
No, VerifyReverseMapping becomes deprecated.
You saw only part of the commit because CVS was used. Please see the full commit:
http://sisyphus.ru/ru/srpm/Branch3/openssh/patches/30
The fix related to PTR records looks like it'd be really nice to have, too.
It is not related to this bug.
Updated by Rich Lowe almost 12 years ago
The fix related to PTR records looks like it'd be really nice to have, too.
It is not related to this bug.
No, but it still might be a good idea, so I filed #1858.
Updated by Rich Lowe over 11 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
- Tags deleted (needs-triage)
Resolved in r13566 commit:b2b4f797c428
Updated by Richard PALO over 10 years ago
I notice that the manpage indicates:
VerifyReverseMapping Specifies whether sshd should try to verify the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. (A yes setting means "verify".) Setting this parameter to no can be useful where DNS servers might be down and thus cause sshd to spend much time trying to resolve the client's IP address to a name. This feature is useful for Internet-facing servers. The default is no.
but I had to explicitly set it to no for it to work, at least on omnios bloody latest.