Bug #1848

sshd always tries to resolve client's IP to hostname

Added by Roman Strashkin over 2 years ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee: Vitaliy Gusev
Category: cmd - userland programs
Target version: -
Difficulty: Medium
Start date: 2011-12-03
Due date:
% Done: 100%
Spent time: -
Tags:

Description

I have the following options in my sshd_config:

LookupClientHostnames no
VerifyReverseMapping no

but I see that sshd ignores the second option (I started sshd with debug enabled and see that it says "Trying to reverse map address .....")

Source of get_remote_hostname from usr/src/cmd/ssh/libssh/common/canohost.c (illumos-gate):

static char *
get_remote_hostname(int socket, int verify_reverse_mapping)
{
    struct sockaddr_storage from;
    int i, res;
    socklen_t fromlen;
    struct addrinfo hints, *ai, *aitop;
    char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];

    /* Get IP address of client. */
    fromlen = sizeof(from);
    memset(&from, 0, sizeof(from));
    if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
        debug("getpeername failed: %.100s", strerror(errno));
        fatal_cleanup();
    }

    if ((res = getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
        NULL, 0, NI_NUMERICHOST)) != 0)
        fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed: %d", res);

#ifdef IPV4_IN_IPV6
    if (from.ss_family == AF_INET6) {
        struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from;

        (void) inet_ntop_native(from.ss_family,
                from6->sin6_addr.s6_addr,
                ntop, sizeof(ntop));
    }
#endif /* IPV4_IN_IPV6 */

    debug3("Trying to reverse map address %.100s.", ntop);
    /* Map the IP address to a host name. */
    if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
        NULL, 0, NI_NAMEREQD) != 0) {
        /* Host name not found.  Use ip address. */
#if 0
        log("Could not reverse map address %.100s.", ntop);
#endif
        return xstrdup(ntop);
    }

    /* Got host name. */
    name[sizeof(name) - 1] = '\0';
    /*
     * Convert it to all lowercase (which is expected by the rest
     * of this software).
     */
    for (i = 0; name[i]; i++)
        if (isupper(name[i]))
            name[i] = tolower(name[i]);

    if (!verify_reverse_mapping)
        return xstrdup(name);
....
....

Same block of source code from OpenSSH 5.9:

static char *
get_remote_hostname(int sock, int use_dns)
{
    struct sockaddr_storage from;
    int i;
    socklen_t fromlen;
    struct addrinfo hints, *ai, *aitop;
    char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];

    /* Get IP address of client. */
    fromlen = sizeof(from);
    memset(&from, 0, sizeof(from));
    if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
        debug("getpeername failed: %.100s", strerror(errno));
        cleanup_exit(255);
    }

    if (from.ss_family == AF_INET)
        check_ip_options(sock, ntop);

    ipv64_normalise_mapped(&from, &fromlen);

    if (from.ss_family == AF_INET6)
        fromlen = sizeof(struct sockaddr_in6);

    if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
        NULL, 0, NI_NUMERICHOST) != 0)
        fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");

    if (!use_dns)
        return xstrdup(ntop);

    debug3("Trying to reverse map address %.100s.", ntop);
    /* Map the IP address to a host name. */
    if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
        NULL, 0, NI_NAMEREQD) != 0) {
        /* Host name not found.  Use ip address. */
        return xstrdup(ntop);
    }
.....
.....

I found that this bug was fixed 8 years ago in OpenSSH:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/canohost.c.diff?r1=1.36;r2=1.37;f=h

So could you please fix this bug?
Thanks.

History

Updated by Rich Lowe over 2 years ago

This is fixed in the SmartOS tree, too, if someone wants an easy place to pull diffs from.

Updated by Vitaliy Gusev over 2 years ago

  • Assignee set to Vitaliy Gusev

Updated by Vitaliy Gusev over 2 years ago

Just moving

"if (!verify_reverse_mapping)"

is enough. Don't sync with full commit because it removes "VerifyReverseMapping".

Updated by Rich Lowe over 2 years ago

It doesn't remove anything that I can see, it just changes the name of a few arguments.

The fix related to PTR records looks like it'd be really nice to have, too.

Updated by Vitaliy Gusev over 2 years ago

Rich Lowe wrote:

> It doesn't remove anything that I can see, it just changes the name of a few arguments.

No, VerifyReverseMapping becomes deprecated.

You just saw only part of the commit because CVS was used. Please see the full commit:

http://sisyphus.ru/ru/srpm/Branch3/openssh/patches/30

> The fix related to PTR records looks like it'd be really nice to have, too.

It is not related to this bug.

Updated by Rich Lowe over 2 years ago

> > The fix related to PTR records looks like it'd be really nice to have, too.
>
> It is not related to this bug.

No, but it still might be a good idea, so I filed #1858.

Updated by Rich Lowe over 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
  • Tags deleted (needs-triage)

Resolved in r13566 b2b4f797c428

Updated by Richard PALO about 1 year ago

I notice that the manpage indicates:

    VerifyReverseMapping

         Specifies whether sshd should try to verify  the  remote
         host  name and check that the resolved host name for the
         remote IP address maps back to the very same IP address.
         (A  yes  setting means "verify".) Setting this parameter
         to no can be useful where DNS servers might be down  and
         thus cause sshd to spend much time trying to resolve the
         client's IP address to a name. This  feature  is  useful
         for Internet-facing servers. The default is no.

but I had to explicitly set it to no for it to work, at least on omnios bloody latest.
