
Bug #1848

closed

sshd always tries to resolve client's IP to hostname

Added by Roman Strashkin over 9 years ago. Updated about 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
cmd - userland programs
Start date:
2011-12-03
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

I have the following options in my sshd_config:

LookupClientHostnames no
VerifyReverseMapping no

but I see that sshd ignores the second option (I started sshd with debugging enabled and saw that it prints "Trying to reverse map address ....." regardless).

Source of get_remote_hostname from usr/src/cmd/ssh/libssh/common/canohost.c (illumos-gate); note that the reverse lookup with NI_NAMEREQD is attempted before verify_reverse_mapping is ever consulted:

 37 static char *
 38 get_remote_hostname(int socket, int verify_reverse_mapping)
 39 {
 40     struct sockaddr_storage from;
 41     int i, res;
 42     socklen_t fromlen;
 43     struct addrinfo hints, *ai, *aitop;
 44     char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
 45 
 46     /* Get IP address of client. */
 47     fromlen = sizeof(from);
 48     memset(&from, 0, sizeof(from));
 49     if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
 50         debug("getpeername failed: %.100s", strerror(errno));
 51         fatal_cleanup();
 52     }
 53 
 54     if ((res = getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
 55         NULL, 0, NI_NUMERICHOST)) != 0)
 56         fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed: %d", res);
 57 
 58 #ifdef IPV4_IN_IPV6
 59     if (from.ss_family == AF_INET6) {
 60         struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from;
 61 
 62         (void) inet_ntop_native(from.ss_family,
 63                 from6->sin6_addr.s6_addr,
 64                 ntop, sizeof(ntop));
 65     }
 66 #endif /* IPV4_IN_IPV6 */
 67 
 68     debug3("Trying to reverse map address %.100s.", ntop);
 69     /* Map the IP address to a host name. */
 70     if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 71         NULL, 0, NI_NAMEREQD) != 0) {
 72         /* Host name not found.  Use ip address. */
 73 #if 0
 74         log("Could not reverse map address %.100s.", ntop);
 75 #endif
 76         return xstrdup(ntop);
 77     }
 78 
 79     /* Got host name. */
 80     name[sizeof(name) - 1] = '\0';
 81     /*
 82      * Convert it to all lowercase (which is expected by the rest
 83      * of this software).
 84      */
 85     for (i = 0; name[i]; i++)
 86         if (isupper(name[i]))
 87             name[i] = tolower(name[i]);
 88 
 89     if (!verify_reverse_mapping)
 90         return xstrdup(name);
....
....

The same block of source code from OpenSSH 5.9, where the function returns the numeric address early when use_dns is not set, so no reverse lookup is attempted:

 47 static char *
 48 get_remote_hostname(int sock, int use_dns)
 49 {
 50     struct sockaddr_storage from;
 51     int i;
 52     socklen_t fromlen;
 53     struct addrinfo hints, *ai, *aitop;
 54     char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
 55 
 56     /* Get IP address of client. */
 57     fromlen = sizeof(from);
 58     memset(&from, 0, sizeof(from));
 59     if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
 60         debug("getpeername failed: %.100s", strerror(errno));
 61         cleanup_exit(255);
 62     }
 63 
 64     if (from.ss_family == AF_INET)
 65         check_ip_options(sock, ntop);
 66 
 67     ipv64_normalise_mapped(&from, &fromlen);
 68 
 69     if (from.ss_family == AF_INET6)
 70         fromlen = sizeof(struct sockaddr_in6);
 71 
 72     if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
 73         NULL, 0, NI_NUMERICHOST) != 0)
 74         fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
 75 
 76     if (!use_dns)
 77         return xstrdup(ntop);
 78 
 79     debug3("Trying to reverse map address %.100s.", ntop);
 80     /* Map the IP address to a host name. */
 81     if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 82         NULL, 0, NI_NAMEREQD) != 0) {
 83         /* Host name not found.  Use ip address. */
 84         return xstrdup(ntop);
 85     }
.....
.....

I found that this bug was fixed 8 years ago in OpenSSH (canohost.c revision 1.36 to 1.37):
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/canohost.c.diff?r1=1.36;r2=1.37;f=h

So could you please fix this bug?
Thanks.
