Bug #1848
sshd always tries to resolve client's IP to hostname
Start date:
2011-12-03
Due date:
% Done:
100%
Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:
Description
I have follow options in my sshd_config:
LookupClientHostnames no
VerifyReverseMapping no
but i see that sshd ignores second option (i started sshd with enabled debug and see that it says "Trying to reverse map address .....")
Source of get_remote_hostname from usr/src/cmd/ssh/libssh/common/canohost.c (illumos-gate)
37 static char *
38 get_remote_hostname(int socket, int verify_reverse_mapping)
39 {
40 struct sockaddr_storage from;
41 int i, res;
42 socklen_t fromlen;
43 struct addrinfo hints, *ai, *aitop;
44 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
45
46 /* Get IP address of client. */
47 fromlen = sizeof(from);
48 memset(&from, 0, sizeof(from));
49 if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
50 debug("getpeername failed: %.100s", strerror(errno));
51 fatal_cleanup();
52 }
53
54 if ((res = getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
55 NULL, 0, NI_NUMERICHOST)) != 0)
56 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed: %d", res);
57
58 #ifdef IPV4_IN_IPV6
59 if (from.ss_family == AF_INET6) {
60 struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from;
61
62 (void) inet_ntop_native(from.ss_family,
63 from6->sin6_addr.s6_addr,
64 ntop, sizeof(ntop));
65 }
66 #endif /* IPV4_IN_IPV6 */
67
68 debug3("Trying to reverse map address %.100s.", ntop);
69 /* Map the IP address to a host name. */
70 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
71 NULL, 0, NI_NAMEREQD) != 0) {
72 /* Host name not found. Use ip address. */
73 #if 0
74 log("Could not reverse map address %.100s.", ntop);
75 #endif
76 return xstrdup(ntop);
77 }
78
79 /* Got host name. */
80 name[sizeof(name) - 1] = '\0';
81 /*
82 * Convert it to all lowercase (which is expected by the rest
83 * of this software).
84 */
85 for (i = 0; name[i]; i++)
86 if (isupper(name[i]))
87 name[i] = tolower(name[i]);
88
89 if (!verify_reverse_mapping)
90 return xstrdup(name);
....
....
Same block of source code from OpenSSH 5.9
47 static char *
48 get_remote_hostname(int sock, int use_dns)
49 {
50 struct sockaddr_storage from;
51 int i;
52 socklen_t fromlen;
53 struct addrinfo hints, *ai, *aitop;
54 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
55
56 /* Get IP address of client. */
57 fromlen = sizeof(from);
58 memset(&from, 0, sizeof(from));
59 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
60 debug("getpeername failed: %.100s", strerror(errno));
61 cleanup_exit(255);
62 }
63
64 if (from.ss_family == AF_INET)
65 check_ip_options(sock, ntop);
66
67 ipv64_normalise_mapped(&from, &fromlen);
68
69 if (from.ss_family == AF_INET6)
70 fromlen = sizeof(struct sockaddr_in6);
71
72 if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
73 NULL, 0, NI_NUMERICHOST) != 0)
74 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
75
76 if (!use_dns)
77 return xstrdup(ntop);
78
79 debug3("Trying to reverse map address %.100s.", ntop);
80 /* Map the IP address to a host name. */
81 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
82 NULL, 0, NI_NAMEREQD) != 0) {
83 /* Host name not found. Use ip address. */
84 return xstrdup(ntop);
85 }
.....
.....
I found that this bug was fixed 8 years ago in OpenSSH:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/canohost.c.diff?r1=1.36;r2=1.37;f=h
So could you please fix this bug.
Thanks.
Updated by 
Updated by 
Updated by