Bug #1848
sshd always tries to resolve client's IP to hostname
Start date:
2011-12-03
% Done:
100%
Difficulty:
Medium
Description
I have the following options in my sshd_config:
LookupClientHostnames no
VerifyReverseMapping no
but I see that sshd ignores the second option (I started sshd with debugging enabled and saw that it logs "Trying to reverse map address .....", i.e. the reverse lookup is attempted regardless of the setting).
Source of get_remote_hostname from usr/src/cmd/ssh/libssh/common/canohost.c (illumos-gate); note that the getnameinfo(NI_NAMEREQD) reverse lookup is issued unconditionally and verify_reverse_mapping is only consulted after it has completed:
37 static char * 38 get_remote_hostname(int socket, int verify_reverse_mapping) 39 { 40 struct sockaddr_storage from; 41 int i, res; 42 socklen_t fromlen; 43 struct addrinfo hints, *ai, *aitop; 44 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 45 46 /* Get IP address of client. */ 47 fromlen = sizeof(from); 48 memset(&from, 0, sizeof(from)); 49 if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) { 50 debug("getpeername failed: %.100s", strerror(errno)); 51 fatal_cleanup(); 52 } 53 54 if ((res = getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 55 NULL, 0, NI_NUMERICHOST)) != 0) 56 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed: %d", res); 57 58 #ifdef IPV4_IN_IPV6 59 if (from.ss_family == AF_INET6) { 60 struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from; 61 62 (void) inet_ntop_native(from.ss_family, 63 from6->sin6_addr.s6_addr, 64 ntop, sizeof(ntop)); 65 } 66 #endif /* IPV4_IN_IPV6 */ 67 68 debug3("Trying to reverse map address %.100s.", ntop); 69 /* Map the IP address to a host name. */ 70 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 71 NULL, 0, NI_NAMEREQD) != 0) { 72 /* Host name not found. Use ip address. */ 73 #if 0 74 log("Could not reverse map address %.100s.", ntop); 75 #endif 76 return xstrdup(ntop); 77 } 78 79 /* Got host name. */ 80 name[sizeof(name) - 1] = '\0'; 81 /* 82 * Convert it to all lowercase (which is expected by the rest 83 * of this software). 84 */ 85 for (i = 0; name[i]; i++) 86 if (isupper(name[i])) 87 name[i] = tolower(name[i]); 88 89 if (!verify_reverse_mapping) 90 return xstrdup(name); .... ....
The same block of source code from OpenSSH 5.9, where the use_dns check returns the numeric address before any reverse lookup is attempted:
47 static char * 48 get_remote_hostname(int sock, int use_dns) 49 { 50 struct sockaddr_storage from; 51 int i; 52 socklen_t fromlen; 53 struct addrinfo hints, *ai, *aitop; 54 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 55 56 /* Get IP address of client. */ 57 fromlen = sizeof(from); 58 memset(&from, 0, sizeof(from)); 59 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 60 debug("getpeername failed: %.100s", strerror(errno)); 61 cleanup_exit(255); 62 } 63 64 if (from.ss_family == AF_INET) 65 check_ip_options(sock, ntop); 66 67 ipv64_normalise_mapped(&from, &fromlen); 68 69 if (from.ss_family == AF_INET6) 70 fromlen = sizeof(struct sockaddr_in6); 71 72 if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 73 NULL, 0, NI_NUMERICHOST) != 0) 74 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 75 76 if (!use_dns) 77 return xstrdup(ntop); 78 79 debug3("Trying to reverse map address %.100s.", ntop); 80 /* Map the IP address to a host name. */ 81 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 82 NULL, 0, NI_NAMEREQD) != 0) { 83 /* Host name not found. Use ip address. */ 84 return xstrdup(ntop); 85 } ..... .....
I found that this bug was fixed in OpenSSH 8 years ago:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/canohost.c.diff?r1=1.36;r2=1.37;f=h
So could you please fix this bug?
Thanks.