- markus@cvs.openbsd.org 2002/01/29 14:32:03

[auth2.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c canohost.c servconf.c servconf.h session.c sshd.8 sshd_config]
     s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

ChangeLog

@@ -31,6 +31,11 @@
    - markus@cvs.openbsd.org 2002/01/29 14:27:57
      [ssh-add.c]
      exit 2 if no agent, exit 1 if list fails; debian#61078; ok djm@
+   - markus@cvs.openbsd.org 2002/01/29 14:32:03
+     [auth2.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c canohost.c]
+     [servconf.c servconf.h session.c sshd.8 sshd_config]
+     s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; 
+     ok stevesk@
 
 20020130
  - (djm) Delay PRNG seeding until we need it in ssh-keygen, from markus@
@@ -7433,4 +7438,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1807 2002/02/05 01:12:49 djm Exp $
+$Id: ChangeLog,v 1.1808 2002/02/05 01:13:41 djm Exp $

auth-options.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.20 2001/08/30 20:36:34 stevesk Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -170,7 +170,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			const char *remote_ip = get_remote_ipaddr();
 			const char *remote_host = get_canonical_hostname(
-			    options.reverse_mapping_check);
+			    options.verify_reverse_mapping);
 			char *patterns = xmalloc(strlen(opts) + 1);
 
 			opts += strlen(cp);

auth-rh-rsa.c

@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.27 2001/12/27 19:54:53 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.28 2002/01/29 14:32:03 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -48,7 +48,7 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, Key *client_host_key
 		return 0;
 
 	canonical_hostname = get_canonical_hostname(
-	    options.reverse_mapping_check);
+	    options.verify_reverse_mapping);
 
 	debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
 

auth-rhosts.c

@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.25 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.26 2002/01/29 14:32:03 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
 	const char *hostname, *ipaddr;
 	int ret;
 
-	hostname = get_canonical_hostname(options.reverse_mapping_check);
+	hostname = get_canonical_hostname(options.verify_reverse_mapping);
 	ipaddr = get_remote_ipaddr();
 	ret = auth_rhosts2(pw, client_user, hostname, ipaddr);
 	return ret;

auth.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.31 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth.c,v 1.32 2002/01/29 14:32:03 markus Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -111,7 +111,7 @@ allowed_user(struct passwd * pw)
 		return 0;
 
 	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-		hostname = get_canonical_hostname(options.reverse_mapping_check);
+		hostname = get_canonical_hostname(options.verify_reverse_mapping);
 		ipaddr = get_remote_ipaddr();
 	}
 

auth2.c

@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.82 2002/01/13 17:57:37 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.83 2002/01/29 14:32:03 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -743,7 +743,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 	HostStatus host_status;
 	int len;
 
-	resolvedname = get_canonical_hostname(options.reverse_mapping_check);
+	resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
 	ipaddr = get_remote_ipaddr();
 
 	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",

canohost.c

@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.29 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.30 2002/01/29 14:32:03 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
  */
 
 static char *
-get_remote_hostname(int socket, int reverse_mapping_check)
+get_remote_hostname(int socket, int verify_reverse_mapping)
 {
 	struct sockaddr_storage from;
 	int i;
@@ -90,7 +90,7 @@ get_remote_hostname(int socket, int reverse_mapping_check)
 		if (isupper(name[i]))
 			name[i] = tolower(name[i]);
 
-	if (!reverse_mapping_check)
+	if (!verify_reverse_mapping)
 		return xstrdup(name);
 	/*
 	 * Map it back to an IP address and check that the given
@@ -174,14 +174,14 @@ check_ip_options(int socket, char *ipaddr)
  */
 
 const char *
-get_canonical_hostname(int reverse_mapping_check)
+get_canonical_hostname(int verify_reverse_mapping)
 {
 	static char *canonical_host_name = NULL;
-	static int reverse_mapping_checked = 0;
+	static int verify_reverse_mapping_done = 0;
 
 	/* Check if we have previously retrieved name with same option. */
 	if (canonical_host_name != NULL) {
-		if (reverse_mapping_checked != reverse_mapping_check)
+		if (verify_reverse_mapping_done != verify_reverse_mapping)
 			xfree(canonical_host_name);
 		else
 			return canonical_host_name;
@@ -190,11 +190,11 @@ get_canonical_hostname(int reverse_mapping_check)
 	/* Get the real hostname if socket; otherwise return UNKNOWN. */
 	if (packet_connection_is_on_socket())
 		canonical_host_name = get_remote_hostname(
-		    packet_get_connection_in(), reverse_mapping_check);
+		    packet_get_connection_in(), verify_reverse_mapping);
 	else
 		canonical_host_name = xstrdup("UNKNOWN");
 
-	reverse_mapping_checked = reverse_mapping_check;
+	verify_reverse_mapping_done = verify_reverse_mapping;
 	return canonical_host_name;
 }
 
@@ -281,11 +281,11 @@ get_remote_ipaddr(void)
 }
 
 const char *
-get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check)
+get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
 {
 	static const char *remote = "";
 	if (utmp_len > 0)
-		remote = get_canonical_hostname(reverse_mapping_check);
+		remote = get_canonical_hostname(verify_reverse_mapping);
 	if (utmp_len == 0 || strlen(remote) > utmp_len)
 		remote = get_remote_ipaddr();
 	return remote;

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.99 2002/01/27 14:57:46 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.100 2002/01/29 14:32:03 markus Exp $");
 
 #if defined(KRB4) || defined(KRB5)
 #include <krb.h>
@@ -105,7 +105,7 @@ initialize_server_options(ServerOptions *options)
 	options->max_startups_rate = -1;
 	options->max_startups = -1;
 	options->banner = NULL;
-	options->reverse_mapping_check = -1;
+	options->verify_reverse_mapping = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
 	options->authorized_keys_file = NULL;
@@ -220,8 +220,8 @@ fill_default_server_options(ServerOptions *options)
 		options->max_startups_rate = 100;		/* 100% */
 	if (options->max_startups_begin == -1)
 		options->max_startups_begin = options->max_startups;
-	if (options->reverse_mapping_check == -1)
-		options->reverse_mapping_check = 0;
+	if (options->verify_reverse_mapping == -1)
+		options->verify_reverse_mapping = 0;
 	if (options->client_alive_interval == -1)
 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
@@ -264,7 +264,7 @@ typedef enum {
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
-	sBanner, sReverseMappingCheck, sHostbasedAuthentication,
+	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sDeprecated
@@ -336,7 +336,8 @@ static struct {
 	{ "subsystem", sSubsystem },
 	{ "maxstartups", sMaxStartups },
 	{ "banner", sBanner },
-	{ "reversemappingcheck", sReverseMappingCheck },
+	{ "verifyreversemapping", sVerifyReverseMapping },
+	{ "reversemappingcheck", sVerifyReverseMapping },
 	{ "clientaliveinterval", sClientAliveInterval },
 	{ "clientalivecountmax", sClientAliveCountMax },
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
@@ -687,8 +688,8 @@ parse_flag:
 		intptr = &options->gateway_ports;
 		goto parse_flag;
 
-	case sReverseMappingCheck:
-		intptr = &options->reverse_mapping_check;
+	case sVerifyReverseMapping:
+		intptr = &options->verify_reverse_mapping;
 		goto parse_flag;
 
 	case sLogFacility:

servconf.h

@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.52 2002/01/27 14:57:46 stevesk Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.53 2002/01/29 14:32:03 markus Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -116,7 +116,7 @@ typedef struct {
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
-	int	reverse_mapping_check;	/* cross-check ip and dns */
+	int	verify_reverse_mapping;	/* cross-check ip and dns */
 	int	client_alive_interval;	/*
 					 * poke the client this often to
 					 * see if it's still there

session.c

@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.119 2002/01/27 14:57:46 stevesk Exp $");
+RCSID("$OpenBSD: session.c,v 1.120 2002/01/29 14:32:03 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -717,7 +717,7 @@ do_login(Session *s, const char *command)
 
 	/* Record that there was a login on that tty from the remote host. */
 	record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
-	    get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
+	    get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
 	    (struct sockaddr *)&from);
 
 #ifdef USE_PAM
@@ -1287,7 +1287,7 @@ do_child(Session *s, const char *command)
 	/* we have to stash the hostname before we close our socket. */
 	if (options.use_login)
 		hostname = get_remote_name_or_ip(utmp_len,
-		    options.reverse_mapping_check);
+		    options.verify_reverse_mapping);
 	/*
 	 * Close the connection descriptors; note that this is the child, and
 	 * the server will still have the socket open, and it is important

sshd.8

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.164 2002/01/27 14:57:46 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.165 2002/01/29 14:32:03 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -766,14 +766,6 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
-.It Cm ReverseMappingCheck
-Specifies whether
-.Nm
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
 .It Cm RhostsAuthentication
 Specifies whether authentication using rhosts or /etc/hosts.equiv
 files is sufficient.
@@ -841,6 +833,14 @@ will be disabled because
 does not know how to handle
 .Xr xauth 1
 cookies.
+.It Cm VerifyReverseMapping
+Specifies whether
+.Nm
+should try to verify the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's

sshd_config

@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.45 2002/01/27 14:57:46 stevesk Exp $
+#	$OpenBSD: sshd_config,v 1.46 2002/01/29 14:32:03 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See sshd(8)
 # for more information.
@@ -86,7 +86,7 @@
 #MaxStartups 10
 # no default banner path
 #Banner /some/path
-#ReverseMappingCheck no
+#VerifyReverseMapping no
 
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server