[auth2.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c canohost.c servconf.c servconf.h session.c sshd.8 sshd_config]
     s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
This commit is contained in:
Damien Miller 2002-02-05 12:13:41 +11:00
parent 43cba34b64
commit c5d8635d6a
12 changed files with 51 additions and 45 deletions


@ -31,6 +31,11 @@
- markus@cvs.openbsd.org 2002/01/29 14:27:57 - markus@cvs.openbsd.org 2002/01/29 14:27:57
[ssh-add.c] [ssh-add.c]
exit 2 if no agent, exit 1 if list fails; debian#61078; ok djm@ exit 2 if no agent, exit 1 if list fails; debian#61078; ok djm@
- markus@cvs.openbsd.org 2002/01/29 14:32:03
[auth2.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c canohost.c]
[servconf.c servconf.h session.c sshd.8 sshd_config]
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion;
ok stevesk@
20020130 20020130
- (djm) Delay PRNG seeding until we need it in ssh-keygen, from markus@ - (djm) Delay PRNG seeding until we need it in ssh-keygen, from markus@
@ -7433,4 +7438,4 @@
- Wrote replacements for strlcpy and mkdtemp - Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1 - Released 1.0pre1
$Id: ChangeLog,v 1.1807 2002/02/05 01:12:49 djm Exp $ $Id: ChangeLog,v 1.1808 2002/02/05 01:13:41 djm Exp $


@ -10,7 +10,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth-options.c,v 1.20 2001/08/30 20:36:34 stevesk Exp $"); RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $");
#include "packet.h" #include "packet.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -170,7 +170,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
if (strncasecmp(opts, cp, strlen(cp)) == 0) { if (strncasecmp(opts, cp, strlen(cp)) == 0) {
const char *remote_ip = get_remote_ipaddr(); const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname( const char *remote_host = get_canonical_hostname(
options.reverse_mapping_check); options.verify_reverse_mapping);
char *patterns = xmalloc(strlen(opts) + 1); char *patterns = xmalloc(strlen(opts) + 1);
opts += strlen(cp); opts += strlen(cp);


@ -13,7 +13,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.27 2001/12/27 19:54:53 markus Exp $"); RCSID("$OpenBSD: auth-rh-rsa.c,v 1.28 2002/01/29 14:32:03 markus Exp $");
#include "packet.h" #include "packet.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -48,7 +48,7 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, Key *client_host_key
return 0; return 0;
canonical_hostname = get_canonical_hostname( canonical_hostname = get_canonical_hostname(
options.reverse_mapping_check); options.verify_reverse_mapping);
debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname); debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);


@ -14,7 +14,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth-rhosts.c,v 1.25 2001/12/19 07:18:56 deraadt Exp $"); RCSID("$OpenBSD: auth-rhosts.c,v 1.26 2002/01/29 14:32:03 markus Exp $");
#include "packet.h" #include "packet.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
const char *hostname, *ipaddr; const char *hostname, *ipaddr;
int ret; int ret;
hostname = get_canonical_hostname(options.reverse_mapping_check); hostname = get_canonical_hostname(options.verify_reverse_mapping);
ipaddr = get_remote_ipaddr(); ipaddr = get_remote_ipaddr();
ret = auth_rhosts2(pw, client_user, hostname, ipaddr); ret = auth_rhosts2(pw, client_user, hostname, ipaddr);
return ret; return ret;

4
auth.c

@ -23,7 +23,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.31 2001/12/19 07:18:56 deraadt Exp $"); RCSID("$OpenBSD: auth.c,v 1.32 2002/01/29 14:32:03 markus Exp $");
#ifdef HAVE_LOGIN_H #ifdef HAVE_LOGIN_H
#include <login.h> #include <login.h>
@ -111,7 +111,7 @@ allowed_user(struct passwd * pw)
return 0; return 0;
if (options.num_deny_users > 0 || options.num_allow_users > 0) { if (options.num_deny_users > 0 || options.num_allow_users > 0) {
hostname = get_canonical_hostname(options.reverse_mapping_check); hostname = get_canonical_hostname(options.verify_reverse_mapping);
ipaddr = get_remote_ipaddr(); ipaddr = get_remote_ipaddr();
} }


@ -23,7 +23,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.82 2002/01/13 17:57:37 markus Exp $"); RCSID("$OpenBSD: auth2.c,v 1.83 2002/01/29 14:32:03 markus Exp $");
#include <openssl/evp.h> #include <openssl/evp.h>
@ -743,7 +743,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
HostStatus host_status; HostStatus host_status;
int len; int len;
resolvedname = get_canonical_hostname(options.reverse_mapping_check); resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
ipaddr = get_remote_ipaddr(); ipaddr = get_remote_ipaddr();
debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",


@ -12,7 +12,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: canohost.c,v 1.29 2001/12/19 07:18:56 deraadt Exp $"); RCSID("$OpenBSD: canohost.c,v 1.30 2002/01/29 14:32:03 markus Exp $");
#include "packet.h" #include "packet.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
*/ */
static char * static char *
get_remote_hostname(int socket, int reverse_mapping_check) get_remote_hostname(int socket, int verify_reverse_mapping)
{ {
struct sockaddr_storage from; struct sockaddr_storage from;
int i; int i;
@ -90,7 +90,7 @@ get_remote_hostname(int socket, int reverse_mapping_check)
if (isupper(name[i])) if (isupper(name[i]))
name[i] = tolower(name[i]); name[i] = tolower(name[i]);
if (!reverse_mapping_check) if (!verify_reverse_mapping)
return xstrdup(name); return xstrdup(name);
/* /*
* Map it back to an IP address and check that the given * Map it back to an IP address and check that the given
@ -174,14 +174,14 @@ check_ip_options(int socket, char *ipaddr)
*/ */
const char * const char *
get_canonical_hostname(int reverse_mapping_check) get_canonical_hostname(int verify_reverse_mapping)
{ {
static char *canonical_host_name = NULL; static char *canonical_host_name = NULL;
static int reverse_mapping_checked = 0; static int verify_reverse_mapping_done = 0;
/* Check if we have previously retrieved name with same option. */ /* Check if we have previously retrieved name with same option. */
if (canonical_host_name != NULL) { if (canonical_host_name != NULL) {
if (reverse_mapping_checked != reverse_mapping_check) if (verify_reverse_mapping_done != verify_reverse_mapping)
xfree(canonical_host_name); xfree(canonical_host_name);
else else
return canonical_host_name; return canonical_host_name;
@ -190,11 +190,11 @@ get_canonical_hostname(int reverse_mapping_check)
/* Get the real hostname if socket; otherwise return UNKNOWN. */ /* Get the real hostname if socket; otherwise return UNKNOWN. */
if (packet_connection_is_on_socket()) if (packet_connection_is_on_socket())
canonical_host_name = get_remote_hostname( canonical_host_name = get_remote_hostname(
packet_get_connection_in(), reverse_mapping_check); packet_get_connection_in(), verify_reverse_mapping);
else else
canonical_host_name = xstrdup("UNKNOWN"); canonical_host_name = xstrdup("UNKNOWN");
reverse_mapping_checked = reverse_mapping_check; verify_reverse_mapping_done = verify_reverse_mapping;
return canonical_host_name; return canonical_host_name;
} }
@ -281,11 +281,11 @@ get_remote_ipaddr(void)
} }
const char * const char *
get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check) get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
{ {
static const char *remote = ""; static const char *remote = "";
if (utmp_len > 0) if (utmp_len > 0)
remote = get_canonical_hostname(reverse_mapping_check); remote = get_canonical_hostname(verify_reverse_mapping);
if (utmp_len == 0 || strlen(remote) > utmp_len) if (utmp_len == 0 || strlen(remote) > utmp_len)
remote = get_remote_ipaddr(); remote = get_remote_ipaddr();
return remote; return remote;


@ -10,7 +10,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.99 2002/01/27 14:57:46 stevesk Exp $"); RCSID("$OpenBSD: servconf.c,v 1.100 2002/01/29 14:32:03 markus Exp $");
#if defined(KRB4) || defined(KRB5) #if defined(KRB4) || defined(KRB5)
#include <krb.h> #include <krb.h>
@ -105,7 +105,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_rate = -1; options->max_startups_rate = -1;
options->max_startups = -1; options->max_startups = -1;
options->banner = NULL; options->banner = NULL;
options->reverse_mapping_check = -1; options->verify_reverse_mapping = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
options->authorized_keys_file = NULL; options->authorized_keys_file = NULL;
@ -220,8 +220,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */ options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1) if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups; options->max_startups_begin = options->max_startups;
if (options->reverse_mapping_check == -1) if (options->verify_reverse_mapping == -1)
options->reverse_mapping_check = 0; options->verify_reverse_mapping = 0;
if (options->client_alive_interval == -1) if (options->client_alive_interval == -1)
options->client_alive_interval = 0; options->client_alive_interval = 0;
if (options->client_alive_count_max == -1) if (options->client_alive_count_max == -1)
@ -264,7 +264,7 @@ typedef enum {
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sBanner, sReverseMappingCheck, sHostbasedAuthentication, sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sDeprecated sDeprecated
@ -336,7 +336,8 @@ static struct {
{ "subsystem", sSubsystem }, { "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups }, { "maxstartups", sMaxStartups },
{ "banner", sBanner }, { "banner", sBanner },
{ "reversemappingcheck", sReverseMappingCheck }, { "verifyreversemapping", sVerifyReverseMapping },
{ "reversemappingcheck", sVerifyReverseMapping },
{ "clientaliveinterval", sClientAliveInterval }, { "clientaliveinterval", sClientAliveInterval },
{ "clientalivecountmax", sClientAliveCountMax }, { "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile", sAuthorizedKeysFile },
@ -687,8 +688,8 @@ parse_flag:
intptr = &options->gateway_ports; intptr = &options->gateway_ports;
goto parse_flag; goto parse_flag;
case sReverseMappingCheck: case sVerifyReverseMapping:
intptr = &options->reverse_mapping_check; intptr = &options->verify_reverse_mapping;
goto parse_flag; goto parse_flag;
case sLogFacility: case sLogFacility:
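Review bot: The keyword table now maps both `verifyreversemapping` and the old `reversemappingcheck` to sVerifyReverseMapping, while the sshd.8 hunk in this same commit removes the ReverseMappingCheck entry, so the old spelling survives as an undocumented alias that, as far as the visible hunks show, is accepted silently with no parse-time notice. A one-line comment on the alias row would make its status explicit for whoever next trims the table, e.g. `{ "reversemappingcheck", sVerifyReverseMapping }, /* compat alias for pre-rename configs */`. If the intent is to retire the old keyword eventually, emitting a deprecation notice when that row matches would give administrators a migration signal before the alias disappears. Both the keyword table and the parse switch begin and end outside the visible hunks.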


@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell". * called by a name other than "ssh" or "Secure Shell".
*/ */
/* RCSID("$OpenBSD: servconf.h,v 1.52 2002/01/27 14:57:46 stevesk Exp $"); */ /* RCSID("$OpenBSD: servconf.h,v 1.53 2002/01/29 14:32:03 markus Exp $"); */
#ifndef SERVCONF_H #ifndef SERVCONF_H
#define SERVCONF_H #define SERVCONF_H
@ -116,7 +116,7 @@ typedef struct {
int max_startups_rate; int max_startups_rate;
int max_startups; int max_startups;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
int reverse_mapping_check; /* cross-check ip and dns */ int verify_reverse_mapping; /* cross-check ip and dns */
int client_alive_interval; /* int client_alive_interval; /*
* poke the client this often to * poke the client this often to
* see if it's still there * see if it's still there


@ -33,7 +33,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: session.c,v 1.119 2002/01/27 14:57:46 stevesk Exp $"); RCSID("$OpenBSD: session.c,v 1.120 2002/01/29 14:32:03 markus Exp $");
#include "ssh.h" #include "ssh.h"
#include "ssh1.h" #include "ssh1.h"
@ -717,7 +717,7 @@ do_login(Session *s, const char *command)
/* Record that there was a login on that tty from the remote host. */ /* Record that there was a login on that tty from the remote host. */
record_login(pid, s->tty, pw->pw_name, pw->pw_uid, record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
(struct sockaddr *)&from); (struct sockaddr *)&from);
#ifdef USE_PAM #ifdef USE_PAM
@ -1287,7 +1287,7 @@ do_child(Session *s, const char *command)
/* we have to stash the hostname before we close our socket. */ /* we have to stash the hostname before we close our socket. */
if (options.use_login) if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len, hostname = get_remote_name_or_ip(utmp_len,
options.reverse_mapping_check); options.verify_reverse_mapping);
/* /*
* Close the connection descriptors; note that this is the child, and * Close the connection descriptors; note that this is the child, and
* the server will still have the socket open, and it is important * the server will still have the socket open, and it is important

18
sshd.8

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd.8,v 1.164 2002/01/27 14:57:46 stevesk Exp $ .\" $OpenBSD: sshd.8,v 1.165 2002/01/29 14:32:03 markus Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSHD 8 .Dt SSHD 8
.Os .Os
@ -766,14 +766,6 @@ Specifies whether public key authentication is allowed.
The default is The default is
.Dq yes . .Dq yes .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
.It Cm ReverseMappingCheck
Specifies whether
.Nm
should try to verify the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq no .
.It Cm RhostsAuthentication .It Cm RhostsAuthentication
Specifies whether authentication using rhosts or /etc/hosts.equiv Specifies whether authentication using rhosts or /etc/hosts.equiv
files is sufficient. files is sufficient.
@ -841,6 +833,14 @@ will be disabled because
does not know how to handle does not know how to handle
.Xr xauth 1 .Xr xauth 1
cookies. cookies.
.It Cm VerifyReverseMapping
Specifies whether
.Nm
should try to verify the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq no .
.It Cm X11DisplayOffset .It Cm X11DisplayOffset
Specifies the first display number available for Specifies the first display number available for
.Nm sshd Ns 's .Nm sshd Ns 's


@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.45 2002/01/27 14:57:46 stevesk Exp $ # $OpenBSD: sshd_config,v 1.46 2002/01/29 14:32:03 markus Exp $
# This is the sshd server system-wide configuration file. See sshd(8) # This is the sshd server system-wide configuration file. See sshd(8)
# for more information. # for more information.
@ -86,7 +86,7 @@
#MaxStartups 10 #MaxStartups 10
# no default banner path # no default banner path
#Banner /some/path #Banner /some/path
#ReverseMappingCheck no #VerifyReverseMapping no
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server Subsystem sftp /usr/libexec/sftp-server