Carson Gaspar
2003-Sep-13 07:19 UTC
Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
If HostbasedUsesNameFromPacketOnly is set to yes, sshd does not remove the trailing dot from the client-supplied hostname, causing sshd to attempt to look up "foo.example.com." (note trailing period) in known_hosts and .shosts instead of "foo.example.com". Trivial patch attached.

--
Carson

[Attachment: auth2-hostbased.c.diff, http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030913/797d8e45/attachment.ksh]
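To make the behaviour in the report concrete, here is a small C model of the two lookup paths it describes. This is an added example, not OpenSSH code or the attached patch; the function names (strip_trailing_dot, hostbased_lookup_name), the fixed-size buffers and the sample names are assumptions made for illustration. It shows that in packet-only mode the name used for the known_hosts/.shosts lookup keeps the trailing dot, while the default path strips it and then requires agreement with the reverse-DNS name.

```c
/* Added example, not OpenSSH code. Models the two hostbased lookup paths
 * discussed in the report; helper names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Remove one trailing '.' from an FQDN in place (the check the thread is
 * about). Returns 1 if a dot was removed, 0 otherwise. */
int strip_trailing_dot(char *host)
{
    size_t len = strlen(host);
    if (len > 0 && host[len - 1] == '.') {
        host[len - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Decide which name would be used for the known_hosts/.shosts lookup.
 * chost is the client-supplied name (copied, since it may be modified);
 * resolvedname is the reverse-DNS result for the connecting address.
 * Returns 0 and writes the lookup name into out on success; returns -1 when
 * the non-packet-only path rejects the client because the names differ. */
int hostbased_lookup_name(const char *chost, const char *resolvedname,
                          int packet_only, char *out, size_t outlen)
{
    char name[256];
    snprintf(name, sizeof name, "%s", chost);

    if (packet_only) {
        /* Packet-only mode as reported: the packet value is used verbatim,
         * trailing dot included. */
        snprintf(out, outlen, "%s", name);
        return 0;
    }
    /* Default path: canonicalize, then require agreement with reverse DNS
     * (case-insensitive, as in the quoted code). */
    strip_trailing_dot(name);
    if (strcasecmp(resolvedname, name) != 0)
        return -1;
    snprintf(out, outlen, "%s", name);
    return 0;
}

int main(void)
{
    char out[256];
    /* Constructed sample input: a client that sends an absolute FQDN. */
    const char *sent = "foo.example.com.";
    const char *rdns = "foo.example.com";

    hostbased_lookup_name(sent, rdns, 1, out, sizeof out);
    printf("packet-only lookup: \"%s\"\n", out);   /* keeps the trailing dot */
    hostbased_lookup_name(sent, rdns, 0, out, sizeof out);
    printf("default lookup:     \"%s\"\n", out);   /* dot stripped */
    return 0;
}
```

The point for an operator is that with packet-only mode the entry in known_hosts or .shosts must literally match whatever the client sent, dot and all, and no reverse-DNS cross-check is applied; that is why the thread treats the option as experimental rather than as a bug to be papered over by canonicalization.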
Markus Friedl
2003-Sep-13 15:34 UTC
Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
AFAIK HostbasedUsesNameFromPacketOnly means: use the _exact_ value from the packet. This is why the dot is not removed. Moreover, HostbasedUsesNameFromPacketOnly is not recommended and experimental. The client needs to be changed to have truly random names in the hostbased packets.

On Sat, Sep 13, 2003 at 03:19:44AM -0400, Carson Gaspar wrote:
> If HostbasedUsesNameFromPacketOnly is set to yes, sshd does not remove
> the trailing dot from the client supplied hostname, causing sshd to
> attempt to look up "foo.example.com." (note trailing period) in
> known_hosts and .shosts instead of "foo.example.com"
>
> Trivial patch attached.
>
> --
> Carson
> --- auth2-hostbased.c.DIST 2003-09-13 03:05:22.921075000 -0400
> +++ auth2-hostbased.c 2003-09-13 03:06:10.206073000 -0400
> @@ -142,15 +142,15 @@
> debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
> chost, resolvedname, ipaddr);
>
> + if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
> + debug2("stripping trailing dot from chost %s", chost);
> + chost[len - 1] = '\0';
> + }
> if (options.hostbased_uses_name_from_packet_only) {
> if (auth_rhosts2(pw, cuser, chost, chost) == 0)
> return 0;
> lookup = chost;
> } else {
> - if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
> - debug2("stripping trailing dot from chost %s", chost);
> - chost[len - 1] = '\0';
> - }
> if (strcasecmp(resolvedname, chost) != 0)
> logit("userauth_hostbased mismatch: "
> "client sends %s, but we resolve %s to %s",
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
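Review bot: hoisting the trailing-dot strip above `if (options.hostbased_uses_name_from_packet_only)` makes it run in packet-only mode as well, which contradicts the stated meaning of that option in the reply (use the exact value from the packet); the change therefore needs either the option's documentation updated to say the name is canonicalized before the `.shosts`/known_hosts lookup, or the strip left in the `else` branch with the dotted form handled at the lookup instead. Two smaller points: the first `debug2("userauth_hostbased: chost %s ...")` still runs before the strip, so the log will show the unstripped name followed by the "stripping trailing dot" line, which is fine but worth stating in the commit message; and `len` was already used by the removed `else`-branch lines, so no new declaration is required, but the hunk should be checked against a build with `-Wall` since the variable is now assigned on every path.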
Carson Gaspar
2003-Sep-14 18:00 UTC
Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
--On Saturday, September 13, 2003 5:34 PM +0200 Markus Friedl <markus at openbsd.org> wrote:
> AFAIK HostbasedUsesNameFromPacketOnly means: use the _exact_
> value from the packet. This is why the dot is not
> removed. Moreover, HostbasedUsesNameFromPacketOnly is
> not recommended and experimental. The client
> needs to be changed to have truly random names in
> the hostbased packets.

WTF? Why would you want random names?!

--
Carson
Markus Friedl
2003-Sep-15 08:04 UTC
Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
On Sun, Sep 14, 2003 at 02:00:25PM -0400, Carson Gaspar wrote:
>
> --On Saturday, September 13, 2003 5:34 PM +0200 Markus Friedl
> <markus at openbsd.org> wrote:
>
> >AFAIK HostbasedUsesNameFromPacketOnly means: use the _exact_
> >value from the packet. This is why the dot is not
> >removed. Moreover, HostbasedUsesNameFromPacketOnly is
> >not recommended and experimental. The client
> >needs to be changed to have truly random names in
> >the hostbased packets.
>
> WTF? Why would you want random names?!

you might want to use UFQDN as in IKE.