(I am sorry to bother the list with something I should have verified myself right now - I simply do not have access to the source code here)

Thinking of some limit I wanted to put with authentication, I am wondering - when Dovecot authenticates a user using PAM, now that (in 1.0) it passes the rhost item to PAM, it passes a hostname, not an IP address. Does it double-verify the DNS record before it trusts this to be the hostname (first checking the IP address in in_addr.arpa and then checking that the hostname indeed maps back to the same IP address)?

That is necessary in order to trust the client address when determining authentication strength in the PAM module based on the client location (specifically we want stronger authentication when the client comes outside of our network, while inside a plain password suffices), as else anybody could "spoof" the hostname by changing the IN PTR record of his IP address to point back to some "trusted" hostname (given he has control of the DNS zone his host is in, which is completely possible given the server knows nothing about it).

Thanks,
-- Tom

--
Tom Alsberg - hacker (being the best description fitting this space)
Web page: http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER: The above message does not even necessarily represent what my fingers have typed on the keyboard, save anything further.

Tom Alsberg wrote:
> Does it double-verify the DNS record before it trusts
> this to be the hostname (first checking the IP address in
> in_addr.arpa and then checking that the hostname indeed maps back to
> the same IP address)?
>

Actually, this level of paranoia is not useful, since it will fail to correctly operate in the very real case of co-hosted boxes. There can only be (in practice) a single mapping from IP => hostname (via in-addr.arpa), but there can be virtually limitless hostname => IP maps. There were a few SMTP servers which supported "round-trip DNS checks" but by now, hopefully, the sysadmins running those boxes have been killed off by the userbase eager to actually receive e-mail.

If PAM authentication supports different schemes based on source IP address, that is the best you can hope for. The only trustworthy value in a point-to-point TCP connection is IP (since it is impossible to spoof that due to the need to be able to get the response packets back later).

John

--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748

On Mon, 2005-09-26 at 22:24 +0300, Tom Alsberg wrote:
> Thinking of some limit I wanted to put with authentication, I am
> wondering - when Dovecot authenticates a user using PAM, now that
> (in 1.0) it passes the rhost item to PAM, it passes a hostname, not
> an IP address.

You're looking at it wrong somehow. Dovecot doesn't do DNS lookups anywhere (and I hope to avoid it as long as possible). The code to set rhost looks like:

    #ifdef PAM_RHOST
    	const char *host = net_ip2addr(&request->remote_ip);
    	if (host != NULL)
    		pam_set_item(pamh, PAM_RHOST, host);
    #endif
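
An added example, not part of the thread or of Dovecot's source: because PAM_RHOST carries the numeric address, a PAM module can make the inside/outside decision by prefix match alone, with no DNS involved. The function name rhost_in_network and passing the trusted network as an "address/bits" string are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 if the first `bits` bits of a and b are equal. */
static int prefix_match(const uint8_t *a, const uint8_t *b, unsigned bits)
{
    unsigned full = bits / 8, rem = bits % 8;
    uint8_t mask = (uint8_t)(0xff << (8 - rem));
    if (memcmp(a, b, full) != 0)
        return 0;
    return rem == 0 || (a[full] & mask) == (b[full] & mask);
}

/*
 * rhost: PAM_RHOST value; cidr: trusted network as "address/bits".
 * Returns 1 only when rhost is a numeric address inside cidr. Hostnames,
 * a different address family and malformed input return 0, so the caller
 * falls back to the stronger authentication.
 */
int rhost_in_network(const char *rhost, const char *cidr)
{
    char net[INET6_ADDRSTRLEN], *end;
    uint8_t addr[16], base[16];
    const char *slash;
    unsigned long bits;
    size_t len;
    int af;

    if (rhost == NULL || cidr == NULL || (slash = strchr(cidr, '/')) == NULL)
        return 0;
    len = (size_t)(slash - cidr);
    if (len == 0 || len >= sizeof(net) || slash[1] < '0' || slash[1] > '9')
        return 0;
    memcpy(net, cidr, len);
    net[len] = '\0';
    af = strchr(net, ':') != NULL ? AF_INET6 : AF_INET;
    bits = strtoul(slash + 1, &end, 10);
    if (*end != '\0' || bits > (af == AF_INET6 ? 128u : 32u))
        return 0;
    /* inet_pton() parses numeric addresses only and never queries DNS. */
    if (inet_pton(af, net, base) != 1 || inet_pton(af, rhost, addr) != 1)
        return 0;
    return prefix_match(addr, base, (unsigned)bits);
}
```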