bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 08:48 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org,
| |simon at sxw.org.uk
--- Comment #2 from Damien Miller <djm at mindrot.org> 2007-05-17 18:48:31 ---
Simon, do you have an opinion on this bug or the proposed fix?
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 10:25 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
--- Comment #3 from Simon Wilkinson <simon at sxw.org.uk> 2007-05-17 20:25:25 ---
I'm not particularly familiar with the ProxyCommand code, or with SSH1 Hostbased auth. The proposed fix does appear to preserve semantics (if the incoming connection is a socket, it must be from the local machine), but I'm not sure whether it is correct to be permitting hostbased auth in those circumstances.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 12:39 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
--- Comment #4 from Damien Miller <djm at mindrot.org> 2007-05-17 22:39:40 ---
Sorry, in my sleep-deprived state I thought this was a Kerberos-related bug. Apologies.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 15:54 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
stuart at kaloram.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |stuart at kaloram.com
--- Comment #5 from stuart at kaloram.com 2007-05-18 01:54:46 ---
This bug is for SSH2 hostbased, and has nothing to do with SSH1 or with Kerberos.
I think the suggested patch has a bug: if packet_connection_is_on_socket() is false and

    if (gethostname(myname, sizeof(myname)) == -1) {
            verbose("userauth_hostbased: gethostname: %s",
                strerror(errno));
    } else
            p = myname;

gets executed, p does not point to malloc-ed memory. The subsequent code still calls xfree(p) in this case.
-stuart
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 20:48 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
Blocks| |1289
--- Comment #6 from Damien Miller <djm at mindrot.org> 2007-05-18 06:48:26 ---
Good catch - I inserted a strdup(). Patch has been applied - this will be in 4.7.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-23 18:51 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
stuart at kaloram.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|simon at sxw.org.uk |
--- Comment #7 from stuart at kaloram.com 2007-05-24 04:51:00 ---
Upon further testing, I do not think that the suggested patch fixes the problem.
ssh-keysign.c also contains logic that uses get_local_name() to get the FQDN of the host from the socket. I think that needs to be updated as well. It may be better to put the gethostname() fallback logic in get_local_name(), since it is only used in sshconnect2.c and ssh-keysign.c.
Also, I think the gethostname() fallback logic needs to be augmented to make sure that the value returned is converted to a fully qualified host name. On many systems gethostname() returns an unqualified hostname, and RFC 4252 requires that a FQDN be used for hostbased authentication.
My testing has been done on openssh-4.6p1 with the patch applied. I'm having some trouble getting the latest version from CVS to build, so I'm not certain the problems I'm seeing still exist, but the relevant code looks the same.
Even with the above changes there is still something going on that I don't quite understand. It seems to be related to whether or not a "." is appended to the FQDN.
I'm not reopening this bug because I haven't been able to test with the latest CVS build, but I think it should be looked at more carefully to make sure that it really works before the patch is included in openssh-4.7.
-stuart
bugzilla-daemon at bugzilla.mindrot.org
2007-May-25 18:30 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
stuart at kaloram.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #887 is|0 |1
obsolete| |
--- Comment #8 from stuart at kaloram.com 2007-05-26 04:30:03 ---
Created an attachment (id=1297)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1297)
Patch to make hostbased authentication work with proxy command.
See bug #616.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-25 18:31 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
--- Comment #9 from stuart at kaloram.com 2007-05-26 04:31:49 ---
Here is a patch for hostbased authentication with proxy command that seems to work. It includes as a subset the patch that Richard Silverman submitted in bug #1200 (sshd does not strip trailing dot from client hostname with HostbasedUsesNameFromPacketOnly). This change seems to be required to get signatures to verify.
It also updates canohost.c:get_local_name() so that it falls back to gethostname(2) if getsockname(2) fails.
It removes the gethostname(2) logic that Damien Miller added to sshconnect2.c, since that's no longer necessary.
The patch is against the most recent CVS source.
With this patch, I am able to get hostbased authentication working with a proxycommand like

    ssh proxyhost nc -w 5 %h %p

provided the destination server has HostbasedUsesNameFromPacketOnly enabled. Without HostbasedUsesNameFromPacketOnly the server attempts to use the host key for proxyhost instead of the client host, because that's where it sees the TCP connection coming from.
I don't claim to be enough of an expert on ssh internals to know whether I might have introduced any security holes or incompatibilities with previous versions. Someone should vet this patch carefully.
-stuart