bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 08:48 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org,
| |simon at sxw.org.uk
--- Comment #2 from Damien Miller <djm at mindrot.org> 2007-05-17
18:48:31 ---
Simon, do you have an opinion on this bug or the proposed fix?
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 10:25 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616 --- Comment #3 from Simon Wilkinson <simon at sxw.org.uk> 2007-05-17 20:25:25 --- I'm not particularly familiar with the ProxyCommand code, or with SSH1 Hostbased auth. The proposed fix does appear to preserve semantics (if the incoming connection is a socket, it must be from the local machine), but I'm not sure whether it is correct to be permitting hostbased auth in those circumstances. -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 12:39 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616 --- Comment #4 from Damien Miller <djm at mindrot.org> 2007-05-17 22:39:40 --- sorry, in my sleep deprived state I thought this was a Kerberos related bug. Apologies. -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 15:54 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
stuart at kaloram.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |stuart at kaloram.com
--- Comment #5 from stuart at kaloram.com 2007-05-18 01:54:46 ---
This bug is for SSH2 hostbased, and has nothing to do with SSH1 or with
kerberos.
I think the suggested patch has a bug: if
package_connection_is_on_socket()
is false and
if (gethostname(myname, sizeof(myname)) == -1) {
verbose("userauth_hostbased: gethostname: %s",
strerror(errno));
} else
p = myname;
gets executed, p does not point to malloc-ed memory. The subsequent
code still calls xfree(p) in this case.
-stuart
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 20:48 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
Blocks| |1289
--- Comment #6 from Damien Miller <djm at mindrot.org> 2007-05-18
06:48:26 ---
Good catch - I inserted a strdup(). Patch has been applied - this will
be in 4.7
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-23 18:51 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
stuart at kaloram.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|simon at sxw.org.uk |
--- Comment #7 from stuart at kaloram.com 2007-05-24 04:51:00 ---
Upon further testing, I do not think that the suggested patch fixes the
problem.
ssh-keysign.c also contains logic that uses get_local_name() to get the
FQDN
of the host from the socket. I think that needs to be updated as well.
It may
be better to put the gethostname() fallback logic in get_local_name(),
since it
is only used in sshconnect2.c and ssh-keysign.c.
Also, I think the gethostname() fallback logic needs to be augmented to
make
sure that the value returned is converted to a fully qualified host
name. On
many systems gethostname() returns an unqualified hostname, and RFC
4252
requires that a FQDN be used for hostbased authentication.
My testing has been done on openssh-4.6p1 with the patch applied. I'm
having
some trouble getting the latest version from CVS to build, so I'm not
certain
the problems I'm seeing still exist, but the relevent code looks the
same.
Even with the above changes there is still something going on that I
don't quite
understand. It seems to be related to whether or not a "." is
appended
to the
FQDN.
I'm not reopening this bug because I haven't been able to test with the
latest CVS
build, but I think it should be looked at more carefully to make sure
that it really
works before the patch is included in openssh-4.7.
-stuart
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-25 18:30 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
stuart at kaloram.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #887 is|0 |1
obsolete| |
--- Comment #8 from stuart at kaloram.com 2007-05-26 04:30:03 ---
Created an attachment (id=1297)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1297)
Patch to make hostbased authentication work with proxy command.
See bug #616.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-25 18:31 UTC
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
--- Comment #9 from stuart at kaloram.com 2007-05-26 04:31:49 ---
Here is a patch for hostbased authentication with proxy command
that seems to work. It includes as a subset the patch that Richard
Silverman submitted in bug #1200 (sshd does not strip trailing dot
from client hostname with HostbasedUsesNameFromPacketOnly).
This change seems to be required to get signatures to verify.
It also updates canohost.c:get_local_name() so that it falls back
to gethostname(2) if getsockname(2) fails.
It removes the gethostname(2) logic that Damien Miller added to
sshconnect2.c, since that's no longer necessary.
The patch is against the most recent CVS source.
With this patch, I am able to get hostbased authentication working
with a proxycommand like
ssh proxyhost nc -w 5 %h %p
provided the destination server has HostbasedUsesNameFromPacketOnly
enabled. Without HostbasedUsesNameFromPacketOnly the server
attempts to use the host key for proxyhost instead of the client host
because that's where it sees the TCP connection coming from.
I don't claim to be enough of an expert on ssh internals to know
whether
I might have introduced any security holes or incompatibilities with
previous versions. Someone should vet this patch carefully.
-stuart
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
Apparently Analagous Threads
- [Bug 616] proxycommand breaks hostbased authentication.
- OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
- Possible security problem in hostbased user authentication?
- OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
- Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes