openssh-3.0p1 still contains the bug which I already reported on Sept. 28 2001 for 2.9p2, namely, the trailing dot in chost should be stripped before calling auth_rhosts2() even with option "HostbasedUsesNameFromPacketOnly yes". Otherwise, the host names in /etc/hosts.equiv and .rhosts would have to be dot-terminated. Fix: Move lines 776-779 of auth2.c upwards to after line 767. (These line numbers also hold for 2.9.9p2.) *** auth2.c.ORI Wed Oct 3 19:12:44 2001 --- auth2.c Fri Nov 9 10:15:42 2001 *************** *** 765,770 **** --- 765,774 ---- resolvedname = get_canonical_hostname(options.reverse_mapping_check); ipaddr = get_remote_ipaddr(); + if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { + debug2("stripping trailing dot from chost %s", chost); + chost[len - 1] = '\0'; + } debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", chost, resolvedname, ipaddr); *************** *** 773,782 **** return 0; lookup = chost; } else { - if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { - debug2("stripping trailing dot from chost %s", chost); - chost[len - 1] = '\0'; - } if (strcasecmp(resolvedname, chost) != 0) log("userauth_hostbased mismatch: " "client sends %s, but we resolve %s to %s", --- 777,782 ----
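Review bot: moving the strip above the HostbasedUsesNameFromPacketOnly branch means the unverified, client-supplied chost is now normalized before it becomes `lookup = chost`, so wherever that option gets documented it should state that exactly one trailing dot is removed from the packet name before the /etc/hosts.equiv and .rhosts lookup ("host.." still reaches auth_rhosts2() as "host."). A second effect of the move: the relocated block now runs before `debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", ...)`, so that line logs the already-stripped name; the string the client actually sent survives only in the "stripping trailing dot from chost %s" debug2 line, which is the one to consult when reconciling a log with what the client sent.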
On Fri, Nov 09, 2001 at 10:23:40AM +0100, Hans Werner Strube wrote:
> openssh-3.0p1 still contains the bug

is it a bug? we need to use voting to bugzilla.

> which I already reported on Sept. 28 2001
> for 2.9p2, namely, the trailing dot in chost should be stripped before calling
> auth_rhosts2() even with option "HostbasedUsesNameFromPacketOnly yes".
> Otherwise, the host names in /etc/hosts.equiv and .rhosts would have to be
> dot-terminated. Fix: Move lines 776-779 of auth2.c upwards to after line 767.
> (These line numbers also hold for 2.9.9p2.)

1) HostbasedUsesNameFromPacketOnly is experimental and undocumented
2) if HostbasedUsesNameFromPacketOnly is used, then the client can send any
opaque 'string' it likes to use, e.g. "markus at openssh.com." or even "...."
so sshd should not modify this string.

why are you using HostbasedUsesNameFromPacketOnly ?

-m
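The following is an added example, not code from this thread or from OpenSSH: a small C model of the decision the report and the reply are arguing about. `hostbased_check()` mirrors the shape of the userauth_hostbased() logic (name taken from the packet as-is, or compared against the reverse-resolved name), with a `patched` flag selecting whether the single trailing dot is stripped before the branch (as in the posted patch) or only in the resolved-name branch (as in 3.0p1). The `hosts_equiv` list and the host names are constructed for the demonstration; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Strip exactly one trailing dot in place, the same operation the patch
 * relocates: "host." -> "host", but "host.." -> "host." and "...." -> "...". */
void strip_trailing_dot(char *chost)
{
    size_t len = strlen(chost);
    if (len > 0 && chost[len - 1] == '.')
        chost[len - 1] = '\0';
}

/* Constructed stand-in for /etc/hosts.equiv. Entries are undotted, which is
 * exactly why a dot-terminated chost fails to match without normalization. */
static const char *hosts_equiv[] = { "client.example.org", "trusted", NULL };

static int in_hosts_equiv(const char *name)
{
    for (const char **e = hosts_equiv; *e != NULL; e++)
        if (strcasecmp(*e, name) == 0)
            return 1;
    return 0;
}

/* Model of the hostbased name decision (hypothetical helper, not sshd's API).
 *   name_from_packet_only: HostbasedUsesNameFromPacketOnly yes, the client
 *                          string is trusted as-is (lookup = chost).
 *   patched:               1 = strip before the branch (posted patch),
 *                          0 = strip only in the resolved-name branch (3.0p1).
 * Returns 1 if the name would be accepted for the hosts.equiv lookup, else 0. */
int hostbased_check(const char *packet_chost, const char *resolvedname,
                    int name_from_packet_only, int patched)
{
    char chost[256];

    if (strlen(packet_chost) >= sizeof(chost))
        return 0;
    strcpy(chost, packet_chost);

    if (patched)
        strip_trailing_dot(chost);          /* normalized in both branches */

    if (!name_from_packet_only) {
        if (!patched)
            strip_trailing_dot(chost);      /* 3.0p1: only here */
        if (strcasecmp(resolvedname, chost) != 0)
            return 0;                       /* client name must match DNS */
    }
    /* with name_from_packet_only there is no DNS check at all: whatever the
     * client sent (opaque string, trailing dots and all) reaches the lookup */
    return in_hosts_equiv(chost);
}

int main(void)
{
    const char *resolved = "client.example.org";

    printf("dotted name, NameFromPacketOnly, 3.0p1 : %d\n",
           hostbased_check("client.example.org.", resolved, 1, 0));
    printf("dotted name, NameFromPacketOnly, patch : %d\n",
           hostbased_check("client.example.org.", resolved, 1, 1));
    printf("dotted name, DNS check, 3.0p1          : %d\n",
           hostbased_check("client.example.org.", resolved, 0, 0));
    printf("opaque \"....\", NameFromPacketOnly     : %d\n",
           hostbased_check("....", resolved, 1, 1));
    /* the real cost of NameFromPacketOnly: a client resolving to some other
     * host can simply claim a name that is listed in hosts.equiv */
    printf("claims \"trusted\", resolves elsewhere  : %d\n",
           hostbased_check("trusted", "other.example.org", 1, 1));
    printf("same claim with the DNS check          : %d\n",
           hostbased_check("trusted", "other.example.org", 0, 1));
    return 0;
}
```

The last two calls show what the option actually gives up: with HostbasedUsesNameFromPacketOnly the trailing-dot question is cosmetic, because the name is never verified against the reverse lookup in the first place.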
markus> i think hostbased authentication never has been intended for this.
markus> especially since rhosts-rsa requires a privileged source port.

I don't see how this follows, and I disagree. The privileged source port
requirement in SSH-1 was just a holdover from mimicking rsh -- it was never a
good idea, it is not essential to the notion of host-based authentication, and
it is (properly) not required in SSH-2.

Considering the source address in an authentication method should *always* be
an optional feature. For one thing, it means the method may be run over a
different transport without change (serial line, tunnel of some kind,
"ProxyCommand", etc.). Second, an IP address need not be inherent in a host's
identity, any more than its MAC address is. The host may be mobile, multihomed,
using DHCP, moved from one network to another, its enclosing network
renumbered, etc. If you happen to know that a particular client host has a
static IP address, and you feel like requiring that as an extra measure of
caution, then fine, but I don't think it should ever be a protocol or feature
requirement -- just an implementation option (as with the "host=" option in
authorized_keys).

--
Richard Silverman
slade at shore.net