Displaying 20 results from an estimated 24 matches for "verify_reverse_mapping".
2003 Feb 27
1
Unwanted reverse mapping of ip addresses
Hi SSH developers,
I am wondering if someone could help explain a behavior of sshd. From
canohost.c, get_remote_hostname(), it seems sshd will always try to
reverse lookup the ip address of any client that attaches to it.
The verify_reverse_mapping flag only controls the forward DNS lookup
of the client's hostname, which is performed once the hostname has been
determined by the reverse lookup.
I am using Solaris 8 with ssh 3.4p1, and this piece of code:
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */...
2003 Feb 28
0
[PATCH] Clean up failed login logging.
...05:24:06 -0000 1.67
+++ auth.c 25 Feb 2003 09:52:31 -0000
@@ -268,13 +268,10 @@
get_remote_port(),
info);
-#ifdef WITH_AIXAUTHENTICATE
if (authenticated == 0 && strcmp(method, "password") == 0)
- loginfailed(authctxt->user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-
+ record_failed_login(authctxt->user,
+ get_canonical_hostname(options.verify_reverse_mapping),
+ "ssh");
}
/*
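Review bot: The host argument of the new `record_failed_login()` call is `get_canonical_hostname(options.verify_reverse_mapping)`, a DNS-derived name; with the option off it is presumably the raw reverse-lookup result, which whoever controls the client's PTR record can set. A failed-login record is audit data, so the peer address is the safer value to store where the platform hooks accept one: `record_failed_login(authctxt->user, get_remote_ipaddr(), "ssh");`. Failing that, a comment above the call such as `/* host is a DNS name and may be unverified; see verify_reverse_mapping */` would tell whoever reads these records how far to trust the field. The same hunk appears again in the re-sent patch dated 2003 Apr 03, and the enclosing function starts and ends outside the hunk.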
@@ -496,11 +493,9 @@
if (pw == NULL) {
log("Illegal user %.100s from %.100s",...
2003 Apr 03
0
[PATCH re-send]: Clean up logging of failed logins.
...05:24:06 -0000 1.67
+++ auth.c 25 Feb 2003 09:52:31 -0000
@@ -268,13 +268,10 @@
get_remote_port(),
info);
-#ifdef WITH_AIXAUTHENTICATE
if (authenticated == 0 && strcmp(method, "password") == 0)
- loginfailed(authctxt->user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-
+ record_failed_login(authctxt->user,
+ get_canonical_hostname(options.verify_reverse_mapping),
+ "ssh");
}
/*
@@ -496,11 +493,9 @@
if (pw == NULL) {
log("Illegal user %.100s from %.100s",...
2002 Sep 04
2
uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
...;
>
> -extern int errno;
> -
> int
> auth_sia_password(Authctxt *authctxt, char *pass)
> {
> int ret;
> SIAENTITY *ent = NULL;
> const char *host;
> - char *user = authctxt->user;
>
> host = get_canonical_hostname(options.verify_reverse_mapping);
>
> - if (!user || !pass || pass[0] == '\0')
> + if (!authctxt->user || !pass || pass[0] == '\0')
> return(0);
>
> - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
> - NULL) != SIASUCCESS)
> + if (sia_s...
2003 Jan 27
1
[PATCH] Creation of record_failed_login() in sshlogin.c
...05:24:06 -0000 1.67
+++ auth.c 27 Jan 2003 11:39:07 -0000
@@ -268,13 +268,11 @@
get_remote_port(),
info);
-#ifdef WITH_AIXAUTHENTICATE
- if (authenticated == 0 && strcmp(method, "password") == 0)
- loginfailed(authctxt->user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-
+ if (geteuid() == 0 && authenticated == 0 &&
+ strcmp(method, "password") == 0)
+ record_failed_login(authctxt->user,
+ get_canonical_hostname(options.verify_reverse_mapping),
+ "ssh"...
2003 Feb 27
0
Update for Tru64 Unix
...19:46:17 2003
@@ -45,27 +45,25 @@
extern int saved_argc;
extern char **saved_argv;
-extern int errno;
-
int
auth_sia_password(Authctxt *authctxt, char *pass)
{
int ret;
SIAENTITY *ent = NULL;
const char *host;
- char *user = authctxt->user;
host = get_canonical_hostname(options.verify_reverse_mapping);
- if (pass[0] == '\0')
+ if (!authctxt->user || !pass || pass[0] == '\0')
return(0);
- if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
- NULL) != SIASUCCESS)
+ if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
+ N...
2002 Mar 24
1
FreeBSD 4.x
...(void)printf("Permission denied.\n");
log(
"LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
pw->pw_name, get_remote_name_or_ip(utmp_len,
options.verify_reverse_mapping), s->tty);
exit(254);
}
#endif /* HAVE_LOGIN_CAP */
2002 Jul 18
2
[Bug 312] canhost.h needs to be included
http://bugzilla.mindrot.org/show_bug.cgi?id=312
------- Additional Comments From stevesk at pobox.com 2002-07-18 14:07 -------
why is it required?
i don't see any canohost.h functions in those files.
2002 Jul 04
4
Chroot patch (v3.4p1)
...ULL;
+#endif /* CHROOT */
#ifdef HAVE_CYGWIN
if (is_winnt) {
@@ -1187,6 +1197,26 @@
if (setlogin(pw->pw_name) < 0)
error("setlogin failed: %s", strerror(errno));
+#ifdef CHROOT
+
+ if (options.num_chroot_users > 0) {
+ hostname = get_canonical_hostname(options.verify_reverse_mapping);
+ ipaddr = get_remote_ipaddr();
+ for (i = 0; i < options.num_chroot_users; i++) {
+ if (match_user(pw->pw_name, hostname, ipaddr,
+ options.chroot_users[i])) {
+ if(chroot(pw->pw_dir) != 0) {
+ fatal("Couldn't chroot to user directory %s",
+...
2003 Apr 27
3
[PATCH re-send]: Clean up logging of failed logins
Sorry, Darren. Long overdue comments.
[..]
>+/* Record a failed login attempt. */
>+void
>+record_failed_login(const char *user, const char *host, const char *ttyname)
>+{
>+#ifdef WITH_AIXAUTHENTICATE
>+ loginfailed(user, host, ttyname);
>+#endif
>+#ifdef _UNICOS
>+ cray_login_failure((char *)user, IA_UDBERR);
>+#endif /* _UNICOS */
>+}
I like the
2003 May 06
1
compilation problems AIX 5.2
I am having difficulties compiling openssh3.6p2 under
AIX 5.2. I grabbed the latest from the contrib
section from openssh.com, applied passexpire19.patch
successfully and configure --prefix=/opt/freeware/
--with xauth=/usr/bin/X11/xauth. I get the following
at the end of the make:
In file included from auth.c:41:
/usr/include/usersec.h:656: warning: `struct aud_rec'
declared inside parameter
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...)
+ if (authsuccess) {
+ char *msg;
+
+ debug("authenticate() succeeded for user %s: %.100s", pw->pw_name, authmsg);
/* We don't have a pty yet, so just label the line as "ssh" */
if (loginsuccess(authctxt->user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh", &aixloginmsg) < 0)
- aixloginmsg = NULL;
+ get_canonical_hostname(options.verify_reverse_mapping),
+ "ssh", &msg) < 0)
+ msg = NULL;
+ buffer_append(&login_message, msg, strlen(msg));
+ } else {
+ debug("authenticate() failed...
2002 Apr 10
1
openssh-3.1p1 on GNU/Hurd
...-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
diff -urN openssh-3.1p1.old/canohost.c openssh-3.1p1/canohost.c
--- openssh-3.1p1.old/canohost.c Mon Mar 4 20:31:29 2002
+++ openssh-3.1p1/canohost.c Tue Apr 9 21:05:15 2002
@@ -284,9 +284,11 @@
get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
{
static const char *remote = "";
- if (utmp_len > 0)
+ /* Assume that if utmp_len = -1 then there is no limit on the
+ hostname length */
+ if (utmp_len > 0 || utmp_len == -1)
remote = get_canonical_hostname(verify_reverse_mapping);
- if (utmp_len == 0 || strlen(remote) >...
2002 Aug 02
3
[Bug 377] New: Reduce compiler warnings. Use unsigned args to the ctype.h is*() macros.
...nohost.c 11 Jul 2002 03:56:47 -0000 1.30
+++ canohost.c 2 Aug 2002 12:13:37 -0000
@@ -90,7 +90,7 @@ get_remote_hostname(int socket, int veri
* of this software).
*/
for (i = 0; name[i]; i++)
-
if (isupper(name[i]))
+
if (isupper((unsigned)name[i]))
name[i] = tolower(name[i]);
if (!verify_reverse_mapping)
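Review bot: The cast in `isupper((unsigned)name[i])` should be `(unsigned char)`: where plain char is signed, a byte above 0x7f converts to a very large unsigned int, which is outside the range the ctype functions are defined for. It silences the warning without fixing the behaviour, and `name` in get_remote_hostname appears to hold the result of the reverse DNS lookup, so its bytes are not under the server's control. The `tolower(name[i])` on the next line has the same problem and is left uncast. Suggested: `if (isupper((unsigned char)name[i]))` and `name[i] = tolower((unsigned char)name[i]);`. The enclosing function starts and ends outside the hunk.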
Index: clientloop.c
===================================================================
RCS file: /cvs/openssh/clientloop.c,v
retrieving revision 1.87
diff -u -p -r1.87 clientloop.c
--- clientloop.c 4 Jul 2002 00:14:18 -0000 1.87
+++ clientloop.c 2 Aug 2002 12:13:38 -0000
@@ -485,7 +485,7 @@ proce...
2002 Jun 29
0
Privsep for osf/1 .. still need a bit of help
...--- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7
+++ auth-sia.c 29 Jun 2002 03:19:18 -0000
@@ -77,7 +77,7 @@
}
void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
{
struct passwd *pw;
SIAENTITY *ent = NULL;
@@ -86,9 +86,8 @@
host = get_canonical_hostname (options.verify_reverse_mapping);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
- NULL) != SIASUCCESS) {
+ NULL) != SIASUCCESS)
fatal("sia_ses_init failed");
- }
if ((pw = getpwnam(user)) == NULL) {
sia_ses_release(&ent);
@@ -100,25 +99,22 @@
}
ent->authtype = SIA...
2002 Jun 28
0
Newer OSF patch.
...--- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7
+++ auth-sia.c 28 Jun 2002 20:29:00 -0000
@@ -77,7 +77,7 @@
}
void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
{
struct passwd *pw;
SIAENTITY *ent = NULL;
@@ -86,9 +86,8 @@
host = get_canonical_hostname (options.verify_reverse_mapping);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
- NULL) != SIASUCCESS) {
+ NULL) != SIASUCCESS)
fatal("sia_ses_init failed");
- }
if ((pw = getpwnam(user)) == NULL) {
sia_ses_release(&ent);
@@ -100,25 +99,22 @@
}
ent->authtype = SIA...
2002 Aug 01
0
Tru64 and OSF/1 Privsep patch
...nt saved_argc;
extern char **saved_argv;
+extern int use_privsep;
extern int errno;
@@ -77,7 +79,7 @@
}
void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
{
struct passwd *pw;
SIAENTITY *ent = NULL;
@@ -86,9 +88,8 @@
host = get_canonical_hostname (options.verify_reverse_mapping);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
- NULL) != SIASUCCESS) {
+ NULL) != SIASUCCESS)
fatal("sia_ses_init failed");
- }
if ((pw = getpwnam(user)) == NULL) {
sia_ses_release(&ent);
@@ -100,25 +101,24 @@
}
ent->authtype = SI...
2002 Jul 25
0
openssh-unix-dev digest, Vol 1 #505 - 15 msgs
...committed.
> >
> > but there should be no DNS lookups in the unprivileged code...
>
> This is on FreeBSD-4.6-STABLE using the openssh-portable port (which is
> 3.4p1) The backtrace of the offending DNS lookup is
>
> #0 0x8061450 in get_remote_hostname (socket=5,
> verify_reverse_mapping=0) at canohost.c:81
> #1 0x8061714 in get_canonical_hostname (verify_reverse_mapping=0) at
> canohost.c:194
> #2 0x8050021 in input_userauth_request (type=50, seq=5, ctxt=0x80990c0)
> at auth2.c:147
> #3 0x8067fcf in dispatch_run (mode=0, done=0x80990c0, ctxt=0x80990c0)
> at di...
2002 Mar 28
1
[PATCH] Feature addition: user access control per auth method
...true.
+ */
+int auth_allowed_user(struct passwd *pw, Authaccess access)
+{
+ const char *hostname = NULL, *ipaddr = NULL;
+ int i;
+
+ if (!pw || !pw->pw_name)
+ return 0;
+
+ if (access.num_deny_users > 0 || access.num_allow_users > 0) {
+ hostname = get_canonical_hostname(options.verify_reverse_mapping);
+ ipaddr = get_remote_ipaddr();
+ }
+
+ /* Return false if user is listed in DenyUsers */
+ if (access.num_deny_users > 0) {
+ for (i = 0; i < access.num_deny_users; i++)
+ if (match_user(pw->pw_name, hostname, ipaddr,
+ access.deny_users[i]))
+ return 0;
+ }
+
+ /* R...
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...mp;ttyfd, s->tty);
+
+ /* without privsep, chauthtok requires a controlling tty */
+ if (!use_privsep)
+ do_pam_chauthtok();
+
+
/* record login, etc. similar to login(1) */
#ifndef HAVE_OSF_SIA
if (!(options.use_login && command == NULL)) {
@@ -746,16 +760,6 @@
options.verify_reverse_mapping),
(struct sockaddr *)&from, fromlen);
-#ifdef USE_PAM
- /*
- * If password change is needed, do it now.
- * This needs to occur before the ~/.hushlogin check.
- */
- if (is_pam_password_change_required()) {
- print_pam_messages();
- do_pam_chauthtok();
- }
-#endif
if (check_qu...