Attachment #689376 for bug #774177

View | Details | Raw Unified | Return to bug 774177
Collapse All | Expand All




	return (&fake);
}

/*
 * Returns the remote DNS hostname as a string. The returned string must not
 * be freed. NB. this will usually trigger a DNS query the first time it is
 * called.
 * This function does additional checks on the hostname to mitigate some
 * attacks on legacy rhosts-style authentication.
 * XXX is RhostsRSAAuthentication vulnerable to these?
 * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
 */

static char *
remote_hostname(struct ssh *ssh)
{
	struct sockaddr_storage from;
	socklen_t fromlen;
	struct addrinfo hints, *ai, *aitop;
	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
	const char *ntop = ssh_remote_ipaddr(ssh);

	/* Get IP address of client. */
	fromlen = sizeof(from);
	memset(&from, 0, sizeof(from));
	if (getpeername(ssh_packet_get_connection_in(ssh),
	    (struct sockaddr *)&from, &fromlen) == -1) {
		debug("getpeername failed: %.100s", strerror(errno));
		return xstrdup(ntop);
	}

	ipv64_normalise_mapped(&from, &fromlen);
	if (from.ss_family == AF_INET6)
		fromlen = sizeof(struct sockaddr_in6);

	debug3("Trying to reverse map address %.100s.", ntop);
	/* Map the IP address to a host name. */
	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
	    NULL, 0, NI_NAMEREQD) != 0) {
		/* Host name not found.  Use ip address. */
		return xstrdup(ntop);
	}

	/*
	 * if reverse lookup result looks like a numeric hostname,
	 * someone is trying to trick us by PTR record like following:
	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
	 */
	memset(&hints, 0, sizeof(hints));
	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
	hints.ai_flags = AI_NUMERICHOST;
	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
		    name, ntop);
		freeaddrinfo(ai);
		return xstrdup(ntop);
	}

	/* Names are stored in lowercase. */
	lowercase(name);

	/*
	 * Map it back to an IP address and check that the given
	 * address actually is an address of this host.  This is
	 * necessary because anyone with access to a name server can
	 * define arbitrary names for an IP address. Mapping from
	 * name to IP address can be trusted better (but can still be
	 * fooled if the intruder has access to the name server of
	 * the domain).
	 */
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = from.ss_family;
	hints.ai_socktype = SOCK_STREAM;
	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
		logit("reverse mapping checking getaddrinfo for %.700s "
		    "[%s] failed.", name, ntop);
		return xstrdup(ntop);
	}
	/* Look for the address from the list of addresses. */
	for (ai = aitop; ai; ai = ai->ai_next) {
		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
		    (strcmp(ntop, ntop2) == 0))
				break;
	}
	freeaddrinfo(aitop);
	/* If we reached the end of the list, the address was not there. */
	if (ai == NULL) {
		/* Address not found for the host name. */
		logit("Address %.100s maps to %.600s, but this does not "
		    "map back to the address.", ntop, name);
		return xstrdup(ntop);
	}
	return xstrdup(name);
}

/*
 * Return the canonical name of the host in the other side of the current
 * connection.  The host name is cached, so it is efficient to call this
 * several times.
 */

const char *
auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
{
	static char *dnsname;

	if (!use_dns)
		return ssh_remote_ipaddr(ssh);
	else if (dnsname != NULL)
		return dnsname;
	else {
		dnsname = remote_hostname(ssh);
		return dnsname;
	}
}

/* These functions link key/cert options to the auth framework */





{
	return get_sock_port(sock, 1);
}

/*
 * Returns the remote DNS hostname as a string. The returned string must not
 * be freed. NB. this will usually trigger a DNS query the first time it is
 * called.
 * This function does additional checks on the hostname to mitigate some
 * attacks on legacy rhosts-style authentication.
 * XXX is RhostsRSAAuthentication vulnerable to these?
 * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
 */

static char *
remote_hostname(struct ssh *ssh)
{
	struct sockaddr_storage from;
	socklen_t fromlen;
	struct addrinfo hints, *ai, *aitop;
	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
	const char *ntop = ssh_remote_ipaddr(ssh);

	/* Get IP address of client. */
	fromlen = sizeof(from);
	memset(&from, 0, sizeof(from));
	if (getpeername(ssh_packet_get_connection_in(ssh),
	    (struct sockaddr *)&from, &fromlen) == -1) {
		debug("getpeername failed: %.100s", strerror(errno));
		return xstrdup(ntop);
	}

	ipv64_normalise_mapped(&from, &fromlen);
	if (from.ss_family == AF_INET6)
		fromlen = sizeof(struct sockaddr_in6);

	debug3("Trying to reverse map address %.100s.", ntop);
	/* Map the IP address to a host name. */
	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
	    NULL, 0, NI_NAMEREQD) != 0) {
		/* Host name not found.  Use ip address. */
		return xstrdup(ntop);
	}

	/*
	 * if reverse lookup result looks like a numeric hostname,
	 * someone is trying to trick us by PTR record like following:
	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
	 */
	memset(&hints, 0, sizeof(hints));
	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
	hints.ai_flags = AI_NUMERICHOST;
	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
		    name, ntop);
		freeaddrinfo(ai);
		return xstrdup(ntop);
	}

	/* Names are stored in lowercase. */
	lowercase(name);

	/*
	 * Map it back to an IP address and check that the given
	 * address actually is an address of this host.  This is
	 * necessary because anyone with access to a name server can
	 * define arbitrary names for an IP address. Mapping from
	 * name to IP address can be trusted better (but can still be
	 * fooled if the intruder has access to the name server of
	 * the domain).
	 */
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = from.ss_family;
	hints.ai_socktype = SOCK_STREAM;
	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
		logit("reverse mapping checking getaddrinfo for %.700s "
		    "[%s] failed.", name, ntop);
		return xstrdup(ntop);
	}
	/* Look for the address from the list of addresses. */
	for (ai = aitop; ai; ai = ai->ai_next) {
		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
		    (strcmp(ntop, ntop2) == 0))
				break;
	}
	freeaddrinfo(aitop);
	/* If we reached the end of the list, the address was not there. */
	if (ai == NULL) {
		/* Address not found for the host name. */
		logit("Address %.100s maps to %.600s, but this does not "
		    "map back to the address.", ntop, name);
		return xstrdup(ntop);
	}
	return xstrdup(name);
}

/*
 * Return the canonical name of the host in the other side of the current
 * connection.  The host name is cached, so it is efficient to call this
 * several times.
 */

const char *
auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
{
	static char *dnsname;

	if (!use_dns)
		return ssh_remote_ipaddr(ssh);
	else if (dnsname != NULL)
		return dnsname;
	else {
		dnsname = remote_hostname(ssh);
		return dnsname;
	}
}

Return to bug 774177

Lines 727-845 fakepw(void) Link Here

(-)openssh-8.5p1/auth.c.dist (-113 lines)
727	return (&fake);	727	return (&fake);
728	}	728	}
729		729
730	/*
731	* Returns the remote DNS hostname as a string. The returned string must not
732	* be freed. NB. this will usually trigger a DNS query the first time it is
733	* called.
734	* This function does additional checks on the hostname to mitigate some
735	* attacks on legacy rhosts-style authentication.
736	* XXX is RhostsRSAAuthentication vulnerable to these?
737	* XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
738	*/
739
740	static char *
741	remote_hostname(struct ssh *ssh)
742	{
743	struct sockaddr_storage from;
744	socklen_t fromlen;
745	struct addrinfo hints, ai, aitop;
746	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
747	const char *ntop = ssh_remote_ipaddr(ssh);
748
749	/* Get IP address of client. */
750	fromlen = sizeof(from);
751	memset(&from, 0, sizeof(from));
752	if (getpeername(ssh_packet_get_connection_in(ssh),
753	(struct sockaddr *)&from, &fromlen) == -1) {
754	debug("getpeername failed: %.100s", strerror(errno));
755	return xstrdup(ntop);
756	}
757
758	ipv64_normalise_mapped(&from, &fromlen);
759	if (from.ss_family == AF_INET6)
760	fromlen = sizeof(struct sockaddr_in6);
761
762	debug3("Trying to reverse map address %.100s.", ntop);
763	/* Map the IP address to a host name. */
764	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
765	NULL, 0, NI_NAMEREQD) != 0) {
766	/* Host name not found. Use ip address. */
767	return xstrdup(ntop);
768	}
769
770	/*
771	* if reverse lookup result looks like a numeric hostname,
772	* someone is trying to trick us by PTR record like following:
773	* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
774	*/
775	memset(&hints, 0, sizeof(hints));
776	hints.ai_socktype = SOCK_DGRAM; /dummy/
777	hints.ai_flags = AI_NUMERICHOST;
778	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
779	logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
780	name, ntop);
781	freeaddrinfo(ai);
782	return xstrdup(ntop);
783	}
784
785	/* Names are stored in lowercase. */
786	lowercase(name);
787
788	/*
789	* Map it back to an IP address and check that the given
790	* address actually is an address of this host. This is
791	* necessary because anyone with access to a name server can
792	* define arbitrary names for an IP address. Mapping from
793	* name to IP address can be trusted better (but can still be
794	* fooled if the intruder has access to the name server of
795	* the domain).
796	*/
797	memset(&hints, 0, sizeof(hints));
798	hints.ai_family = from.ss_family;
799	hints.ai_socktype = SOCK_STREAM;
800	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
801	logit("reverse mapping checking getaddrinfo for %.700s "
802	"[%s] failed.", name, ntop);
803	return xstrdup(ntop);
804	}
805	/* Look for the address from the list of addresses. */
806	for (ai = aitop; ai; ai = ai->ai_next) {
807	if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
808	sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
809	(strcmp(ntop, ntop2) == 0))
810	break;
811	}
812	freeaddrinfo(aitop);
813	/* If we reached the end of the list, the address was not there. */
814	if (ai == NULL) {
815	/* Address not found for the host name. */
816	logit("Address %.100s maps to %.600s, but this does not "
817	"map back to the address.", ntop, name);
818	return xstrdup(ntop);
819	}
820	return xstrdup(name);
821	}
822
823	/*
824	* Return the canonical name of the host in the other side of the current
825	* connection. The host name is cached, so it is efficient to call this
826	* several times.
827	*/
828
829	const char *
830	auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
831	{
832	static char *dnsname;
833
834	if (!use_dns)
835	return ssh_remote_ipaddr(ssh);
836	else if (dnsname != NULL)
837	return dnsname;
838	else {
839	dnsname = remote_hostname(ssh);
840	return dnsname;
841	}
842	}
843		730
844	/* These functions link key/cert options to the auth framework */	731	/* These functions link key/cert options to the auth framework */
845		732

Lines 202-204 get_local_port(int sock) Link Here

(-)openssh-8.5p1/canohost.c.dist (+114 lines)
202	{	202	{
203	return get_sock_port(sock, 1);	203	return get_sock_port(sock, 1);
204	}	204	}
		205
		206	/*
		207	* Returns the remote DNS hostname as a string. The returned string must not
		208	* be freed. NB. this will usually trigger a DNS query the first time it is
		209	* called.
		210	* This function does additional checks on the hostname to mitigate some
		211	* attacks on legacy rhosts-style authentication.
		212	* XXX is RhostsRSAAuthentication vulnerable to these?
		213	* XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
		214	*/
		215
		216	static char *
		217	remote_hostname(struct ssh *ssh)
		218	{
		219	struct sockaddr_storage from;
		220	socklen_t fromlen;
		221	struct addrinfo hints, ai, aitop;
		222	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
		223	const char *ntop = ssh_remote_ipaddr(ssh);
		224
		225	/* Get IP address of client. */
		226	fromlen = sizeof(from);
		227	memset(&from, 0, sizeof(from));
		228	if (getpeername(ssh_packet_get_connection_in(ssh),
		229	(struct sockaddr *)&from, &fromlen) == -1) {
		230	debug("getpeername failed: %.100s", strerror(errno));
		231	return xstrdup(ntop);
		232	}
		233
		234	ipv64_normalise_mapped(&from, &fromlen);
		235	if (from.ss_family == AF_INET6)
		236	fromlen = sizeof(struct sockaddr_in6);
		237
		238	debug3("Trying to reverse map address %.100s.", ntop);
		239	/* Map the IP address to a host name. */
		240	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
		241	NULL, 0, NI_NAMEREQD) != 0) {
		242	/* Host name not found. Use ip address. */
		243	return xstrdup(ntop);
		244	}
		245
		246	/*
		247	* if reverse lookup result looks like a numeric hostname,
		248	* someone is trying to trick us by PTR record like following:
		249	* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
		250	*/
		251	memset(&hints, 0, sizeof(hints));
		252	hints.ai_socktype = SOCK_DGRAM; /dummy/
		253	hints.ai_flags = AI_NUMERICHOST;
		254	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
		255	logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
		256	name, ntop);
		257	freeaddrinfo(ai);
		258	return xstrdup(ntop);
		259	}
		260
		261	/* Names are stored in lowercase. */
		262	lowercase(name);
		263
		264	/*
		265	* Map it back to an IP address and check that the given
		266	* address actually is an address of this host. This is
		267	* necessary because anyone with access to a name server can
		268	* define arbitrary names for an IP address. Mapping from
269	* name to IP address can be trusted better (but can still be
270	* fooled if the intruder has access to the name server of
271	* the domain).
272	*/
273	memset(&hints, 0, sizeof(hints));
274	hints.ai_family = from.ss_family;
275	hints.ai_socktype = SOCK_STREAM;
276	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
277	logit("reverse mapping checking getaddrinfo for %.700s "
278	"[%s] failed.", name, ntop);
279	return xstrdup(ntop);
280	}
281	/* Look for the address from the list of addresses. */
282	for (ai = aitop; ai; ai = ai->ai_next) {
283	if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
284	sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
285	(strcmp(ntop, ntop2) == 0))
286	break;
287	}
288	freeaddrinfo(aitop);
289	/* If we reached the end of the list, the address was not there. */
290	if (ai == NULL) {
291	/* Address not found for the host name. */
292	logit("Address %.100s maps to %.600s, but this does not "
293	"map back to the address.", ntop, name);
294	return xstrdup(ntop);
295	}
296	return xstrdup(name);
297	}
298
299	/*
300	* Return the canonical name of the host in the other side of the current
301	* connection. The host name is cached, so it is efficient to call this
302	* several times.
303	*/
304
305	const char *
306	auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
307	{
308	static char *dnsname;
309
310	if (!use_dns)
311	return ssh_remote_ipaddr(ssh);
312	else if (dnsname != NULL)
313	return dnsname;
314	else {
315	dnsname = remote_hostname(ssh);
316	return dnsname;
317	}
318	}