Gentoo's Bugzilla – Attachment 689376 Details for
Bug 774177
net-misc/openssh-8.5_p1[kerberos]: fails to compile with undefined reference to `auth_get_canonical_hostname'
[patch]
keep_moving_auth_get_canonical_hostname_to_canohost.patch
keep_moving_auth_get_canonical_hostname_to_canohost.patch (text/plain), 7.97 KB, created by
Daniel Pouzzner
on 2021-03-04 18:56:16 UTC
Description:
keep_moving_auth_get_canonical_hostname_to_canohost.patch
Filename:
MIME Type:
Creator:
Daniel Pouzzner
Created:
2021-03-04 18:56:16 UTC
Size:
7.97 KB
patch
obsolete
># 20210304 can't build net-misc/openssh-8.5_p1 without patching --
># /usr/portage/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch moved remote_hostname() and auth_get_canonical_hostname()
># from auth.c to canohost.c, so that they are included in libssh.a, but
># /usr/portage/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch leaves them in auth.c,
># which isn't part of libssh.a, so that linking ssh-keysign fails.
>
>--- openssh-8.5p1/auth.c.dist 2021-03-02 04:31:47.000000000 -0600
>+++ openssh-8.5p1/auth.c 2021-03-04 11:22:44.590041696 -0600
>@@ -727,119 +727,6 @@ fakepw(void)
> return (&fake);
> }
>
>-/*
>- * Returns the remote DNS hostname as a string. The returned string must not
>- * be freed. NB. this will usually trigger a DNS query the first time it is
>- * called.
>- * This function does additional checks on the hostname to mitigate some
>- * attacks on legacy rhosts-style authentication.
>- * XXX is RhostsRSAAuthentication vulnerable to these?
>- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
>- */
>-
>-static char *
>-remote_hostname(struct ssh *ssh)
>-{
>- struct sockaddr_storage from;
>- socklen_t fromlen;
>- struct addrinfo hints, *ai, *aitop;
>- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
>- const char *ntop = ssh_remote_ipaddr(ssh);
>-
>- /* Get IP address of client. */
>- fromlen = sizeof(from);
>- memset(&from, 0, sizeof(from));
>- if (getpeername(ssh_packet_get_connection_in(ssh),
>- (struct sockaddr *)&from, &fromlen) == -1) {
>- debug("getpeername failed: %.100s", strerror(errno));
>- return xstrdup(ntop);
>- }
>-
>- ipv64_normalise_mapped(&from, &fromlen);
>- if (from.ss_family == AF_INET6)
>- fromlen = sizeof(struct sockaddr_in6);
>-
>- debug3("Trying to reverse map address %.100s.", ntop);
>- /* Map the IP address to a host name. */
>- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
>- NULL, 0, NI_NAMEREQD) != 0) {
>- /* Host name not found. Use ip address. */
>- return xstrdup(ntop);
>- }
>-
>- /*
>- * if reverse lookup result looks like a numeric hostname,
>- * someone is trying to trick us by PTR record like following:
>- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
>- */
>- memset(&hints, 0, sizeof(hints));
>- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
>- hints.ai_flags = AI_NUMERICHOST;
>- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
>- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
>- name, ntop);
>- freeaddrinfo(ai);
>- return xstrdup(ntop);
>- }
>-
>- /* Names are stored in lowercase. */
>- lowercase(name);
>-
>- /*
>- * Map it back to an IP address and check that the given
>- * address actually is an address of this host. This is
>- * necessary because anyone with access to a name server can
>- * define arbitrary names for an IP address. Mapping from
>- * name to IP address can be trusted better (but can still be
>- * fooled if the intruder has access to the name server of
>- * the domain).
>- */
>- memset(&hints, 0, sizeof(hints));
>- hints.ai_family = from.ss_family;
>- hints.ai_socktype = SOCK_STREAM;
>- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
>- logit("reverse mapping checking getaddrinfo for %.700s "
>- "[%s] failed.", name, ntop);
>- return xstrdup(ntop);
>- }
>- /* Look for the address from the list of addresses. */
>- for (ai = aitop; ai; ai = ai->ai_next) {
>- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
>- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
>- (strcmp(ntop, ntop2) == 0))
>- break;
>- }
>- freeaddrinfo(aitop);
>- /* If we reached the end of the list, the address was not there. */
>- if (ai == NULL) {
>- /* Address not found for the host name. */
>- logit("Address %.100s maps to %.600s, but this does not "
>- "map back to the address.", ntop, name);
>- return xstrdup(ntop);
>- }
>- return xstrdup(name);
>-}
>-
>-/*
>- * Return the canonical name of the host in the other side of the current
>- * connection. The host name is cached, so it is efficient to call this
>- * several times.
>- */
>-
>-const char *
>-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
>-{
>- static char *dnsname;
>-
>- if (!use_dns)
>- return ssh_remote_ipaddr(ssh);
>- else if (dnsname != NULL)
>- return dnsname;
>- else {
>- dnsname = remote_hostname(ssh);
>- return dnsname;
>- }
>-}
>
> /* These functions link key/cert options to the auth framework */
>
>--- openssh-8.5p1/canohost.c.dist 2021-03-02 04:31:47.000000000 -0600
>+++ openssh-8.5p1/canohost.c 2021-03-04 11:22:54.854211183 -0600
>@@ -202,3 +202,117 @@ get_local_port(int sock)
> {
> return get_sock_port(sock, 1);
> }
>+
>+/*
>+ * Returns the remote DNS hostname as a string. The returned string must not
>+ * be freed. NB. this will usually trigger a DNS query the first time it is
>+ * called.
>+ * This function does additional checks on the hostname to mitigate some
>+ * attacks on legacy rhosts-style authentication.
>+ * XXX is RhostsRSAAuthentication vulnerable to these?
>+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
>+ */
>+
>+static char *
>+remote_hostname(struct ssh *ssh)
>+{
>+ struct sockaddr_storage from;
>+ socklen_t fromlen;
>+ struct addrinfo hints, *ai, *aitop;
>+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
>+ const char *ntop = ssh_remote_ipaddr(ssh);
>+
>+ /* Get IP address of client. */
>+ fromlen = sizeof(from);
>+ memset(&from, 0, sizeof(from));
>+ if (getpeername(ssh_packet_get_connection_in(ssh),
>+ (struct sockaddr *)&from, &fromlen) == -1) {
>+ debug("getpeername failed: %.100s", strerror(errno));
>+ return xstrdup(ntop);
>+ }
>+
>+ ipv64_normalise_mapped(&from, &fromlen);
>+ if (from.ss_family == AF_INET6)
>+ fromlen = sizeof(struct sockaddr_in6);
>+
>+ debug3("Trying to reverse map address %.100s.", ntop);
>+ /* Map the IP address to a host name. */
>+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
>+ NULL, 0, NI_NAMEREQD) != 0) {
>+ /* Host name not found. Use ip address. */
>+ return xstrdup(ntop);
>+ }
>+
>+ /*
>+ * if reverse lookup result looks like a numeric hostname,
>+ * someone is trying to trick us by PTR record like following:
>+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
>+ */
>+ memset(&hints, 0, sizeof(hints));
>+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
>+ hints.ai_flags = AI_NUMERICHOST;
>+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
>+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
>+ name, ntop);
>+ freeaddrinfo(ai);
>+ return xstrdup(ntop);
>+ }
>+
>+ /* Names are stored in lowercase. */
>+ lowercase(name);
>+
>+ /*
>+ * Map it back to an IP address and check that the given
>+ * address actually is an address of this host. This is
>+ * necessary because anyone with access to a name server can
>+ * define arbitrary names for an IP address. Mapping from
>+ * name to IP address can be trusted better (but can still be
>+ * fooled if the intruder has access to the name server of
>+ * the domain).
>+ */
>+ memset(&hints, 0, sizeof(hints));
>+ hints.ai_family = from.ss_family;
>+ hints.ai_socktype = SOCK_STREAM;
>+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
>+ logit("reverse mapping checking getaddrinfo for %.700s "
>+ "[%s] failed.", name, ntop);
>+ return xstrdup(ntop);
>+ }
>+ /* Look for the address from the list of addresses. */
>+ for (ai = aitop; ai; ai = ai->ai_next) {
>+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
>+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
>+ (strcmp(ntop, ntop2) == 0))
>+ break;
>+ }
>+ freeaddrinfo(aitop);
>+ /* If we reached the end of the list, the address was not there. */
>+ if (ai == NULL) {
>+ /* Address not found for the host name. */
>+ logit("Address %.100s maps to %.600s, but this does not "
>+ "map back to the address.", ntop, name);
>+ return xstrdup(ntop);
>+ }
>+ return xstrdup(name);
>+}
>+
>+/*
>+ * Return the canonical name of the host in the other side of the current
>+ * connection. The host name is cached, so it is efficient to call this
>+ * several times.
>+ */
>+
>+const char *
>+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
>+{
>+ static char *dnsname;
>+
>+ if (!use_dns)
>+ return ssh_remote_ipaddr(ssh);
>+ else if (dnsname != NULL)
>+ return dnsname;
>+ else {
>+ dnsname = remote_hostname(ssh);
>+ return dnsname;
>+ }
>+}
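Review bot: The non-static auth_get_canonical_hostname() now defined at the end of this canohost.c hunk has no matching prototype change in the patch, so presumably its declaration still lives in auth.h; that leaves canohost.c compiling a global function without a prototype for it, and forces libssh.a consumers such as ssh-keysign (the preamble's motivating case) to include auth.h to reach code that is no longer part of auth. I would add `const char *auth_get_canonical_hostname(struct ssh *, int);` to canohost.h and keep or drop the auth.h copy accordingly so the definition and its callers agree on one header. Separately, `static char *dnsname` is a process-wide cache keyed to neither `ssh` nor `use_dns`: the first use_dns=1 call pins the answer for the rest of the process, which is fine for sshd's per-connection child but deserves a comment now that the code is linked into client-side binaries, e.g. `/* cached once per process; assumes a single peer per process */`. The lookup logic itself is moved verbatim and still forward-confirms the PTR result (numeric-PTR rejection, then the A/AAAA set must contain the peer address), so the move changes linkage, not the security checks.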