- (djm) OpenBSD CVS Sync

   - markus@cvs.openbsd.org 2003/06/02 09:17:34
     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
     [sshd_config.5]
     deprecate VerifyReverseMapping since it's dangerous if combined
     with IP based access control as noted by Mike Harding; replace with
     a UseDNS option, UseDNS is on by default and includes the
     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
     ok deraadt@, djm@
 - (djm) Fix portable-specific uses of verify_reverse_mapping too

16 files changed, 91 insertions, 68 deletions

diff --git a/ChangeLog b/ChangeLog
index ada1bd2d9..6627ec3fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,17 @@
 20030603
  - (djm) Replace setproctitle replacement with code derived from 
    UCB sendmail
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/06/02 09:17:34
+     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
+     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
+     [sshd_config.5]
+     deprecate VerifyReverseMapping since it's dangerous if combined
+     with IP based access control as noted by Mike Harding; replace with
+     a UseDNS option, UseDNS is on by default and includes the
+     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
+     ok deraadt@, djm@
+ - (djm) Fix portable-specific uses of verify_reverse_mapping too
 
 20030602
  - (djm) Fix segv from bad reordering in auth-pam.c
@@ -1648,4 +1659,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2764 2003/06/03 00:14:28 djm Exp $
+$Id: ChangeLog,v 1.2765 2003/06/03 00:25:48 djm Exp $
diff --git a/auth-options.c b/auth-options.c
index d8976b172..0e146ab15 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.27 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
 
 #include "xmalloc.h"
 #include "match.h"
@@ -173,7 +173,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
                         const char *remote_ip = get_remote_ipaddr();
                         const char *remote_host = get_canonical_hostname(
-                            options.verify_reverse_mapping);
+                            options.use_dns);
                         char *patterns = xmalloc(strlen(opts) + 1);
 
                         opts += strlen(cp);
diff --git a/auth-pam.c b/auth-pam.c
index b8381646b..057164ad3 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.63 2003/06/02 01:04:39 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.64 2003/06/03 00:25:48 djm Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -299,8 +299,7 @@ sshpam_init(const char *user)
                 sshpam_handle = NULL;
                 return (-1);
         }
-        pam_rhost = get_remote_name_or_ip(utmp_len,
-            options.verify_reverse_mapping);
+        pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
         debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
         sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
         if (sshpam_err != PAM_SUCCESS) {
diff --git a/auth-passwd.c b/auth-passwd.c
index b893165bf..9a94c373f 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -144,22 +144,24 @@ auth_password(Authctxt *authctxt, const char *password)
                 HANDLE hToken = cygwin_logon_user(pw, password);
 
                 if (hToken == INVALID_HANDLE_VALUE)
-                        return 0;
+                        return (0);
                 cygwin_set_impersonation_token(hToken);
-                return 1;
+                return (1);
         }
 # endif
 # ifdef WITH_AIXAUTHENTICATE
         authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
 
-        if (authsuccess)
+        if (authsuccess) {
                 /* We don't have a pty yet, so just label the line as "ssh" */
                 if (loginsuccess(authctxt->user,
-                        get_canonical_hostname(options.verify_reverse_mapping),
-                        "ssh", &aixloginmsg) < 0)
-                                aixloginmsg = NULL;
+                    get_canonical_hostname(options.use_dns),
+                    "ssh", &aixloginmsg) < 0) {
+                        aixloginmsg = NULL;
+                }
+        }
 
-        return(authsuccess);
+        return (authsuccess);
 # endif
 # ifdef KRB4
         if (options.kerberos_authentication == 1) {
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index 4d6f0d234..2eb7e6e2d 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.35 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");
 
 #include "packet.h"
 #include "uidswap.h"
@@ -63,7 +63,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
             client_host_key->rsa == NULL)
                 return 0;
 
-        chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
+        chost = (char *)get_canonical_hostname(options.use_dns);
         debug("Rhosts RSA authentication: canonical host %.900s", chost);
 
         if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
diff --git a/auth-rhosts.c b/auth-rhosts.c
index a38478108..b42a64c90 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.30 2003/05/17 03:25:58 itojun Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $");
 
 #include "packet.h"
 #include "uidswap.h"
@@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
 {
         const char *hostname, *ipaddr;
 
-        hostname = get_canonical_hostname(options.verify_reverse_mapping);
+        hostname = get_canonical_hostname(options.use_dns);
         ipaddr = get_remote_ipaddr();
         return auth_rhosts2(pw, client_user, hostname, ipaddr);
 }
diff --git a/auth-sia.c b/auth-sia.c
index 05cf47c40..cae5f0912 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -52,7 +52,7 @@ auth_sia_password(Authctxt *authctxt, char *pass)
         SIAENTITY *ent = NULL;
         const char *host;
 
-        host = get_canonical_hostname(options.verify_reverse_mapping);
+        host = get_canonical_hostname(options.use_dns);
 
         if (!authctxt->user || pass == NULL || pass[0] == '\0')
                 return (0);
@@ -81,7 +81,7 @@ session_setup_sia(struct passwd *pw, char *tty)
         SIAENTITY *ent = NULL;
         const char *host;
 
-        host = get_canonical_hostname(options.verify_reverse_mapping);
+        host = get_canonical_hostname(options.use_dns);
 
         if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, 
             tty, 0, NULL) != SIASUCCESS)
diff --git a/auth.c b/auth.c
index 8b58cc671..6b48addf7 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.47 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -141,7 +141,7 @@ allowed_user(struct passwd * pw)
         }
 
         if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-                hostname = get_canonical_hostname(options.verify_reverse_mapping);
+                hostname = get_canonical_hostname(options.use_dns);
                 ipaddr = get_remote_ipaddr();
         }
 
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index f8b4ae852..bbc7d8a4d 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2-hostbased.c,v 1.3 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $");
 
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -136,7 +136,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
         HostStatus host_status;
         int len;
 
-        resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
+        resolvedname = get_canonical_hostname(options.use_dns);
         ipaddr = get_remote_ipaddr();
 
         debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
diff --git a/canohost.c b/canohost.c
index 417d95c18..533f2c24a 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.36 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
  */
 
 static char *
-get_remote_hostname(int socket, int verify_reverse_mapping)
+get_remote_hostname(int socket, int use_dns)
 {
         struct sockaddr_storage from;
         int i;
@@ -72,6 +72,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
             NULL, 0, NI_NUMERICHOST) != 0)
                 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
 
+        if (!use_dns)
+                return xstrdup(ntop);
+
         if (from.ss_family == AF_INET)
                 check_ip_options(socket, ntop);
 
@@ -80,14 +83,24 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
         if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
             NULL, 0, NI_NAMEREQD) != 0) {
                 /* Host name not found.  Use ip address. */
-#if 0
-                logit("Could not reverse map address %.100s.", ntop);
-#endif
                 return xstrdup(ntop);
         }
 
-        /* Got host name. */
-        name[sizeof(name) - 1] = '\0';
+        /*
+         * if reverse lookup result looks like a numeric hostname,
+         * someone is trying to trick us by PTR record like following:
+         *      1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
+         */
+        memset(&hints, 0, sizeof(hints));
+        hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+        hints.ai_flags = AI_NUMERICHOST;
+        if (getaddrinfo(name, "0", &hints, &ai) == 0) {
+                logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+                    name, ntop);
+                freeaddrinfo(ai);
+                return xstrdup(ntop);
+        }
+
         /*
          * Convert it to all lowercase (which is expected by the rest
          * of this software).
@@ -95,9 +108,6 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
         for (i = 0; name[i]; i++)
                 if (isupper(name[i]))
                         name[i] = tolower(name[i]);
-
-        if (!verify_reverse_mapping)
-                return xstrdup(name);
         /*
          * Map it back to an IP address and check that the given
          * address actually is an address of this host.  This is
@@ -180,14 +190,14 @@ check_ip_options(int socket, char *ipaddr)
  */
 
 const char *
-get_canonical_hostname(int verify_reverse_mapping)
+get_canonical_hostname(int use_dns)
 {
         static char *canonical_host_name = NULL;
-        static int verify_reverse_mapping_done = 0;
+        static int use_dns_done = 0;
 
         /* Check if we have previously retrieved name with same option. */
         if (canonical_host_name != NULL) {
-                if (verify_reverse_mapping_done != verify_reverse_mapping)
+                if (use_dns_done != use_dns)
                         xfree(canonical_host_name);
                 else
                         return canonical_host_name;
@@ -196,11 +206,11 @@ get_canonical_hostname(int verify_reverse_mapping)
         /* Get the real hostname if socket; otherwise return UNKNOWN. */
         if (packet_connection_is_on_socket())
                 canonical_host_name = get_remote_hostname(
-                    packet_get_connection_in(), verify_reverse_mapping);
+                    packet_get_connection_in(), use_dns);
         else
                 canonical_host_name = xstrdup("UNKNOWN");
 
-        verify_reverse_mapping_done = verify_reverse_mapping;
+        use_dns_done = use_dns;
         return canonical_host_name;
 }
 
@@ -294,11 +304,11 @@ get_remote_ipaddr(void)
 }
 
 const char *
-get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
+get_remote_name_or_ip(u_int utmp_len, int use_dns)
 {
         static const char *remote = "";
         if (utmp_len > 0)
-                remote = get_canonical_hostname(verify_reverse_mapping);
+                remote = get_canonical_hostname(use_dns);
         if (utmp_len == 0 || strlen(remote) > utmp_len)
                 remote = get_remote_ipaddr();
         return remote;
diff --git a/monitor.c b/monitor.c
index 3b7a6f8e3..707d314b3 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.41 2003/05/24 09:30:40 djm Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.42 2003/06/02 09:17:34 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -1157,7 +1157,7 @@ mm_record_login(Session *s, struct passwd *pw)
         }
         /* Record that there was a login on that tty from the remote host. */
         record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
-            get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+            get_remote_name_or_ip(utmp_len, options.use_dns),
             (struct sockaddr *)&from, fromlen);
 }
 
diff --git a/servconf.c b/servconf.c
index a737f4b46..c501d7b64 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
 
 #if defined(KRB4)
 #include <krb.h>
@@ -116,7 +116,7 @@ initialize_server_options(ServerOptions *options)
         options->max_startups_rate = -1;
         options->max_startups = -1;
         options->banner = NULL;
-        options->verify_reverse_mapping = -1;
+        options->use_dns = -1;
         options->client_alive_interval = -1;
         options->client_alive_count_max = -1;
         options->authorized_keys_file = NULL;
@@ -232,8 +232,8 @@ fill_default_server_options(ServerOptions *options)
                 options->max_startups_rate = 100;               /* 100% */
         if (options->max_startups_begin == -1)
                 options->max_startups_begin = options->max_startups;
-        if (options->verify_reverse_mapping == -1)
-                options->verify_reverse_mapping = 0;
+        if (options->use_dns == -1)
+                options->use_dns = 1;
         if (options->client_alive_interval == -1)
                 options->client_alive_interval = 0;
         if (options->client_alive_count_max == -1)
@@ -282,7 +282,7 @@ typedef enum {
         sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
         sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
         sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
-        sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
+        sBanner, sUseDNS, sHostbasedAuthentication,
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
         sUsePrivilegeSeparation,
@@ -366,8 +366,9 @@ static struct {
         { "subsystem", sSubsystem },
         { "maxstartups", sMaxStartups },
         { "banner", sBanner },
-        { "verifyreversemapping", sVerifyReverseMapping },
-        { "reversemappingcheck", sVerifyReverseMapping },
+        { "usedns", sUseDNS },
+        { "verifyreversemapping", sDeprecated },
+        { "reversemappingcheck", sDeprecated },
         { "clientaliveinterval", sClientAliveInterval },
         { "clientalivecountmax", sClientAliveCountMax },
         { "authorizedkeysfile", sAuthorizedKeysFile },
@@ -723,8 +724,8 @@ parse_flag:
                 intptr = &options->gateway_ports;
                 goto parse_flag;
 
-        case sVerifyReverseMapping:
-                intptr = &options->verify_reverse_mapping;
+        case sUseDNS:
+                intptr = &options->use_dns;
                 goto parse_flag;
 
         case sLogFacility:
diff --git a/servconf.h b/servconf.h
index 4ad1ee7be..b676f2b67 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: servconf.h,v 1.60 2003/05/15 01:48:10 jakob Exp $     */
+/*      $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $    */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -112,7 +112,7 @@ typedef struct {
         int     max_startups_rate;
         int     max_startups;
         char   *banner;                 /* SSH-2 banner message */
-        int     verify_reverse_mapping; /* cross-check ip and dns */
+        int     use_dns;
         int     client_alive_interval;  /*
                                          * poke the client this often to
                                          * see if it's still there
diff --git a/session.c b/session.c
index 796c5177c..dc9777de9 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.157 2003/05/14 22:24:42 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -694,7 +694,7 @@ do_pre_login(Session *s)
         }
 
         record_utmp_only(pid, s->tty, s->pw->pw_name,
-            get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+            get_remote_name_or_ip(utmp_len, options.use_dns),
             (struct sockaddr *)&from, fromlen);
 }
 #endif
@@ -749,7 +749,7 @@ do_login(Session *s, const char *command)
         if (!use_privsep)
                 record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
                     get_remote_name_or_ip(utmp_len,
-                    options.verify_reverse_mapping),
+                    options.use_dns),
                     (struct sockaddr *)&from, fromlen);
 
 #ifdef USE_PAM
@@ -1353,7 +1353,7 @@ do_child(Session *s, const char *command)
         /* we have to stash the hostname before we close our socket. */
         if (options.use_login)
                 hostname = get_remote_name_or_ip(utmp_len,
-                    options.verify_reverse_mapping);
+                    options.use_dns);
         /*
          * Close the connection descriptors; note that this is the child, and
          * the server will still have the socket open, and it is important
diff --git a/sshd_config b/sshd_config
index 78fc67c23..c93396b51 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
+#       $OpenBSD: sshd_config,v 1.60 2003/06/02 09:17:34 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -88,7 +88,7 @@
 #MaxStartups 10
 # no default banner path
 #Banner /some/path
-#VerifyReverseMapping no
+#UseDNS yes
 
 # override default of no subsystems
 Subsystem       sftp    /usr/libexec/sftp-server
diff --git a/sshd_config.5 b/sshd_config.5
index 86b3289a1..0c6108e0f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.18 2003/06/02 09:17:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -585,6 +585,14 @@ Gives the facility code that is used when logging messages from
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseDNS
+Specifies whether
+.Nm sshd
+should lookup the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq yes .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
@@ -622,14 +630,6 @@ The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
-.It Cm VerifyReverseMapping
-Specifies whether
-.Nm sshd
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's