NB: big update - may break stuff. Please test!

- (djm) OpenBSD CVS sync: - markus@cvs.openbsd.org 2001/02/03 03:08:38 [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c] [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8] [sshd_config] make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ - markus@cvs.openbsd.org 2001/02/03 03:19:51 [ssh.1 sshd.8 sshd_config] Skey is now called ChallengeResponse - markus@cvs.openbsd.org 2001/02/03 03:43:09 [sshd.8] use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean channel. note from Erik.Anggard@cygate.se (pr/1659) - stevesk@cvs.openbsd.org 2001/02/03 10:03:06 [ssh.1] typos; ok markus@ - djm@cvs.openbsd.org 2001/02/04 04:11:56 [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h] [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c] Basic interactive sftp client; ok theo@ - (djm) Update RPM specs for new sftp binary - (djm) Update several bits for new optional reverse lookup stuff. I think I got them all.
author: Damien Miller <djm@mindrot.org> 2001-02-04 23:20:18 +1100
committer: Damien Miller <djm@mindrot.org> 2001-02-04 23:20:18 +1100
commit: 33804263583e82fb7e6e36477fe63ebd14f15ecb (patch)
tree: 90d891bedf231b49acdd91f456d58a4142070bd6 /canohost.c
parent: 45cb2937bc8a74c1e1f7da3b35ad4319d3033baf (diff)
1 files changed, 104 insertions, 95 deletions
diff --git a/canohost.c b/canohost.c
index f3a659328..8253e9b6e 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,35 +12,35 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.19 2001/01/29 19:42:33 markus Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.20 2001/02/03 10:08:37 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
 #include "log.h"
+void    check_ip_options(int socket, char *ipaddr);
 /*
 * Return the canonical name of the host at the other end of the socket. The
 * caller should free the returned string with xfree.
 */
 char *
-get_remote_hostname(int socket)
+get_remote_hostname(int socket, int reverse_mapping_check)
 {
        struct sockaddr_storage from;
        int i;
        socklen_t fromlen;
        struct addrinfo hints, *ai, *aitop;
-        char name[MAXHOSTNAMELEN];
+        char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
-        char ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
        /* Get IP address of client. */
        fromlen = sizeof(from);
        memset(&from, 0, sizeof(from));
-        if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) {
+        if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
                debug("getpeername failed: %.100s", strerror(errno));
                fatal_cleanup();
        }
 #ifdef IPV4_IN_IPV6
        if (from.ss_family == AF_INET6) {
                struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from;
@@ -63,6 +63,8 @@ get_remote_hostname(int socket)
                }
        }
 #endif
+        if (from.ss_family == AF_INET)
+                check_ip_options(socket, ntop);
        if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
             NULL, 0, NI_NUMERICHOST) != 0)
@@ -70,120 +72,127 @@ get_remote_hostname(int socket)
        /* Map the IP address to a host name. */
        if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-             NULL, 0, NI_NAMEREQD) == 0) {
+             NULL, 0, NI_NAMEREQD) != 0) {
-                /* Got host name. */
+                /* Host name not found.  Use ip address. */
-                name[sizeof(name) - 1] = '\0';
+                log("Could not reverse map address %.100s.", ntop);
-                /*
+                return xstrdup(ntop);
-                 * Convert it to all lowercase (which is expected by the rest
-                 * of this software).
-                 */
-                for (i = 0; name[i]; i++)
-                        if (isupper(name[i]))
-                                name[i] = tolower(name[i]);
-                /*
-                 * Map it back to an IP address and check that the given
-                 * address actually is an address of this host.  This is
-                 * necessary because anyone with access to a name server can
-                 * define arbitrary names for an IP address. Mapping from
-                 * name to IP address can be trusted better (but can still be
-                 * fooled if the intruder has access to the name server of
-                 * the domain).
-                 */
-                memset(&hints, 0, sizeof(hints));
-                hints.ai_family = from.ss_family;
-                hints.ai_socktype = SOCK_STREAM;
-                if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-                        log("reverse mapping checking getaddrinfo for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
-                        strlcpy(name, ntop, sizeof name);
-                        goto check_ip_options;
-                }
-                /* Look for the address from the list of addresses. */
-                for (ai = aitop; ai; ai = ai->ai_next) {
-                        if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-                            sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-                            (strcmp(ntop, ntop2) == 0))
-                                        break;
-                }
-                freeaddrinfo(aitop);
-                /* If we reached the end of the list, the address was not there. */
-                if (!ai) {
-                        /* Address not found for the host name. */
-                        log("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
-                            ntop, name);
-                        strlcpy(name, ntop, sizeof name);
-                        goto check_ip_options;
-                }
-                /* Address was found for the host name.  We accept the host name. */
-        } else {
-                /* Host name not found.  Use ascii representation of the address. */
-                strlcpy(name, ntop, sizeof name);
-                log("Could not reverse map address %.100s.", name);
        }
-check_ip_options:
+        /* Got host name. */
+        name[sizeof(name) - 1] = '\0';
+        /*
+         * Convert it to all lowercase (which is expected by the rest
+         * of this software).
+         */
+        for (i = 0; name[i]; i++)
+                if (isupper(name[i]))
+                        name[i] = tolower(name[i]);
+        if (!reverse_mapping_check)
+                return xstrdup(name);
        /*
-         * If IP options are supported, make sure there are none (log and
+         * Map it back to an IP address and check that the given
-         * disconnect them if any are found).  Basically we are worried about
+         * address actually is an address of this host.  This is
-         * source routing; it can be used to pretend you are somebody
+         * necessary because anyone with access to a name server can
-         * (ip-address) you are not. That itself may be "almost acceptable"
+         * define arbitrary names for an IP address. Mapping from
-         * under certain circumstances, but rhosts autentication is useless
+         * name to IP address can be trusted better (but can still be
-         * if source routing is accepted. Notice also that if we just dropped
+         * fooled if the intruder has access to the name server of
-         * source routing here, the other side could use IP spoofing to do
+         * the domain).
-         * rest of the interaction and could still bypass security.  So we
-         * exit here if we detect any IP options.
         */
-        /* IP options -- IPv4 only */
+        memset(&hints, 0, sizeof(hints));
-        if (from.ss_family == AF_INET) {
+        hints.ai_family = from.ss_family;
-                u_char options[200], *ucp;
+        hints.ai_socktype = SOCK_STREAM;
-                char text[1024], *cp;
+        if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-                socklen_t option_size;
+                log("reverse mapping checking getaddrinfo for %.700s "
-                int ipproto;
+                    "failed - POSSIBLE BREAKIN ATTEMPT!", name);
-                struct protoent *ip;
+                return xstrdup(ntop);
+        }
-                if ((ip = getprotobyname("ip")) != NULL)
+        /* Look for the address from the list of addresses. */
-                        ipproto = ip->p_proto;
+        for (ai = aitop; ai; ai = ai->ai_next) {
-                else
+                if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-                        ipproto = IPPROTO_IP;
+                    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-                option_size = sizeof(options);
+                    (strcmp(ntop, ntop2) == 0))
-                if (getsockopt(socket, ipproto, IP_OPTIONS, (char *) options,
+                                break;
-                    &option_size) >= 0 && option_size != 0) {
+        }
-                        cp = text;
+        freeaddrinfo(aitop);
-                        /* Note: "text" buffer must be at least 3x as big as options. */
+        /* If we reached the end of the list, the address was not there. */
-                        for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
+        if (!ai) {
-                                sprintf(cp, " %2.2x", *ucp);
+                /* Address not found for the host name. */
-                        log("Connection from %.100s with IP options:%.800s",
+                log("Address %.100s maps to %.600s, but this does not "
-                            ntop, text);
+                    "map back to the address - POSSIBLE BREAKIN ATTEMPT!",
-                        packet_disconnect("Connection from %.100s with IP options:%.800s",
+                    ntop, name);
-                                          ntop, text);
+                return xstrdup(ntop);
-                }
        }
        return xstrdup(name);
 }
 /*
+ * If IP options are supported, make sure there are none (log and
+ * disconnect them if any are found).  Basically we are worried about
+ * source routing; it can be used to pretend you are somebody
+ * (ip-address) you are not. That itself may be "almost acceptable"
+ * under certain circumstances, but rhosts autentication is useless
+ * if source routing is accepted. Notice also that if we just dropped
+ * source routing here, the other side could use IP spoofing to do
+ * rest of the interaction and could still bypass security.  So we
+ * exit here if we detect any IP options.
+ */
+/* IPv4 only */
+void
+check_ip_options(int socket, char *ipaddr)
+{
+        u_char options[200], *ucp;
+        char text[1024], *cp;
+        socklen_t option_size;
+        int ipproto;
+        struct protoent *ip;
+        if ((ip = getprotobyname("ip")) != NULL)
+                ipproto = ip->p_proto;
+        else
+                ipproto = IPPROTO_IP;
+        option_size = sizeof(options);
+        if (getsockopt(socket, ipproto, IP_OPTIONS, (void *)options,
+            &option_size) >= 0 && option_size != 0) {
+                cp = text;
+                /* Note: "text" buffer must be at least 3x as big as options. */
+                for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
+                        sprintf(cp, " %2.2x", *ucp);
+                log("Connection from %.100s with IP options:%.800s",
+                    ipaddr, text);
+                packet_disconnect("Connection from %.100s with IP options:%.800s",
+                    ipaddr, text);
+        }
+}
+/*
 * Return the canonical name of the host in the other side of the current
 * connection.  The host name is cached, so it is efficient to call this
 * several times.
 */
 const char *
-get_canonical_hostname()
+get_canonical_hostname(int reverse_mapping_check)
 {
        static char *canonical_host_name = NULL;
+        static int reverse_mapping_checked = 0;
-        /* Check if we have previously retrieved this same name. */
+        /* Check if we have previously retrieved name with same option. */
-        if (canonical_host_name != NULL)
+        if (canonical_host_name != NULL) {
-                return canonical_host_name;
+                if (reverse_mapping_checked != reverse_mapping_check)
+                        xfree(canonical_host_name);
+                else
+                        return canonical_host_name;
+        }
        /* Get the real hostname if socket; otherwise return UNKNOWN. */
        if (packet_connection_is_on_socket())
-                canonical_host_name = get_remote_hostname(packet_get_connection_in());
+                canonical_host_name = get_remote_hostname(
+                    packet_get_connection_in(), reverse_mapping_check);
        else
                canonical_host_name = xstrdup("UNKNOWN");
+        reverse_mapping_checked = reverse_mapping_check;
        return canonical_host_name;
 }
author	Damien Miller <djm@mindrot.org>	2001-02-04 23:20:18 +1100
committer	Damien Miller <djm@mindrot.org>	2001-02-04 23:20:18 +1100
commit	33804263583e82fb7e6e36477fe63ebd14f15ecb (patch)
tree	90d891bedf231b49acdd91f456d58a4142070bd6 /canohost.c
parent	45cb2937bc8a74c1e1f7da3b35ad4319d3033baf (diff)

diff --git a/canohost.c b/canohost.c index f3a659328..8253e9b6e 100644 --- a/canohost.c +++ b/canohost.c
@@ -12,35 +12,35 @@
12	*/	12	*/
13		13
14	#include "includes.h"	14	#include "includes.h"
15	RCSID("$OpenBSD: canohost.c,v 1.19 2001/01/29 19:42:33 markus Exp $");	15	RCSID("$OpenBSD: canohost.c,v 1.20 2001/02/03 10:08:37 markus Exp $");
16		16
17	#include "packet.h"	17	#include "packet.h"
18	#include "xmalloc.h"	18	#include "xmalloc.h"
19	#include "log.h"	19	#include "log.h"
20		20
		21	void check_ip_options(int socket, char *ipaddr);
		22
21	/*	23	/*
22	* Return the canonical name of the host at the other end of the socket. The	24	* Return the canonical name of the host at the other end of the socket. The
23	* caller should free the returned string with xfree.	25	* caller should free the returned string with xfree.
24	*/	26	*/
25		27
26	char *	28	char *
27	get_remote_hostname(int socket)	29	get_remote_hostname(int socket, int reverse_mapping_check)
28	{	30	{
29	struct sockaddr_storage from;	31	struct sockaddr_storage from;
30	int i;	32	int i;
31	socklen_t fromlen;	33	socklen_t fromlen;
32	struct addrinfo hints, ai, aitop;	34	struct addrinfo hints, ai, aitop;
33	char name[MAXHOSTNAMELEN];	35	char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
34	char ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
35		36
36	/* Get IP address of client. */	37	/* Get IP address of client. */
37	fromlen = sizeof(from);	38	fromlen = sizeof(from);
38	memset(&from, 0, sizeof(from));	39	memset(&from, 0, sizeof(from));
39	if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) {	40	if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
40	debug("getpeername failed: %.100s", strerror(errno));	41	debug("getpeername failed: %.100s", strerror(errno));
41	fatal_cleanup();	42	fatal_cleanup();
42	}	43	}
43
44	#ifdef IPV4_IN_IPV6	44	#ifdef IPV4_IN_IPV6
45	if (from.ss_family == AF_INET6) {	45	if (from.ss_family == AF_INET6) {
46	struct sockaddr_in6 from6 = (struct sockaddr_in6 )&from;	46	struct sockaddr_in6 from6 = (struct sockaddr_in6 )&from;
@@ -63,6 +63,8 @@ get_remote_hostname(int socket)
63	}	63	}
64	}	64	}
65	#endif	65	#endif
		66	if (from.ss_family == AF_INET)
		67	check_ip_options(socket, ntop);
66		68
67	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),	69	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
68	NULL, 0, NI_NUMERICHOST) != 0)	70	NULL, 0, NI_NUMERICHOST) != 0)
@@ -70,120 +72,127 @@ get_remote_hostname(int socket)
70		72
71	/* Map the IP address to a host name. */	73	/* Map the IP address to a host name. */
72	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),	74	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
73	NULL, 0, NI_NAMEREQD) == 0) {	75	NULL, 0, NI_NAMEREQD) != 0) {
74	/* Got host name. */	76	/* Host name not found. Use ip address. */
75	name[sizeof(name) - 1] = '\0';	77	log("Could not reverse map address %.100s.", ntop);
76	/*	78	return xstrdup(ntop);
77	* Convert it to all lowercase (which is expected by the rest
78	* of this software).
79	*/
80	for (i = 0; name[i]; i++)
81	if (isupper(name[i]))
82	name[i] = tolower(name[i]);
83
84	/*
85	* Map it back to an IP address and check that the given
86	* address actually is an address of this host. This is
87	* necessary because anyone with access to a name server can
88	* define arbitrary names for an IP address. Mapping from
89	* name to IP address can be trusted better (but can still be
90	* fooled if the intruder has access to the name server of
91	* the domain).
92	*/
93	memset(&hints, 0, sizeof(hints));
94	hints.ai_family = from.ss_family;
95	hints.ai_socktype = SOCK_STREAM;
96	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
97	log("reverse mapping checking getaddrinfo for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
98	strlcpy(name, ntop, sizeof name);
99	goto check_ip_options;
100	}
101	/* Look for the address from the list of addresses. */
102	for (ai = aitop; ai; ai = ai->ai_next) {
103	if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
104	sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
105	(strcmp(ntop, ntop2) == 0))
106	break;
107	}
108	freeaddrinfo(aitop);
109	/* If we reached the end of the list, the address was not there. */
110	if (!ai) {
111	/* Address not found for the host name. */
112	log("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
113	ntop, name);
114	strlcpy(name, ntop, sizeof name);
115	goto check_ip_options;
116	}
117	/* Address was found for the host name. We accept the host name. */
118	} else {
119	/* Host name not found. Use ascii representation of the address. */
120	strlcpy(name, ntop, sizeof name);
121	log("Could not reverse map address %.100s.", name);
122	}	79	}
123		80
124	check_ip_options:	81	/* Got host name. */
		82	name[sizeof(name) - 1] = '\0';
		83	/*
		84	* Convert it to all lowercase (which is expected by the rest
		85	* of this software).
		86	*/
		87	for (i = 0; name[i]; i++)
		88	if (isupper(name[i]))
		89	name[i] = tolower(name[i]);
125		90
		91	if (!reverse_mapping_check)
		92	return xstrdup(name);
126	/*	93	/*
127	* If IP options are supported, make sure there are none (log and	94	* Map it back to an IP address and check that the given
128	* disconnect them if any are found). Basically we are worried about	95	* address actually is an address of this host. This is
129	* source routing; it can be used to pretend you are somebody	96	* necessary because anyone with access to a name server can
130	* (ip-address) you are not. That itself may be "almost acceptable"	97	* define arbitrary names for an IP address. Mapping from
131	* under certain circumstances, but rhosts autentication is useless	98	* name to IP address can be trusted better (but can still be
132	* if source routing is accepted. Notice also that if we just dropped	99	* fooled if the intruder has access to the name server of
133	* source routing here, the other side could use IP spoofing to do	100	* the domain).
134	* rest of the interaction and could still bypass security. So we
135	* exit here if we detect any IP options.
136	*/	101	*/
137	/* IP options -- IPv4 only */	102	memset(&hints, 0, sizeof(hints));
138	if (from.ss_family == AF_INET) {	103	hints.ai_family = from.ss_family;
139	u_char options[200], *ucp;	104	hints.ai_socktype = SOCK_STREAM;
140	char text[1024], *cp;	105	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
141	socklen_t option_size;	106	log("reverse mapping checking getaddrinfo for %.700s "
142	int ipproto;	107	"failed - POSSIBLE BREAKIN ATTEMPT!", name);
143	struct protoent *ip;	108	return xstrdup(ntop);
144		109	}
145	if ((ip = getprotobyname("ip")) != NULL)	110	/* Look for the address from the list of addresses. */
146	ipproto = ip->p_proto;	111	for (ai = aitop; ai; ai = ai->ai_next) {
147	else	112	if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
148	ipproto = IPPROTO_IP;	113	sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
149	option_size = sizeof(options);	114	(strcmp(ntop, ntop2) == 0))
150	if (getsockopt(socket, ipproto, IP_OPTIONS, (char *) options,	115	break;
151	&option_size) >= 0 && option_size != 0) {	116	}
152	cp = text;	117	freeaddrinfo(aitop);
153	/* Note: "text" buffer must be at least 3x as big as options. */	118	/* If we reached the end of the list, the address was not there. */
154	for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)	119	if (!ai) {
155	sprintf(cp, " %2.2x", *ucp);	120	/* Address not found for the host name. */
156	log("Connection from %.100s with IP options:%.800s",	121	log("Address %.100s maps to %.600s, but this does not "
157	ntop, text);	122	"map back to the address - POSSIBLE BREAKIN ATTEMPT!",
158	packet_disconnect("Connection from %.100s with IP options:%.800s",	123	ntop, name);
159	ntop, text);	124	return xstrdup(ntop);
160	}
161	}	125	}
162
163	return xstrdup(name);	126	return xstrdup(name);
164	}	127	}
165		128
166	/*	129	/*
		130	* If IP options are supported, make sure there are none (log and
		131	* disconnect them if any are found). Basically we are worried about
		132	* source routing; it can be used to pretend you are somebody
		133	* (ip-address) you are not. That itself may be "almost acceptable"
		134	* under certain circumstances, but rhosts autentication is useless
		135	* if source routing is accepted. Notice also that if we just dropped
		136	* source routing here, the other side could use IP spoofing to do
		137	* rest of the interaction and could still bypass security. So we
		138	* exit here if we detect any IP options.
		139	*/
		140	/* IPv4 only */
		141	void
		142	check_ip_options(int socket, char *ipaddr)
		143	{
		144	u_char options[200], *ucp;
		145	char text[1024], *cp;
		146	socklen_t option_size;
		147	int ipproto;
		148	struct protoent *ip;
		149
		150	if ((ip = getprotobyname("ip")) != NULL)
		151	ipproto = ip->p_proto;
		152	else
		153	ipproto = IPPROTO_IP;
		154	option_size = sizeof(options);
		155	if (getsockopt(socket, ipproto, IP_OPTIONS, (void *)options,
		156	&option_size) >= 0 && option_size != 0) {
		157	cp = text;
		158	/* Note: "text" buffer must be at least 3x as big as options. */
		159	for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
		160	sprintf(cp, " %2.2x", *ucp);
		161	log("Connection from %.100s with IP options:%.800s",
		162	ipaddr, text);
		163	packet_disconnect("Connection from %.100s with IP options:%.800s",
		164	ipaddr, text);
		165	}
		166	}
		167
		168	/*
167	* Return the canonical name of the host in the other side of the current	169	* Return the canonical name of the host in the other side of the current
168	* connection. The host name is cached, so it is efficient to call this	170	* connection. The host name is cached, so it is efficient to call this
169	* several times.	171	* several times.
170	*/	172	*/
171		173
172	const char *	174	const char *
173	get_canonical_hostname()	175	get_canonical_hostname(int reverse_mapping_check)
174	{	176	{
175	static char *canonical_host_name = NULL;	177	static char *canonical_host_name = NULL;
		178	static int reverse_mapping_checked = 0;
176		179
177	/* Check if we have previously retrieved this same name. */	180	/* Check if we have previously retrieved name with same option. */
178	if (canonical_host_name != NULL)	181	if (canonical_host_name != NULL) {
179	return canonical_host_name;	182	if (reverse_mapping_checked != reverse_mapping_check)
		183	xfree(canonical_host_name);
		184	else
		185	return canonical_host_name;
		186	}
180		187
181	/* Get the real hostname if socket; otherwise return UNKNOWN. */	188	/* Get the real hostname if socket; otherwise return UNKNOWN. */
182	if (packet_connection_is_on_socket())	189	if (packet_connection_is_on_socket())
183	canonical_host_name = get_remote_hostname(packet_get_connection_in());	190	canonical_host_name = get_remote_hostname(
		191	packet_get_connection_in(), reverse_mapping_check);
184	else	192	else
185	canonical_host_name = xstrdup("UNKNOWN");	193	canonical_host_name = xstrdup("UNKNOWN");
186		194
		195	reverse_mapping_checked = reverse_mapping_check;
187	return canonical_host_name;	196	return canonical_host_name;
188	}	197	}
189		198