1 files changed, 2 insertions, 94 deletions
diff --git a/auth.c b/auth.c
index 086b8ebb1..687c57b42 100644
--- a/auth.c
+++ b/auth.c
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
        case PERMIT_NO_PASSWD:
                if (strcmp(method, "publickey") == 0 ||
                    strcmp(method, "hostbased") == 0 ||
-                    strcmp(method, "gssapi-with-mic") == 0)
+                    strcmp(method, "gssapi-with-mic") == 0 ||
+                    strcmp(method, "gssapi-keyex") == 0)
                        return 1;
                break;
        case PERMIT_FORCED_ONLY:
@@ -725,99 +726,6 @@ fakepw(void)
 }
 /*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-static char *
-remote_hostname(struct ssh *ssh)
-{
-        struct sockaddr_storage from;
-        socklen_t fromlen;
-        struct addrinfo hints, *ai, *aitop;
-        char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-        const char *ntop = ssh_remote_ipaddr(ssh);
-        /* Get IP address of client. */
-        fromlen = sizeof(from);
-        memset(&from, 0, sizeof(from));
-        if (getpeername(ssh_packet_get_connection_in(ssh),
-            (struct sockaddr *)&from, &fromlen) == -1) {
-                debug("getpeername failed: %.100s", strerror(errno));
-                return xstrdup(ntop);
-        }
-        ipv64_normalise_mapped(&from, &fromlen);
-        if (from.ss_family == AF_INET6)
-                fromlen = sizeof(struct sockaddr_in6);
-        debug3("Trying to reverse map address %.100s.", ntop);
-        /* Map the IP address to a host name. */
-        if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-            NULL, 0, NI_NAMEREQD) != 0) {
-                /* Host name not found.  Use ip address. */
-                return xstrdup(ntop);
-        }
-        /*
-         * if reverse lookup result looks like a numeric hostname,
-         * someone is trying to trick us by PTR record like following:
-         *      1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
-         */
-        memset(&hints, 0, sizeof(hints));
-        hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-        hints.ai_flags = AI_NUMERICHOST;
-        if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-                logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-                    name, ntop);
-                freeaddrinfo(ai);
-                return xstrdup(ntop);
-        }
-        /* Names are stored in lowercase. */
-        lowercase(name);
-        /*
-         * Map it back to an IP address and check that the given
-         * address actually is an address of this host.  This is
-         * necessary because anyone with access to a name server can
-         * define arbitrary names for an IP address. Mapping from
-         * name to IP address can be trusted better (but can still be
-         * fooled if the intruder has access to the name server of
-         * the domain).
-         */
-        memset(&hints, 0, sizeof(hints));
-        hints.ai_family = from.ss_family;
-        hints.ai_socktype = SOCK_STREAM;
-        if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-                logit("reverse mapping checking getaddrinfo for %.700s "
-                    "[%s] failed.", name, ntop);
-                return xstrdup(ntop);
-        }
-        /* Look for the address from the list of addresses. */
-        for (ai = aitop; ai; ai = ai->ai_next) {
-                if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-                    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-                    (strcmp(ntop, ntop2) == 0))
-                                break;
-        }
-        freeaddrinfo(aitop);
-        /* If we reached the end of the list, the address was not there. */
-        if (ai == NULL) {
-                /* Address not found for the host name. */
-                logit("Address %.100s maps to %.600s, but this does not "
-                    "map back to the address.", ntop, name);
-                return xstrdup(ntop);
-        }
-        return xstrdup(name);
-}
-/*
 * Return the canonical name of the host in the other side of the current
 * connection.  The host name is cached, so it is efficient to call this
 * several times.

diff --git a/auth.c b/auth.c index 086b8ebb1..687c57b42 100644 --- a/auth.c +++ b/auth.c
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh ssh, const char method)
400	case PERMIT_NO_PASSWD:	400	case PERMIT_NO_PASSWD:
401	if (strcmp(method, "publickey") == 0 \|\|	401	if (strcmp(method, "publickey") == 0 \|\|
402	strcmp(method, "hostbased") == 0 \|\|	402	strcmp(method, "hostbased") == 0 \|\|
403	strcmp(method, "gssapi-with-mic") == 0)	403	strcmp(method, "gssapi-with-mic") == 0 \|\|
		404	strcmp(method, "gssapi-keyex") == 0)
404	return 1;	405	return 1;
405	break;	406	break;
406	case PERMIT_FORCED_ONLY:	407	case PERMIT_FORCED_ONLY:
@@ -725,99 +726,6 @@ fakepw(void)
725	}	726	}
726		727
727	/*	728	/*
728	* Returns the remote DNS hostname as a string. The returned string must not
729	* be freed. NB. this will usually trigger a DNS query the first time it is
730	* called.
731	* This function does additional checks on the hostname to mitigate some
732	* attacks on legacy rhosts-style authentication.
733	* XXX is RhostsRSAAuthentication vulnerable to these?
734	* XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
735	*/
736
737	static char *
738	remote_hostname(struct ssh *ssh)
739	{
740	struct sockaddr_storage from;
741	socklen_t fromlen;
742	struct addrinfo hints, ai, aitop;
743	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
744	const char *ntop = ssh_remote_ipaddr(ssh);
745
746	/* Get IP address of client. */
747	fromlen = sizeof(from);
748	memset(&from, 0, sizeof(from));
749	if (getpeername(ssh_packet_get_connection_in(ssh),
750	(struct sockaddr *)&from, &fromlen) == -1) {
751	debug("getpeername failed: %.100s", strerror(errno));
752	return xstrdup(ntop);
753	}
754
755	ipv64_normalise_mapped(&from, &fromlen);
756	if (from.ss_family == AF_INET6)
757	fromlen = sizeof(struct sockaddr_in6);
758
759	debug3("Trying to reverse map address %.100s.", ntop);
760	/* Map the IP address to a host name. */
761	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
762	NULL, 0, NI_NAMEREQD) != 0) {
763	/* Host name not found. Use ip address. */
764	return xstrdup(ntop);
765	}
766
767	/*
768	* if reverse lookup result looks like a numeric hostname,
769	* someone is trying to trick us by PTR record like following:
770	* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
771	*/
772	memset(&hints, 0, sizeof(hints));
773	hints.ai_socktype = SOCK_DGRAM; /dummy/
774	hints.ai_flags = AI_NUMERICHOST;
775	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
776	logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
777	name, ntop);
778	freeaddrinfo(ai);
779	return xstrdup(ntop);
780	}
781
782	/* Names are stored in lowercase. */
783	lowercase(name);
784
785	/*
786	* Map it back to an IP address and check that the given
787	* address actually is an address of this host. This is
788	* necessary because anyone with access to a name server can
789	* define arbitrary names for an IP address. Mapping from
790	* name to IP address can be trusted better (but can still be
791	* fooled if the intruder has access to the name server of
792	* the domain).
793	*/
794	memset(&hints, 0, sizeof(hints));
795	hints.ai_family = from.ss_family;
796	hints.ai_socktype = SOCK_STREAM;
797	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
798	logit("reverse mapping checking getaddrinfo for %.700s "
799	"[%s] failed.", name, ntop);
800	return xstrdup(ntop);
801	}
802	/* Look for the address from the list of addresses. */
803	for (ai = aitop; ai; ai = ai->ai_next) {
804	if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
805	sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
806	(strcmp(ntop, ntop2) == 0))
807	break;
808	}
809	freeaddrinfo(aitop);
810	/* If we reached the end of the list, the address was not there. */
811	if (ai == NULL) {
812	/* Address not found for the host name. */
813	logit("Address %.100s maps to %.600s, but this does not "
814	"map back to the address.", ntop, name);
815	return xstrdup(ntop);
816	}
817	return xstrdup(name);
818	}
819
820	/*
821	* Return the canonical name of the host in the other side of the current	729	* Return the canonical name of the host in the other side of the current
822	* connection. The host name is cached, so it is efficient to call this	730	* connection. The host name is cached, so it is efficient to call this
823	* several times.	731	* several times.