diff options
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 96 |
1 files changed, 2 insertions, 94 deletions
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) | |||
400 | case PERMIT_NO_PASSWD: | 400 | case PERMIT_NO_PASSWD: |
401 | if (strcmp(method, "publickey") == 0 || | 401 | if (strcmp(method, "publickey") == 0 || |
402 | strcmp(method, "hostbased") == 0 || | 402 | strcmp(method, "hostbased") == 0 || |
403 | strcmp(method, "gssapi-with-mic") == 0) | 403 | strcmp(method, "gssapi-with-mic") == 0 || |
404 | strcmp(method, "gssapi-keyex") == 0) | ||
404 | return 1; | 405 | return 1; |
405 | break; | 406 | break; |
406 | case PERMIT_FORCED_ONLY: | 407 | case PERMIT_FORCED_ONLY: |
@@ -725,99 +726,6 @@ fakepw(void) | |||
725 | } | 726 | } |
726 | 727 | ||
727 | /* | 728 | /* |
728 | * Returns the remote DNS hostname as a string. The returned string must not | ||
729 | * be freed. NB. this will usually trigger a DNS query the first time it is | ||
730 | * called. | ||
731 | * This function does additional checks on the hostname to mitigate some | ||
732 | * attacks on legacy rhosts-style authentication. | ||
733 | * XXX is RhostsRSAAuthentication vulnerable to these? | ||
734 | * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) | ||
735 | */ | ||
736 | |||
737 | static char * | ||
738 | remote_hostname(struct ssh *ssh) | ||
739 | { | ||
740 | struct sockaddr_storage from; | ||
741 | socklen_t fromlen; | ||
742 | struct addrinfo hints, *ai, *aitop; | ||
743 | char name[NI_MAXHOST], ntop2[NI_MAXHOST]; | ||
744 | const char *ntop = ssh_remote_ipaddr(ssh); | ||
745 | |||
746 | /* Get IP address of client. */ | ||
747 | fromlen = sizeof(from); | ||
748 | memset(&from, 0, sizeof(from)); | ||
749 | if (getpeername(ssh_packet_get_connection_in(ssh), | ||
750 | (struct sockaddr *)&from, &fromlen) == -1) { | ||
751 | debug("getpeername failed: %.100s", strerror(errno)); | ||
752 | return xstrdup(ntop); | ||
753 | } | ||
754 | |||
755 | ipv64_normalise_mapped(&from, &fromlen); | ||
756 | if (from.ss_family == AF_INET6) | ||
757 | fromlen = sizeof(struct sockaddr_in6); | ||
758 | |||
759 | debug3("Trying to reverse map address %.100s.", ntop); | ||
760 | /* Map the IP address to a host name. */ | ||
761 | if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), | ||
762 | NULL, 0, NI_NAMEREQD) != 0) { | ||
763 | /* Host name not found. Use ip address. */ | ||
764 | return xstrdup(ntop); | ||
765 | } | ||
766 | |||
767 | /* | ||
768 | * if reverse lookup result looks like a numeric hostname, | ||
769 | * someone is trying to trick us by PTR record like following: | ||
770 | * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 | ||
771 | */ | ||
772 | memset(&hints, 0, sizeof(hints)); | ||
773 | hints.ai_socktype = SOCK_DGRAM; /*dummy*/ | ||
774 | hints.ai_flags = AI_NUMERICHOST; | ||
775 | if (getaddrinfo(name, NULL, &hints, &ai) == 0) { | ||
776 | logit("Nasty PTR record \"%s\" is set up for %s, ignoring", | ||
777 | name, ntop); | ||
778 | freeaddrinfo(ai); | ||
779 | return xstrdup(ntop); | ||
780 | } | ||
781 | |||
782 | /* Names are stored in lowercase. */ | ||
783 | lowercase(name); | ||
784 | |||
785 | /* | ||
786 | * Map it back to an IP address and check that the given | ||
787 | * address actually is an address of this host. This is | ||
788 | * necessary because anyone with access to a name server can | ||
789 | * define arbitrary names for an IP address. Mapping from | ||
790 | * name to IP address can be trusted better (but can still be | ||
791 | * fooled if the intruder has access to the name server of | ||
792 | * the domain). | ||
793 | */ | ||
794 | memset(&hints, 0, sizeof(hints)); | ||
795 | hints.ai_family = from.ss_family; | ||
796 | hints.ai_socktype = SOCK_STREAM; | ||
797 | if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { | ||
798 | logit("reverse mapping checking getaddrinfo for %.700s " | ||
799 | "[%s] failed.", name, ntop); | ||
800 | return xstrdup(ntop); | ||
801 | } | ||
802 | /* Look for the address from the list of addresses. */ | ||
803 | for (ai = aitop; ai; ai = ai->ai_next) { | ||
804 | if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, | ||
805 | sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && | ||
806 | (strcmp(ntop, ntop2) == 0)) | ||
807 | break; | ||
808 | } | ||
809 | freeaddrinfo(aitop); | ||
810 | /* If we reached the end of the list, the address was not there. */ | ||
811 | if (ai == NULL) { | ||
812 | /* Address not found for the host name. */ | ||
813 | logit("Address %.100s maps to %.600s, but this does not " | ||
814 | "map back to the address.", ntop, name); | ||
815 | return xstrdup(ntop); | ||
816 | } | ||
817 | return xstrdup(name); | ||
818 | } | ||
819 | |||
820 | /* | ||
821 | * Return the canonical name of the host in the other side of the current | 729 | * Return the canonical name of the host in the other side of the current |
822 | * connection. The host name is cached, so it is efficient to call this | 730 | * connection. The host name is cached, so it is efficient to call this |
823 | * several times. | 731 | * several times. |