-rw-r--r--usr.bin/ssh/auth-options.c4
-rw-r--r--usr.bin/ssh/auth-rh-rsa.c4
-rw-r--r--usr.bin/ssh/auth-rhosts.c4
-rw-r--r--usr.bin/ssh/auth.c4
-rw-r--r--usr.bin/ssh/auth2.c4
-rw-r--r--usr.bin/ssh/canohost.c20
-rw-r--r--usr.bin/ssh/servconf.c17
-rw-r--r--usr.bin/ssh/servconf.h4
-rw-r--r--usr.bin/ssh/session.c6
-rw-r--r--usr.bin/ssh/sshd.818
-rw-r--r--usr.bin/ssh/sshd_config4
11 files changed, 45 insertions, 44 deletions
diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c
index 9f90437ca37..8df6a6dfcab 100644
--- a/usr.bin/ssh/auth-options.c
+++ b/usr.bin/ssh/auth-options.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.20 2001/08/30 20:36:34 stevesk Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -170,7 +170,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname(
- options.reverse_mapping_check);
+ options.verify_reverse_mapping);
char *patterns = xmalloc(strlen(opts) + 1);
opts += strlen(cp);
diff --git a/usr.bin/ssh/auth-rh-rsa.c b/usr.bin/ssh/auth-rh-rsa.c
index e8d22a04190..df917583b6a 100644
--- a/usr.bin/ssh/auth-rh-rsa.c
+++ b/usr.bin/ssh/auth-rh-rsa.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.27 2001/12/27 19:54:53 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.28 2002/01/29 14:32:03 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -48,7 +48,7 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, Key *client_host_key
return 0;
canonical_hostname = get_canonical_hostname(
- options.reverse_mapping_check);
+ options.verify_reverse_mapping);
debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
diff --git a/usr.bin/ssh/auth-rhosts.c b/usr.bin/ssh/auth-rhosts.c
index cbceb6319c2..ebbf88f8910 100644
--- a/usr.bin/ssh/auth-rhosts.c
+++ b/usr.bin/ssh/auth-rhosts.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.25 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.26 2002/01/29 14:32:03 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
const char *hostname, *ipaddr;
int ret;
- hostname = get_canonical_hostname(options.reverse_mapping_check);
+ hostname = get_canonical_hostname(options.verify_reverse_mapping);
ipaddr = get_remote_ipaddr();
ret = auth_rhosts2(pw, client_user, hostname, ipaddr);
return ret;
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 47f316f29a3..f2270d985a3 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.31 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth.c,v 1.32 2002/01/29 14:32:03 markus Exp $");
#include <libgen.h>
@@ -77,7 +77,7 @@ allowed_user(struct passwd * pw)
return 0;
if (options.num_deny_users > 0 || options.num_allow_users > 0) {
- hostname = get_canonical_hostname(options.reverse_mapping_check);
+ hostname = get_canonical_hostname(options.verify_reverse_mapping);
ipaddr = get_remote_ipaddr();
}
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 6def8f6769d..9a0fa20a819 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.82 2002/01/13 17:57:37 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.83 2002/01/29 14:32:03 markus Exp $");
#include <openssl/evp.h>
@@ -688,7 +688,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
HostStatus host_status;
int len;
- resolvedname = get_canonical_hostname(options.reverse_mapping_check);
+ resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
ipaddr = get_remote_ipaddr();
debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
diff --git a/usr.bin/ssh/canohost.c b/usr.bin/ssh/canohost.c
index 20c1aa61089..a19fa1f0571 100644
--- a/usr.bin/ssh/canohost.c
+++ b/usr.bin/ssh/canohost.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.29 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.30 2002/01/29 14:32:03 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
*/
static char *
-get_remote_hostname(int socket, int reverse_mapping_check)
+get_remote_hostname(int socket, int verify_reverse_mapping)
{
struct sockaddr_storage from;
int i;
@@ -68,7 +68,7 @@ get_remote_hostname(int socket, int reverse_mapping_check)
if (isupper(name[i]))
name[i] = tolower(name[i]);
- if (!reverse_mapping_check)
+ if (!verify_reverse_mapping)
return xstrdup(name);
/*
* Map it back to an IP address and check that the given
@@ -152,14 +152,14 @@ check_ip_options(int socket, char *ipaddr)
*/
const char *
-get_canonical_hostname(int reverse_mapping_check)
+get_canonical_hostname(int verify_reverse_mapping)
{
static char *canonical_host_name = NULL;
- static int reverse_mapping_checked = 0;
+ static int verify_reverse_mapping_done = 0;
/* Check if we have previously retrieved name with same option. */
if (canonical_host_name != NULL) {
- if (reverse_mapping_checked != reverse_mapping_check)
+ if (verify_reverse_mapping_done != verify_reverse_mapping)
xfree(canonical_host_name);
else
return canonical_host_name;
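Review bot: The new static name `verify_reverse_mapping_done` in get_canonical_hostname() reads like a "verification has completed" flag, but the code stores in it the option value the cached name was resolved with and compares it against the argument (it is assigned in the following hunk, `verify_reverse_mapping_done = verify_reverse_mapping;`). A comment on the declaration would make that clear, e.g. `/* verify_reverse_mapping value the cached name was looked up with */`. The same comment could state that the mismatch branch exists so that a name cached without the forward check is not returned to a caller that asked for verification. The function body continues past this hunk.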
@@ -168,11 +168,11 @@ get_canonical_hostname(int reverse_mapping_check)
/* Get the real hostname if socket; otherwise return UNKNOWN. */
if (packet_connection_is_on_socket())
canonical_host_name = get_remote_hostname(
- packet_get_connection_in(), reverse_mapping_check);
+ packet_get_connection_in(), verify_reverse_mapping);
else
canonical_host_name = xstrdup("UNKNOWN");
- reverse_mapping_checked = reverse_mapping_check;
+ verify_reverse_mapping_done = verify_reverse_mapping;
return canonical_host_name;
}
@@ -259,11 +259,11 @@ get_remote_ipaddr(void)
}
const char *
-get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check)
+get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
{
static const char *remote = "";
if (utmp_len > 0)
- remote = get_canonical_hostname(reverse_mapping_check);
+ remote = get_canonical_hostname(verify_reverse_mapping);
if (utmp_len == 0 || strlen(remote) > utmp_len)
remote = get_remote_ipaddr();
return remote;
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 93de74d55ef..6d3eb171d6f 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.99 2002/01/27 14:57:46 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.100 2002/01/29 14:32:03 markus Exp $");
#if defined(KRB4) || defined(KRB5)
#include <krb.h>
@@ -100,7 +100,7 @@ initialize_server_options(ServerOptions *options)
options->max_startups_rate = -1;
options->max_startups = -1;
options->banner = NULL;
- options->reverse_mapping_check = -1;
+ options->verify_reverse_mapping = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
@@ -210,8 +210,8 @@ fill_default_server_options(ServerOptions *options)
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
- if (options->reverse_mapping_check == -1)
- options->reverse_mapping_check = 0;
+ if (options->verify_reverse_mapping == -1)
+ options->verify_reverse_mapping = 0;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
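Review bot: The default in fill_default_server_options() stays `0`, and nothing at this line says what that implies for code that makes access decisions on the host name. With the option off, get_remote_hostname() returns the reverse-lookup result before the map-back check (`if (!verify_reverse_mapping) return xstrdup(name);` in canohost.c), and that name is what auth_parse_options(), allowed_user(), auth_rhosts() and hostbased_key_allowed() receive in this same commit. I would add a comment such as `/* off: host names used for matching are unverified reverse-DNS results */`, and presumably a matching sentence in the sshd.8 entry. The function starts and ends outside this hunk.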
@@ -251,7 +251,7 @@ typedef enum {
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
- sBanner, sReverseMappingCheck, sHostbasedAuthentication,
+ sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sDeprecated
@@ -320,7 +320,8 @@ static struct {
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
{ "banner", sBanner },
- { "reversemappingcheck", sReverseMappingCheck },
+ { "verifyreversemapping", sVerifyReverseMapping },
+ { "reversemappingcheck", sVerifyReverseMapping },
{ "clientaliveinterval", sClientAliveInterval },
{ "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile },
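Review bot: The retained `reversemappingcheck` entry is a silent alias: nothing in the keyword table marks it as a compatibility keyword, and the sshd.8 hunk removes the ReverseMappingCheck entry without saying the old name is still accepted. I would write it as `{ "reversemappingcheck", sVerifyReverseMapping }, /* obsolete alias for VerifyReverseMapping */` and add a line to the manual, so an administrator auditing an older sshd_config can still find what the keyword does. If a config contains both keywords, which value wins depends on the parse_flag code outside this hunk, so that is worth checking. The table starts and ends outside the hunk.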
@@ -665,8 +666,8 @@ parse_flag:
intptr = &options->gateway_ports;
goto parse_flag;
- case sReverseMappingCheck:
- intptr = &options->reverse_mapping_check;
+ case sVerifyReverseMapping:
+ intptr = &options->verify_reverse_mapping;
goto parse_flag;
case sLogFacility:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index fe4343f281e..f8e7d60541c 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.52 2002/01/27 14:57:46 stevesk Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.53 2002/01/29 14:32:03 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -116,7 +116,7 @@ typedef struct {
int max_startups_rate;
int max_startups;
char *banner; /* SSH-2 banner message */
- int reverse_mapping_check; /* cross-check ip and dns */
+ int verify_reverse_mapping; /* cross-check ip and dns */
int client_alive_interval; /*
* poke the client this often to
* see if it's still there
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 09dfc5caf3f..1074ccc4654 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.119 2002/01/27 14:57:46 stevesk Exp $");
+RCSID("$OpenBSD: session.c,v 1.120 2002/01/29 14:32:03 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -613,7 +613,7 @@ do_login(Session *s, const char *command)
/* Record that there was a login on that tty from the remote host. */
record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
- get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
+ get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
(struct sockaddr *)&from);
if (check_quietlogin(s, command))
@@ -936,7 +936,7 @@ do_child(Session *s, const char *command)
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
- options.reverse_mapping_check);
+ options.verify_reverse_mapping);
/*
* Close the connection descriptors; note that this is the child, and
* the server will still have the socket open, and it is important
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 313d218799f..cbfba07d2dc 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.164 2002/01/27 14:57:46 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.165 2002/01/29 14:32:03 markus Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@@ -758,14 +758,6 @@ Specifies whether public key authentication is allowed.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
-.It Cm ReverseMappingCheck
-Specifies whether
-.Nm
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
.It Cm RhostsAuthentication
Specifies whether authentication using rhosts or /etc/hosts.equiv
files is sufficient.
@@ -833,6 +825,14 @@ will be disabled because
does not know how to handle
.Xr xauth 1
cookies.
+.It Cm VerifyReverseMapping
+Specifies whether
+.Nm
+should try to verify the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq no .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's
diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config
index 2aa2ee5fb04..f68373904c2 100644
--- a/usr.bin/ssh/sshd_config
+++ b/usr.bin/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.45 2002/01/27 14:57:46 stevesk Exp $
+# $OpenBSD: sshd_config,v 1.46 2002/01/29 14:32:03 markus Exp $
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
@@ -80,7 +80,7 @@
#MaxStartups 10
# no default banner path
#Banner /some/path
-#ReverseMappingCheck no
+#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server