-rw-r--r-- | usr.bin/ssh/auth-options.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/auth-rh-rsa.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/auth-rhosts.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/auth.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/auth2.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/canohost.c | 20 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.c | 17 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/session.c | 6 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.8 | 18 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config | 4 |
11 files changed, 45 insertions, 44 deletions
diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c
index 9f90437ca37..8df6a6dfcab 100644
--- a/usr.bin/ssh/auth-options.c
+++ b/usr.bin/ssh/auth-options.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.20 2001/08/30 20:36:34 stevesk Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.21 2002/01/29 14:32:03 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -170,7 +170,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 const char *remote_ip = get_remote_ipaddr();
 const char *remote_host = get_canonical_hostname(
- options.reverse_mapping_check);
+ options.verify_reverse_mapping);
 char *patterns = xmalloc(strlen(opts) + 1);
 opts += strlen(cp);
diff --git a/usr.bin/ssh/auth-rh-rsa.c b/usr.bin/ssh/auth-rh-rsa.c
index e8d22a04190..df917583b6a 100644
--- a/usr.bin/ssh/auth-rh-rsa.c
+++ b/usr.bin/ssh/auth-rh-rsa.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.27 2001/12/27 19:54:53 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.28 2002/01/29 14:32:03 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -48,7 +48,7 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, Key *client_host_key
 return 0;
 canonical_hostname = get_canonical_hostname(
- options.reverse_mapping_check);
+ options.verify_reverse_mapping);
 debug("Rhosts RSA authentication: canonical host %.900s",
 canonical_hostname);
diff --git a/usr.bin/ssh/auth-rhosts.c b/usr.bin/ssh/auth-rhosts.c
index cbceb6319c2..ebbf88f8910 100644
--- a/usr.bin/ssh/auth-rhosts.c
+++ b/usr.bin/ssh/auth-rhosts.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.25 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.26 2002/01/29 14:32:03 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
 const char *hostname, *ipaddr;
 int ret;
- hostname = get_canonical_hostname(options.reverse_mapping_check);
+ hostname = get_canonical_hostname(options.verify_reverse_mapping);
 ipaddr = get_remote_ipaddr();
 ret = auth_rhosts2(pw, client_user, hostname, ipaddr);
 return ret;
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 47f316f29a3..f2270d985a3 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.31 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: auth.c,v 1.32 2002/01/29 14:32:03 markus Exp $");
 #include <libgen.h>
@@ -77,7 +77,7 @@ allowed_user(struct passwd * pw)
 return 0;
 if (options.num_deny_users > 0 || options.num_allow_users > 0) {
- hostname = get_canonical_hostname(options.reverse_mapping_check);
+ hostname = get_canonical_hostname(options.verify_reverse_mapping);
 ipaddr = get_remote_ipaddr();
 }
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 6def8f6769d..9a0fa20a819 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.82 2002/01/13 17:57:37 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.83 2002/01/29 14:32:03 markus Exp $");
 #include <openssl/evp.h>
@@ -688,7 +688,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 HostStatus host_status;
 int len;
- resolvedname = get_canonical_hostname(options.reverse_mapping_check);
+ resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
 ipaddr = get_remote_ipaddr();
 debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
diff --git a/usr.bin/ssh/canohost.c b/usr.bin/ssh/canohost.c
index 20c1aa61089..a19fa1f0571 100644
--- a/usr.bin/ssh/canohost.c
+++ b/usr.bin/ssh/canohost.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.29 2001/12/19 07:18:56 deraadt Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.30 2002/01/29 14:32:03 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
 */
 static char *
-get_remote_hostname(int socket, int reverse_mapping_check)
+get_remote_hostname(int socket, int verify_reverse_mapping)
 {
 struct sockaddr_storage from;
 int i;
@@ -68,7 +68,7 @@ get_remote_hostname(int socket, int reverse_mapping_check)
 if (isupper(name[i]))
 name[i] = tolower(name[i]);
- if (!reverse_mapping_check)
+ if (!verify_reverse_mapping)
 return xstrdup(name);
 /*
 * Map it back to an IP address and check that the given
@@ -152,14 +152,14 @@ check_ip_options(int socket, char *ipaddr)
 */
 const char *
-get_canonical_hostname(int reverse_mapping_check)
+get_canonical_hostname(int verify_reverse_mapping)
 {
 static char *canonical_host_name = NULL;
- static int reverse_mapping_checked = 0;
+ static int verify_reverse_mapping_done = 0;
 /* Check if we have previously retrieved name with same option. */
 if (canonical_host_name != NULL) {
- if (reverse_mapping_checked != reverse_mapping_check)
+ if (verify_reverse_mapping_done != verify_reverse_mapping)
 xfree(canonical_host_name);
 else
 return canonical_host_name;
@@ -168,11 +168,11 @@ get_canonical_hostname(int reverse_mapping_check)
 /* Get the real hostname if socket; otherwise return UNKNOWN. */
 if (packet_connection_is_on_socket())
 canonical_host_name = get_remote_hostname(
- packet_get_connection_in(), reverse_mapping_check);
+ packet_get_connection_in(), verify_reverse_mapping);
 else
 canonical_host_name = xstrdup("UNKNOWN");
- reverse_mapping_checked = reverse_mapping_check;
+ verify_reverse_mapping_done = verify_reverse_mapping;
 return canonical_host_name;
 }
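Review bot: In get_canonical_hostname the renamed static `verify_reverse_mapping_done` reads as a "verification has completed" flag, but what the code stores is the verify option the cached name was resolved under, which it then compares with the caller's argument to decide whether to free and re-resolve. A name that says that avoids the misreading, e.g. `static int cached_verify_reverse_mapping = 0;` with the comparison and the assignment at the end of the function updated to match, plus a comment on the declaration such as `/* verify flag the cached name was resolved with */`. Since the cached name feeds rhosts and AllowUsers/DenyUsers matching elsewhere in this commit, keeping the cache-invalidation condition obvious is worth the extra word. The `@@ -152,14` hunk ends inside the function body; the `@@ -168,11` hunk reaches its closing brace.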
@@ -259,11 +259,11 @@ get_remote_ipaddr(void)
 }
 const char *
-get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check)
+get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
 {
 static const char *remote = "";
 if (utmp_len > 0)
- remote = get_canonical_hostname(reverse_mapping_check);
+ remote = get_canonical_hostname(verify_reverse_mapping);
 if (utmp_len == 0 || strlen(remote) > utmp_len)
 remote = get_remote_ipaddr();
 return remote;
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 93de74d55ef..6d3eb171d6f 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.99 2002/01/27 14:57:46 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.100 2002/01/29 14:32:03 markus Exp $");
 #if defined(KRB4) || defined(KRB5)
 #include <krb.h>
@@ -100,7 +100,7 @@ initialize_server_options(ServerOptions *options)
 options->max_startups_rate = -1;
 options->max_startups = -1;
 options->banner = NULL;
- options->reverse_mapping_check = -1;
+ options->verify_reverse_mapping = -1;
 options->client_alive_interval = -1;
 options->client_alive_count_max = -1;
 options->authorized_keys_file = NULL;
@@ -210,8 +210,8 @@ fill_default_server_options(ServerOptions *options)
 options->max_startups_rate = 100; /* 100% */
 if (options->max_startups_begin == -1)
 options->max_startups_begin = options->max_startups;
- if (options->reverse_mapping_check == -1)
- options->reverse_mapping_check = 0;
+ if (options->verify_reverse_mapping == -1)
+ options->verify_reverse_mapping = 0;
 if (options->client_alive_interval == -1)
 options->client_alive_interval = 0;
 if (options->client_alive_count_max == -1)
@@ -251,7 +251,7 @@ typedef enum {
 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
- sBanner, sReverseMappingCheck, sHostbasedAuthentication,
+ sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sDeprecated
@@ -320,7 +320,8 @@ static struct {
 { "subsystem", sSubsystem },
 { "maxstartups", sMaxStartups },
 { "banner", sBanner },
- { "reversemappingcheck", sReverseMappingCheck },
+ { "verifyreversemapping", sVerifyReverseMapping },
+ { "reversemappingcheck", sVerifyReverseMapping },
 { "clientaliveinterval", sClientAliveInterval },
 { "clientalivecountmax", sClientAliveCountMax },
 { "authorizedkeysfile", sAuthorizedKeysFile },
@@ -665,8 +666,8 @@ parse_flag:
 intptr = &options->gateway_ports;
 goto parse_flag;
- case sReverseMappingCheck:
- intptr = &options->reverse_mapping_check;
+ case sVerifyReverseMapping:
+ intptr = &options->verify_reverse_mapping;
 goto parse_flag;
 case sLogFacility:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index fe4343f281e..f8e7d60541c 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -11,7 +11,7 @@
 * called by a name other than "ssh" or "Secure Shell".
 */
-/* RCSID("$OpenBSD: servconf.h,v 1.52 2002/01/27 14:57:46 stevesk Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.53 2002/01/29 14:32:03 markus Exp $"); */
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -116,7 +116,7 @@ typedef struct {
 int max_startups_rate;
 int max_startups;
 char *banner; /* SSH-2 banner message */
- int reverse_mapping_check; /* cross-check ip and dns */
+ int verify_reverse_mapping; /* cross-check ip and dns */
 int client_alive_interval; /*
 * poke the client this often to
 * see if it's still there
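Review bot: The compatibility entry added to the keyword table, `{ "reversemappingcheck", sVerifyReverseMapping },`, is accepted silently while the same commit deletes the `ReverseMappingCheck` entry from sshd.8, so a later reader of servconf.c has nothing to tell them the second spelling is deliberate rather than a leftover, and an administrator has no prompt to migrate. I would at least mark it, `{ "reversemappingcheck", sVerifyReverseMapping },	/* obsolete alias of VerifyReverseMapping */`, and consider having the parser emit a one-line notice when the old spelling is read so that configs are updated before the alias is eventually dropped. The keywords table and the `parse_flag` switch both begin outside this hunk.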
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 09dfc5caf3f..1074ccc4654 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.119 2002/01/27 14:57:46 stevesk Exp $");
+RCSID("$OpenBSD: session.c,v 1.120 2002/01/29 14:32:03 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -613,7 +613,7 @@ do_login(Session *s, const char *command)
 /* Record that there was a login on that tty from the remote host. */
 record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
- get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
+ get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
 (struct sockaddr *)&from);
 if (check_quietlogin(s, command))
@@ -936,7 +936,7 @@ do_child(Session *s, const char *command)
 /* we have to stash the hostname before we close our socket. */
 if (options.use_login)
 hostname = get_remote_name_or_ip(utmp_len,
- options.reverse_mapping_check);
+ options.verify_reverse_mapping);
 /*
 * Close the connection descriptors; note that this is the child, and
 * the server will still have the socket open, and it is important
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 313d218799f..cbfba07d2dc 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.164 2002/01/27 14:57:46 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.165 2002/01/29 14:32:03 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -758,14 +758,6 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
-.It Cm ReverseMappingCheck
-Specifies whether
-.Nm
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
 .It Cm RhostsAuthentication
 Specifies whether authentication using rhosts or /etc/hosts.equiv
 files is sufficient.
@@ -833,6 +825,14 @@ will be disabled because
 does not know how to handle
 .Xr xauth 1
 cookies.
+.It Cm VerifyReverseMapping
+Specifies whether
+.Nm
+should try to verify the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config
index 2aa2ee5fb04..f68373904c2 100644
--- a/usr.bin/ssh/sshd_config
+++ b/usr.bin/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.45 2002/01/27 14:57:46 stevesk Exp $
+# $OpenBSD: sshd_config,v 1.46 2002/01/29 14:32:03 markus Exp $
 # This is the sshd server system-wide configuration file. See sshd(8)
 # for more information.
@@ -80,7 +80,7 @@
 #MaxStartups 10
 # no default banner path
 #Banner /some/path
-#ReverseMappingCheck no
+#VerifyReverseMapping no
 # override default of no subsystems
 Subsystem sftp /usr/libexec/sftp-server |