As previously threatened, clean up the rshd -a option and make it default
on rshd and rlogind. However, note that: 1: rshd used to drop a connection with -a if the hostname != ip address. This is unneeded, because iruserok() does its own checking. It was also wrong if .rhosts had an explicit IP address in it: connections would be dropped from that host solely because the DNS was mismatched, even though it was explicitly intended to work by IP address. 2: rlogind and rshd check the hostname mappings by default now because that is what goes into the utmp/wtmp and logs. If the hostname != ip address, then it uses the IP address for logging/utmp/wtmp purposes. There isn't much point logging fictitious hostnames. 3: rshd -a is now accepted (but ignored) for compatibility. If you really want to make life miserable for people with bad reverse DNS, use tcpd in paranoid mode (which is questionable anyway, given DNS ttl tweaking).
This commit is contained in:
parent
815dab5ee6
commit
5328c7eb7e
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=41860
@ -42,7 +42,7 @@ static const char copyright[] =
static const char sccsid[] = "@(#)rlogind.c 8.1 (Berkeley) 6/4/93";
#endif
static const char rcsid[] =
"$Id$";
"$Id: rlogind.c,v 1.19 1997/11/25 07:17:15 charnier Exp $";
#endif /* not lint */
/*
@ -122,8 +122,6 @@ void getstr __P((char *, int, char *));
void setup_term __P((int));
int do_krb_login __P((struct sockaddr_in *));
void usage __P((void));
int local_domain __P((char *));
char *topdomain __P((char *));
int
main(argc, argv)
@ -232,9 +230,27 @@ doit(f, fromp)
hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof(struct in_addr),
fromp->sin_family);
if (hp) {
(void)strncpy(hostname, hp->h_name, sizeof(hostname));
strncpy(hostname, hp->h_name, sizeof(hostname) - 1);
hostname[sizeof(hostname) - 1] = '\0';
hp = gethostbyname(hostname);
if (hp == NULL) {
strncpy(hostname, inet_ntoa(fromp->sin_addr),
sizeof(hostname) - 1);
} else for (; ; hp->h_addr_list++) {
if (hp->h_addr_list[0] == NULL) {
/* End of list - ditch it */
strncpy(hostname, inet_ntoa(fromp->sin_addr),
sizeof(hostname) - 1);
break;
}
if (!bcmp(hp->h_addr_list[0],
(caddr_t)&fromp->sin_addr,
sizeof(fromp->sin_addr)))
break; /* OK! */
}
} else {
(void)strncpy(hostname, inet_ntoa(fromp->sin_addr), sizeof(hostname));
strncpy(hostname, inet_ntoa(fromp->sin_addr),
sizeof(hostname) - 1);
}
hostname[sizeof(hostname) - 1] = '\0';
@ -742,45 +758,3 @@ usage()
syslog(LOG_ERR, "usage: rlogind [-Daln]");
#endif
}
/*
* Check whether host h is in our local domain,
* defined as sharing the last two components of the domain part,
* or the entire domain part if the local domain has only one component.
* If either name is unqualified (contains no '.'),
* assume that the host is local, as it will be
* interpreted as such.
*/
int
local_domain(h)
char *h;
{
char localhost[MAXHOSTNAMELEN];
char *p1, *p2;
localhost[0] = 0;
(void) gethostname(localhost, sizeof(localhost));
p1 = topdomain(localhost);
p2 = topdomain(h);
if (p1 == NULL || p2 == NULL || !strcasecmp(p1, p2))
return (1);
return (0);
}
char *
topdomain(h)
char *h;
{
register char *p;
char *maybe = NULL;
int dots = 0;
for (p = h + strlen(h); p >= h; p--) {
if (*p == '.') {
if (++dots == 2)
return (p);
maybe = p;
}
}
return (maybe);
}
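Review bot: In the new verification loop in doit() (hunk -232,9 +230,27), the bcmp() against hp->h_addr_list[0] reads sizeof(fromp->sin_addr) bytes without first confirming that the forward lookup returned the same address family and length, so a hostent with h_addrtype != AF_INET or a shorter h_length would be compared byte-wise against unrelated memory; gethostbyname() of this era presumably only returns AF_INET entries, but the guard is cheap and makes the comparison self-evidently safe. Before the `if (hp == NULL)` that follows the gethostbyname(hostname) call, add `if (hp != NULL && (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(fromp->sin_addr))) hp = NULL;` so a mismatched family falls through to the existing "use the IP address" branch. The same loop is duplicated in rshd.c's doit() (hunk -349,64 +348,38) and needs the same guard. Advancing `hp->h_addr_list++` also mutates the library's static hostent rather than a local cursor; walking a local `char **ap = hp->h_addr_list;` reads more cleanly and leaves the struct intact. doit() begins and ends outside the hunk.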
@ -30,7 +30,7 @@
.\" SUCH DAMAGE.
.\"
.\" @(#)rshd.8 8.1 (Berkeley) 6/4/93
.\" $Id: rshd.8,v 1.12 1998/12/01 23:27:24 dg Exp $
.\" $Id: rshd.8,v 1.13 1998/12/03 05:45:18 bde Exp $
.\"
.Dd June 4, 1993
.Dt RSHD 8
@ -88,17 +88,9 @@ and requests the corresponding host name (see
.Xr hosts 5
and
.Xr named 8 ).
If the hostname cannot be determined,
If the hostname cannot be determined or the hostname and address do
not match after verification,
the dot-notation representation of the host address is used.
If the hostname is in the same domain as the server (according to
the last two components of the domain name),
or if the
.Fl a
option is given,
the addresses for the hostname are requested,
verifying that the name and address correspond.
If address verification fails, the connection is aborted
with the message: ``Host address mismatch.''.
.It
A null terminated user name of at most 16 characters
is retrieved on the initial socket. This user name
@ -42,7 +42,7 @@ static const char copyright[] =
static const char sccsid[] = "@(#)rshd.c 8.2 (Berkeley) 4/6/94";
#endif
static const char rcsid[] =
"$Id: rshd.c,v 1.21 1998/05/05 00:28:51 rnordier Exp $";
"$Id: rshd.c,v 1.22 1998/12/01 23:27:24 dg Exp $";
#endif /* not lint */
/*
@ -80,7 +80,6 @@ static const char rcsid[] =
#endif
int keepalive = 1;
int check_all;
int log_success; /* If TRUE, log all successful accesses */
int sent_null;
int no_delay;
@ -122,7 +121,7 @@ main(argc, argv)
while ((ch = getopt(argc, argv, OPTIONS)) != -1)
switch (ch) {
case 'a':
check_all = 1;
/* ignored for compatability */
break;
case 'l':
__check_rhosts_file = 0;
@ -214,10 +213,9 @@ doit(fromp)
fd_set ready, readfrom;
int cc, nfd, pv[2], pid, s;
int one = 1;
char *hostname, *errorstr, *errorhost;
char *hostname, *errorstr;
char *cp, sig, buf[BUFSIZ];
char cmdbuf[NCARGS+1], locuser[16], remuser[16];
char remotehost[2 * MAXHOSTNAMELEN + 1];
char fromhost[2 * MAXHOSTNAMELEN + 1];
#ifdef LOGIN_CAP
login_cap_t *lc;
@ -296,6 +294,7 @@ doit(fromp)
(void) alarm(60);
port = 0;
s = 0; /* not set or used if port == 0 */
for (;;) {
char c;
if ((cc = read(STDIN_FILENO, &c, 1)) != 1) {
@ -304,7 +303,7 @@ doit(fromp)
shutdown(0, 1+1);
exit(1);
}
if (c== 0)
if (c == 0)
break;
port = port * 10 + c - '0';
}
@ -349,64 +348,38 @@ doit(fromp)
dup2(f, 2);
#endif
errorstr = NULL;
strncpy(fromhost, inet_ntoa(fromp->sin_addr),
sizeof(fromhost) - 1);
hostname = fromhost;
hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr),
fromp->sin_family);
if (hp) {
/*
* If name returned by gethostbyaddr is in our domain,
* attempt to verify that we haven't been fooled by someone
* in a remote net; look up the name and check that this
* address corresponds to the name.
* OK, it looks like a DNS name is attached.. Lets see if
* it looks like we can use it. If it doesn't check out,
* ditch it and use the IP address for logging instead.
* Note that iruserok() does it's own hostname checking!!
*/
strncpy(fromhost, hp->h_name, sizeof(fromhost) - 1);
fromhost[sizeof(fromhost) - 1] = 0;
hostname = fromhost;
#ifdef KERBEROS
if (!use_kerberos)
#endif
if (check_all || local_domain(hp->h_name)) {
strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
remotehost[sizeof(remotehost) - 1] = 0;
errorhost = remotehost;
hp = gethostbyname(remotehost);
if (hp == NULL) {
syslog(LOG_INFO,
"couldn't look up address for %s",
remotehost);
errorstr =
"Couldn't look up address for your host (%s)\n";
hp = gethostbyname(fromhost);
if (hp == NULL) {
strncpy(fromhost, inet_ntoa(fromp->sin_addr),
sizeof(fromhost) - 1);
} else for (; ; hp->h_addr_list++) {
if (hp->h_addr_list[0] == NULL) {
/* End of list - ditch it */
strncpy(fromhost, inet_ntoa(fromp->sin_addr),
sizeof(fromhost) - 1);
fromhost[sizeof(fromhost) - 1] = 0;
hostname = fromhost;
} else for (; ; hp->h_addr_list++) {
if (hp->h_addr_list[0] == NULL) {
syslog(LOG_NOTICE,
"host addr %s not listed for host %s",
inet_ntoa(fromp->sin_addr),
hp->h_name);
errorstr =
"Host address mismatch for %s\n";
strncpy(fromhost, inet_ntoa(fromp->sin_addr),
sizeof(fromhost) - 1);
fromhost[sizeof(fromhost) - 1] = 0;
hostname = fromhost;
break;
}
if (!bcmp(hp->h_addr_list[0],
(caddr_t)&fromp->sin_addr,
sizeof(fromp->sin_addr))) {
hostname = remotehost;
break;
}
break;
}
if (!bcmp(hp->h_addr_list[0],
(caddr_t)&fromp->sin_addr,
sizeof(fromp->sin_addr)))
break; /* OK! */
}
} else {
strncpy(fromhost, inet_ntoa(fromp->sin_addr),
sizeof(fromhost) - 1);
fromhost[sizeof(fromhost) - 1] = 0;
errorhost = hostname = fromhost;
}
fromhost[sizeof(fromhost) - 1] = 0;
#ifdef KERBEROS
if (use_kerberos) {
@ -515,7 +488,7 @@ doit(fromp)
fail:
if (errorstr == NULL)
errorstr = "Login incorrect.\n";
error(errorstr, errorhost);
error(errorstr, hostname);
exit(1);
}
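Review bot: The rewritten lookup in doit() (hunk -349,64 +348,38) drops the LOG_NOTICE `host addr %s not listed for host %s` message together with the connection abort, so a reverse/forward DNS mismatch now leaves no trace in the logs even though the commit's stated rationale is that the logged name should be trustworthy; the failed-forward-lookup case likewise loses its LOG_INFO line. Keeping `syslog(LOG_NOTICE, "host addr %s not listed for host %s", inet_ntoa(fromp->sin_addr), hp->h_name);` in the `/* End of list - ditch it */` branch, and a similar LOG_INFO line when gethostbyname(fromhost) returns NULL, preserves that visibility without changing the new policy of falling back to the IP address. The new comment above the block would also read better as `Note that iruserok() does its own hostname checking!` and `Let's see if it looks like we can use it.`. doit() begins and ends outside the hunk.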