From cschuber@uumail.gov.bc.ca  Tue Nov 10 17:29:38 1998
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA18166
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 10 Nov 1998 17:29:37 -0800 (PST)
          (envelope-from cschuber@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.9.1/8.8.8) id RAA13977
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 10 Nov 1998 17:29:16 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda13975; Tue Nov 10 17:29:11 1998
Received: (from cschuber@localhost)
	by passer.osg.gov.bc.ca (8.9.1/8.9.1) id RAA20476;
	Tue, 10 Nov 1998 17:29:10 -0800 (PST)
Message-Id: <199811110129.RAA20476@passer.osg.gov.bc.ca>
Date: Tue, 10 Nov 1998 17:29:10 -0800 (PST)
From: Cy Schubert <cschuber@uumail.gov.bc.ca>
Reply-To: cschuber@uumail.gov.bc.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: Implement rlogind -a option
X-Send-Pr-Version: 3.2

>Number:         8646
>Category:       bin
>Synopsis:       Implement rlogind -a option
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 10 17:30:01 PST 1998
>Closed-Date:    Wed Oct 05 05:29:10 GMT 2005
>Last-Modified:  Wed Oct 05 05:29:10 GMT 2005
>Originator:     Cy Schubert
>Release:        FreeBSD 2.2.7-RELEASE i386
>Organization:
ITSD, Province of British Columbia
>Environment:

	FreeBSD passer.osg.gov.bc.ca 2.2.7-RELEASE FreeBSD 2.2.7-RELEASE #0: Sat Oct 31 09:54:11 PST 1998     root@passer.osg.gov.bc.ca:/opt/usr_src-227/src/sys/compile/PASSER  i386

>Description:

	Implement rshd's -a option in rlogind.  Hopefully this will
	provide a little better security.

>How-To-Repeat:

	N/A

>Fix:
	

--- /usr/src/libexec/rlogind/rlogind.c	Sun Jul 19 03:57:45 1998
+++ /tmp/libexec/rlogind/rlogind.c	Tue Nov 10 17:26:38 1998
@@ -215,6 +215,8 @@
 	int authenticated = 0;
 	register struct hostent *hp;
 	char hostname[2 * MAXHOSTNAMELEN + 1];
+	char remotehost[2 * MAXHOSTNAMELEN + 1];
+	char *errorstr = NULL;
 	char c;
 
 	alarm(60);
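Review bot: errorstr is initialised to NULL in the declaration added here
and is assigned NULL again by the first added line of the next hunk, so one
of the two is redundant; keep the initialiser and drop the later
assignment. It only ever points at string literals, so "const char *" would
be the better type if fatal()'s prototype permits it. remotehost exists
only to hold hp->h_name across the second resolver call, which deserves a
one-line comment at the declaration.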
@@ -229,14 +231,58 @@
 
 	alarm(0);
 	fromp->sin_port = ntohs((u_short)fromp->sin_port);
+	errorstr = NULL;
 	hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof(struct in_addr),
 	    fromp->sin_family);
 	if (hp) {
 		(void)strncpy(hostname, hp->h_name, sizeof(hostname));
+		(void)strncpy(hostname, hp->h_name, sizeof(hostname) - 1);
+		hostname[sizeof(hostname) - 1] = 0;
+#ifdef	KERBEROS
+		if (!use_kerberos)
+#endif
+		if (check_all || local_domain(hp->h_name)) {
+			strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
+			remotehost[sizeof(remotehost) - 1] = 0;
+			hp = gethostbyname(remotehost);
+			if (hp == NULL) {
+				syslog(LOG_INFO,
+				    "couldn't look up address for %s",
+				    remotehost);
+				errorstr =
+				"Couldn't look up address for your host (%s)\n";
+				strncpy(hostname, inet_ntoa(fromp->sin_addr),
+					sizeof(hostname) - 1);
+				hostname[sizeof(hostname) - 1] = 0;
+			} else for (; ; hp->h_addr_list++) {
+				if (hp->h_addr_list[0] == NULL) {
+					syslog(LOG_NOTICE,
+					  "host addr %s not listed for host %s",
+					    inet_ntoa(fromp->sin_addr),
+					    hp->h_name);
+					errorstr =
+					    "Host address mismatch for %s\n";
+					strncpy(hostname, inet_ntoa(fromp->sin_addr),
+						sizeof(hostname) - 1);
+					hostname[sizeof(hostname) - 1] = 0;
+					break;
+				}
+				if (!bcmp(hp->h_addr_list[0],
+				    (caddr_t)&fromp->sin_addr,
+				    sizeof(fromp->sin_addr))) {
+					(void)strncpy(hostname, remotehost, sizeof(hostname) - 1);
+					hostname[sizeof(hostname) - 1] = 0;
+					break;
+				}
+			}
+			if (errorstr)
+				fatal(f,errorstr,0);
+		}
 	} else {
-		(void)strncpy(hostname, inet_ntoa(fromp->sin_addr), sizeof(hostname));
+		(void)strncpy(hostname, inet_ntoa(fromp->sin_addr),
+			sizeof(hostname) - 1);
+		hostname[sizeof(hostname) - 1] = 0;
 	}
-	hostname[sizeof(hostname) - 1] = '\0';
 
 #ifdef	KERBEROS
 	if (use_kerberos) {
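Review bot: In the "if (errorstr)" block at the end of the added code,
fatal(f,errorstr,0) is handed messages that contain "%s" but no hostname
argument, so unless fatal() supplies a name itself the client sees a
literal "%s"; format the message into a buffer first or drop the "%s".
Other points in this hunk: the original "strncpy(hostname, hp->h_name,
sizeof(hostname))" is kept as a context line and the bounded copy is added
directly after it, so the copy runs twice and the old line should be
removed. Both failure branches copy inet_ntoa(fromp->sin_addr) into
hostname and then call fatal(), so that fallback is never used. The loop
"for (; ; hp->h_addr_list++)" advances the pointer inside the resolver's
hostent; an index variable would leave that structure untouched. check_all
and local_domain() are used but not declared anywhere in this patch, and
there is no option parsing or manual page change for -a.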
>Release-Note:
>Audit-Trail:

From: Peter Wemm <peter@netplex.com.au>
To: cschuber@uumail.gov.bc.ca
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8646: Implement rlogind -a option 
Date: Wed, 11 Nov 1998 13:04:01 +0800

 Cy Schubert wrote:
 
 > >Synopsis:       Implement rlogind -a option
 
 > >Description:
 > 
 > 	Implement rshd's -a option in rlogind.  Hopefully this will
 > 	provide a little better security.
 
 I'm not sure that this is the right thing..  What is it to protect? 
 Hostname spoofing for .rhosts?  If so, that is already taken care of 
 within the ruserok() and iruserok() code in libc which deals with .rhosts.
 
 All that I can see that it does is verify the hostname for utmp purposes.. 
 What it should do in this case is log the IP address instead of the 
 hostname if there is a mismatch, and let ruserok() decide what to do.  
 
 There is no need to refuse a connection from an incorrectly configured 
 client if that client has its IP address (not hostname) explicitly listed 
 in the .rhosts file.
 
 Refusing service solely because of DNS problems is bad.  Refusing to 
 *trust* DNS if there is a problem is much better.  The logging should 
 switch to IP addresses if there is any doubt about the DNS integrity.
 
 Cheers,
 -Peter
 
 
 

From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Peter Wemm <peter@netplex.com.au>
Cc: cschuber@uumail.gov.bc.ca, FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8646: Implement rlogind -a option 
Date: Wed, 11 Nov 1998 06:24:11 -0800

 In message <199811110504.NAA08334@spinner.netplex.com.au>, Peter Wemm 
 writes:
 > Cy Schubert wrote:
 > 
 > > >Synopsis:       Implement rlogind -a option
 > 
 > > >Description:
 > > 
 > > 	Implement rshd's -a option in rlogind.  Hopefully this will
 > > 	provide a little better security.
 > 
 > I'm not sure that this is the right thing..  What is it to protect? 
 > Hostname spoofing for .rhosts?  If so, that is already taken care of 
 > within the ruserok() and iruserok() code in libc which deals with .rhosts.
 > 
 > All that I can see that it does is verify the hostname for utmp purposes.. 
 > What it should do in this case is log the IP address instead of the 
 > hostname if there is a mismatch, and let ruserok() decide what to do.  
 > 
 > There is no need to refuse a connection from an incorrectly configured 
 > client if that client has its IP address (not hostname) explicitly listed 
 > in the .rhosts file.
 > 
 > Refusing service solely because of DNS problems is bad.  Refusing to 
 > *trust* DNS if there is a problem is much better.  The logging should 
 > switch to IP addresses if there is any doubt about the DNS integrity.
 > 
 > Cheers,
 > -Peter
 > 
 > 
 > 
 > 
 
 I looked through the ruserok() and iruserok() code.  You are indeed 
 correct.  I stand corrected.  I suppose that the -a option in rshd 
 should also be deprecated.  Wietse Venema's comments about BSD-style 
 "paranoid" checks in BUGTRAQ are false.
 
 
 Regards,                       Phone:  (250)387-8437
 Cy Schubert                      Fax:  (250)387-5766
 Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
 ITSD                                   Cy.Schubert@gems8.gov.bc.ca
 Government of BC            
 
 
 

From: Peter Wemm <peter@netplex.com.au>
To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8646: Implement rlogind -a option 
Date: Wed, 11 Nov 1998 22:36:47 +0800

 Cy Schubert - ITSD Open Systems Group wrote:
 > In message <199811110504.NAA08334@spinner.netplex.com.au>, Peter Wemm 
 > writes:
 > > Cy Schubert wrote:
 > > 
 > > > >Synopsis:       Implement rlogind -a option
 > > 
 > > > >Description:
 > > > 
 > > > 	Implement rshd's -a option in rlogind.  Hopefully this will
 > > > 	provide a little better security.
 > > 
 > > I'm not sure that this is the right thing..  What is it to protect? 
 > > Hostname spoofing for .rhosts?  If so, that is already taken care of 
 > > within the ruserok() and iruserok() code in libc which deals with .rhosts.
 > > 
 > > All that I can see that it does is verify the hostname for utmp purposes.. 
 > > What it should do in this case is log the IP address instead of the 
 > > hostname if there is a mismatch, and let ruserok() decide what to do.  
 > > 
 > > There is no need to refuse a connection from an incorrectly configured 
 > > client if that client has its IP address (not hostname) explicitly listed 
 > > in the .rhosts file.
 > > 
 > > Refusing service solely because of DNS problems is bad.  Refusing to 
 > > *trust* DNS if there is a problem is much better.  The logging should 
 > > switch to IP addresses if there is any doubt about the DNS integrity.
 >
 > I looked through the ruserok() and iruserok() code.  You are indeed 
 > correct.  I stand corrected.  I suppose that the -a option in rshd 
 > should also be deprecated.  Wietse Venema's comments about BSD-style 
 > "paranoid" checks in BUGTRAQ are false.
 
 Wietse's comments could well be correct for older BSD code, I don't have 
 it to check, but I was pretty sure I'd seen it somewhere in there.
 
 The -a checks do have some purpose, but are not implemented the way I'd 
 like.  They are used for logging the hostname in log files and the utmp/
 wtmp.
 
 What I would prefer:
  - the checks are on permanently
  - a mismatch is not a fatal error, but instead of using the hostname, we 
 use the IP address in ASCII form in the logs and utmp/wtmp.
 
 ie: if we get a connection from 1.2.3.4 and "1.2.3.4 -> foo.bar.org", but
 "foo.bar.org -> 2.3.4.5", then rather than dropping the connection, we 
 just use "1.2.3.4" in the logs and the utmp files.  And this should be on 
 always. :-)  After all, there is little point in refusing a connection if 
 the user's .rhosts has explicitly got:  "1.2.3.4 otheruser" in it.
 
 Cheers,
 -Peter
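
Added example, not part of the original thread and not FreeBSD's rlogind
code: a sketch of the behaviour described in the message above, where the
reverse name is kept only if its forward lookup contains the peer address
and the name used for logs and utmp/wtmp otherwise falls back to the
dotted-quad IP, without refusing the connection. The function names
choose_log_name and peer_log_name and the 16-address limit are assumptions.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAXFWD 16	/* assumed cap on forward addresses examined */

/* Decision step: keep ptr_name only if one of its forward addresses is the
 * peer's address, otherwise write the dotted-quad IP.  Never refuses.
 * Returns 1 if the name was confirmed, 0 if the IP text was used. */
int choose_log_name(struct in_addr peer, const char *ptr_name,
    const struct in_addr *fwd, size_t nfwd, char *out, size_t outlen)
{
	size_t i;

	for (i = 0; ptr_name != NULL && i < nfwd; i++)
		if (fwd[i].s_addr == peer.s_addr) {
			snprintf(out, outlen, "%s", ptr_name);
			return 1;
		}
	snprintf(out, outlen, "%s", inet_ntoa(peer));
	return 0;
}

/* Resolver step, using the same calls as the patch: PTR lookup, then
 * forward lookup of the returned name. */
int peer_log_name(const struct sockaddr_in *from, char *out, size_t outlen)
{
	char name[256];
	struct in_addr fwd[MAXFWD];
	struct hostent *hp;
	size_t n = 0;
	int i;

	hp = gethostbyaddr((const void *)&from->sin_addr,
	    sizeof(from->sin_addr), AF_INET);
	if (hp == NULL)
		return choose_log_name(from->sin_addr, NULL, NULL, 0, out, outlen);
	/* hp points at static storage that gethostbyname() overwrites */
	snprintf(name, sizeof(name), "%s", hp->h_name);
	hp = gethostbyname(name);
	if (hp != NULL && hp->h_addrtype == AF_INET)
		for (i = 0; hp->h_addr_list[i] != NULL && n < MAXFWD; i++)
			memcpy(&fwd[n++], hp->h_addr_list[i], sizeof(fwd[0]));
	return choose_log_name(from->sin_addr, name, fwd, n, out, outlen);
}
```

The return value lets the caller log the mismatch while still passing the
connection on to the .rhosts check.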
 
 
Responsible-Changed-From-To: freebsd-bugs->peter 
Responsible-Changed-By: ru 
Responsible-Changed-When: Wed Oct 11 08:25:11 PDT 2000 
Responsible-Changed-Why:  
It's up to Peter to close this PR (he's the author of rlogind/rlogind.c,v 1.20). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=8646 
Responsible-Changed-From-To: peter->freebsd-bugs 
Responsible-Changed-By: peter 
Responsible-Changed-When: Mon Mar 29 11:16:06 PST 2004 
Responsible-Changed-Why:  
Return neglected PR to the pool 

State-Changed-From-To: open->feedback 
State-Changed-By: matteo 
State-Changed-When: Fri Aug 26 11:36:08 GMT 2005 
State-Changed-Why:  
Is this still a feature request in these SSH days? 

State-Changed-From-To: feedback->closed 
State-Changed-By: rodrigc 
State-Changed-When: Wed Oct 5 05:24:58 GMT 2005 
State-Changed-Why:  
rlogind now implements the -a flag. 

>Unformatted:
