Bugzilla – Attachment 1297 Details for
Bug 616
proxycommand breaks hostbased authentication.
[patch]
Patch to make hostbased authentication work with proxy command.
openssh-proxy-hostbased.patch (text/plain), 3.96 KB, created by
stuart
on 2007-05-26 04:30:03 AEST
Description:
Patch to make hostbased authentication work with proxy command.
Filename:
MIME Type:
Creator:
stuart
Created:
2007-05-26 04:30:03 AEST
Size:
3.96 KB
patch
obsolete
>Index: auth2-hostbased.c
>===================================================================
>RCS file: /cvs/openssh/auth2-hostbased.c,v
>retrieving revision 1.11
>diff -u -r1.11 auth2-hostbased.c
>--- auth2-hostbased.c 5 Aug 2006 02:39:39 -0000 1.11
>+++ auth2-hostbased.c 25 May 2007 16:16:25 -0000
>@@ -151,15 +151,15 @@
> debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
> chost, resolvedname, ipaddr);
>
>+ if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
>+ debug2("stripping trailing dot from chost %s", chost);
>+ chost[len - 1] = '\0';
>+ }
> if (options.hostbased_uses_name_from_packet_only) {
> if (auth_rhosts2(pw, cuser, chost, chost) == 0)
> return 0;
> lookup = chost;
> } else {
>- if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
>- debug2("stripping trailing dot from chost %s", chost);
>- chost[len - 1] = '\0';
>- }
> if (strcasecmp(resolvedname, chost) != 0)
> logit("userauth_hostbased mismatch: "
> "client sends %s, but we resolve %s to %s",
>Index: canohost.c
>===================================================================
>RCS file: /cvs/openssh/canohost.c,v
>retrieving revision 1.71
>diff -u -r1.71 canohost.c
>--- canohost.c 22 Sep 2006 09:22:18 -0000 1.71
>+++ canohost.c 25 May 2007 16:16:28 -0000
>@@ -27,6 +27,7 @@
> #include <stdlib.h>
> #include <string.h>
> #include <stdarg.h>
>+#include <unistd.h>
>
> #include "xmalloc.h"
> #include "packet.h"
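Review bot: Moving the trailing-dot strip above the `if` means that, with `options.hostbased_uses_name_from_packet_only` set, `auth_rhosts2()` and whatever later consumes `lookup` now receive the normalised client-supplied `chost` instead of the raw packet value, and nothing in the new code says so. That changes the name the server matches in its authorisation path for that mode, so the new block deserves a comment such as `/* chost comes from the client; drop a trailing dot before any rhosts or key lookup so both modes compare the same name */`. The `debug2()` call still prints the client-controlled string, as the old code did. The enclosing function starts and ends outside the hunk.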
>@@ -300,7 +301,42 @@
> char *
> get_local_name(int sock)
> {
>- return get_socket_address(sock, 0, NI_NAMEREQD);
>+ char *p, host[NI_MAXHOST], ntop[NI_MAXHOST];
>+ struct addrinfo *ai;
>+ int r;
>+
>+ p = get_socket_address(sock, 0, NI_NAMEREQD);
>+ if (p == NULL) {
>+ if (gethostname(host, sizeof(host)) == -1) {
>+ error("get_local_name: gethostname failed: %s",
>+ strerror(errno));
>+ return NULL;
>+ }
>+
>+ if ((r = getaddrinfo(host, NULL, NULL, &ai)) != 0) {
>+ error("get_local_name: getaddrinfo %s failed: %s", host,
>+ r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
>+ return NULL;
>+ }
>+
>+ /* Work around Linux IPv6 weirdness */
>+ if (ai->ai_addr->sa_family == AF_INET6)
>+ ai->ai_addrlen = sizeof(struct sockaddr_in6);
>+
>+ ipv64_normalise_mapped(ai->ai_addr, ai->ai_addrlen);
>+
>+ /* Get the address in ascii. */
>+ if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
>+ sizeof(ntop), NULL, 0, NI_NAMEREQD)) != 0) {
>+ error("get_local_name: getnameinfo %d failed: %s", NI_NAMEREQD,
>+ r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
>+ freeaddrinfo(ai);
>+ return NULL;
>+ }
>+ freeaddrinfo(ai);
>+ return xstrdup(ntop);
>+ }
>+ return p;
> }
>
> /*
>Index: sshconnect2.c
>===================================================================
>RCS file: /cvs/openssh/sshconnect2.c,v
>retrieving revision 1.155
>diff -u -r1.155 sshconnect2.c
>--- sshconnect2.c 20 May 2007 05:11:33 -0000 1.155
>+++ sshconnect2.c 25 May 2007 16:16:30 -0000
>@@ -1,4 +1,4 @@
>-/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */
>+/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
> /*
> * Copyright (c) 2000 Markus Friedl. All rights reserved.
> *
>@@ -31,7 +31,6 @@
> #include <sys/stat.h>
>
> #include <errno.h>
>-#include <netdb.h>
> #include <pwd.h>
> #include <signal.h>
> #include <stdarg.h>
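Review bot: The new fallback in `get_local_name()` returns NULL when `getaddrinfo()` or `getnameinfo()` fails, whereas the code this patch removes from sshconnect2.c fell back to the bare `gethostname()` result, so a client whose hostname has no forward or reverse record would lose hostbased authentication it previously had. Replacing the `return NULL;` after each of those two calls with `return xstrdup(host);` (keeping the `freeaddrinfo(ai)` before the second) preserves the old behaviour. Only the first entry of the `ai` list is reverse-resolved, so on a host whose name maps to a loopback address the name sent as chost may be the loopback name; that is inferred, not visible in the patch. The comment `/* Get the address in ascii. */` should read `/* Reverse-resolve the address to a name. */`, since the call passes `NI_NAMEREQD`.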
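Review bot: The first sshconnect2.c hunk rewinds the `$OpenBSD$` ident from 1.164 to 1.162, which looks like the patch was generated against a stale checkout rather than an intended change. Drop that hunk so the line stays `/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */`, and check that no other upstream change between those revisions is being reverted by the remaining hunks.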
>@@ -1308,7 +1307,7 @@
> Sensitive *sensitive = authctxt->sensitive;
> Buffer b;
> u_char *signature, *blob;
>- char *chost, *pkalg, *p, myname[NI_MAXHOST];
>+ char *chost, *pkalg, *p;
> const char *service;
> u_int blen, slen;
> int ok, i, len, found = 0;
>@@ -1332,16 +1331,7 @@
> return 0;
> }
> /* figure out a name for the client host */
>- p = NULL;
>- if (packet_connection_is_on_socket())
>- p = get_local_name(packet_get_connection_in());
>- if (p == NULL) {
>- if (gethostname(myname, sizeof(myname)) == -1) {
>- verbose("userauth_hostbased: gethostname: %s",
>- strerror(errno));
>- } else
>- p = xstrdup(myname);
>- }
>+ p = get_local_name(packet_get_connection_in());
> if (p == NULL) {
> error("userauth_hostbased: cannot get local ipaddr/name");
> key_free(private);
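Review bot: `get_local_name(packet_get_connection_in())` is now called even when the connection is not a socket, because the `packet_connection_is_on_socket()` guard is removed; the change relies on `get_socket_address()` returning NULL quietly for a ProxyCommand descriptor, which is not visible in this patch. Say so at the call site, for example `/* under ProxyCommand the fd is not a socket; get_local_name() then falls back to the resolved local hostname */`. The result is the client host name used for the hostbased request, so the `cannot get local ipaddr/name` error is now also reached when name resolution fails, not only when `gethostname()` does. The enclosing function starts and ends outside the hunk.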
Attachments on
bug 616
:
887
| 1297