I believe I've discovered a problem with proxycommand and hostbased authentication. userauth_hostbased() calls get_local_name(packet_get_connection_in()) to figure out the name for the client host. get_local_name() calls getsockname(2), but when using a proxycommand, packet_get_connection_in() is returning a pipe, not a socket. -stuart
Created attachment 887: Fallback to gethostname() when lookup on fd fails

Please try this patch - it uses gethostname() when the lookup on the fd fails.
Simon, do you have an opinion on this bug or the proposed fix?
I'm not particularly familiar with the ProxyCommand code, or with SSH1 Hostbased auth. The proposed fix does appear to preserve semantics (if the incoming connection is a socket, it must be from the local machine), but I'm not sure whether it is correct to be permitting hostbased auth in those circumstances.
Sorry, in my sleep-deprived state I thought this was a Kerberos-related bug. Apologies.
This bug is for SSH2 hostbased, and has nothing to do with SSH1 or with Kerberos. I think the suggested patch has a bug: if packet_connection_is_on_socket() is false and

    if (gethostname(myname, sizeof(myname)) == -1) {
        verbose("userauth_hostbased: gethostname: %s", strerror(errno));
    } else
        p = myname;

gets executed, p does not point to malloc-ed memory. The subsequent code still calls xfree(p) in this case. -stuart
Good catch - I inserted a strdup(). Patch has been applied - this will be in 4.7.
Upon further testing, I do not think that the suggested patch fixes the problem. ssh-keysign.c also contains logic that uses get_local_name() to get the FQDN of the host from the socket. I think that needs to be updated as well. It may be better to put the gethostname() fallback logic in get_local_name(), since it is only used in sshconnect2.c and ssh-keysign.c.

Also, I think the gethostname() fallback logic needs to be augmented to make sure that the value returned is converted to a fully qualified host name. On many systems gethostname() returns an unqualified hostname, and RFC 4252 requires that a FQDN be used for hostbased authentication.

My testing has been done on openssh-4.6p1 with the patch applied. I'm having some trouble getting the latest version from CVS to build, so I'm not certain the problems I'm seeing still exist, but the relevant code looks the same.

Even with the above changes there is still something going on that I don't quite understand. It seems to be related to whether or not a "." is appended to the FQDN.

I'm not reopening this bug because I haven't been able to test with the latest CVS build, but I think it should be looked at more carefully to make sure that it really works before the patch is included in openssh-4.7. -stuart
Created attachment 1297: Patch to make hostbased authentication work with proxy command. See bug #616.
Here is a patch for hostbased authentication with proxy command that seems to work. It includes as a subset the patch that Richard Silverman submitted in bug #1200 (sshd does not strip trailing dot from client hostname with HostbasedUsesNameFromPacketOnly). This change seems to be required to get signatures to verify.

It also updates canohost.c:get_local_name() so that it falls back to gethostname(2) if getsockname(2) fails. It removes the gethostname(2) logic that Damien Miller added to sshconnect2.c, since that's no longer necessary. The patch is against the most recent CVS source.

With this patch, I am able to get hostbased authentication working with a proxycommand like

    ssh proxyhost nc -w 5 %h %p

provided the destination server has HostbasedUsesNameFromPacketOnly enabled. Without HostbasedUsesNameFromPacketOnly the server attempts to use the host key for proxyhost instead of the client host because that's where it sees the TCP connection coming from.

I don't claim to be enough of an expert on ssh internals to know whether I might have introduced any security holes or incompatibilities with previous versions. Someone should vet this patch carefully. -stuart
Close resolved bugs after release.