[Bug 1200] sshd does not strip trailing dot from client hostname with HostbasedUsesNameFromPacketOnly
bugzilla-daemon at mindrot.org
Sat Jun 24 02:46:37 EST 2006
http://bugzilla.mindrot.org/show_bug.cgi?id=1200
Summary: sshd does not strip trailing dot from client hostname with HostbasedUsesNameFromPacketOnly
Product: Portable OpenSSH
Version: 4.3p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: res at qoxp.net
Normally during hostbased authentication, sshd strips any trailing dot
from the hostname supplied by the client in the hostbased
authentication request. However, when HostbasedUsesNameFromPacketOnly
is set, it does not. This is bad for two reasons:
1) While one could interpret the option as saying that sshd should use
the name verbatim, I believe this is not a useful interpretation.
Rather, the point of the option is to rely only on the client-supplied
name, rather than checking the DNS and refusing authentication if the
names do not match. The question of what the name *is*, is a separate
concern. Since the hostnames in shosts.equiv, all ~/.shosts files, and
the known-hosts file will not have trailing dots, hostbased will fail
until all these files are updated. Surely this is not the intention.
2) Even after fixing all the names, hostbased authentication still does
not work, because the signed data in the authentication request
includes the hostname: one side uses the dot, the other does not, and
the signature is bad.
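The two failure modes the reporter lists, as an added example that is not part of this bug report and not OpenSSH's own code. The signed-data layout follows RFC 4252 section 9 (session id, SSH_MSG_USERAUTH_REQUEST, user, service, "hostbased", key algorithm, key blob, client host name, client user name); everything else is an assumption made for the example: the helper names ssh_string, hostbased_signed_data, normalize_client_hostname, client_request and server_check, the constructed session id, key blob and demo key, and an HMAC standing in for the client host-key signature. The server's two policy knobs model the reporter's two points: whether the trailing dot is stripped before the shosts.equiv / ~/.shosts / known_hosts lookup, and whether it is stripped before the signed blob is rebuilt for verification.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 section 5


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def hostbased_signed_data(session_id: bytes, user: str, service: str,
                          pkalg: str, pkblob: bytes, chost: str, cuser: str) -> bytes:
    """Rebuild the bytes a client signs for 'hostbased' userauth
    (RFC 4252 section 9). The client host name is inside this blob, so the
    server must verify over exactly the name the client signed."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"hostbased")
            + ssh_string(pkalg.encode())
            + ssh_string(pkblob)
            + ssh_string(chost.encode())
            + ssh_string(cuser.encode()))


def normalize_client_hostname(chost: str) -> str:
    """Canonical form for the shosts.equiv / ~/.shosts / known_hosts lookup:
    drop one trailing dot (the 'fully qualified' marker) and lowercase.
    Hypothetical helper written for this example, not OpenSSH code."""
    if chost.endswith("."):
        chost = chost[:-1]
    return chost.lower()


# Stand-in for the client host-key signature: an HMAC under a constructed key.
# A real server verifies a public-key signature here; the mismatch behaviour
# is the same because both are computed over the same blob.
DEMO_HOST_KEY = b"constructed-demo-host-key"
DEMO_SESSION_ID = bytes(range(32))                 # constructed session identifier
DEMO_PKBLOB = b"constructed-host-public-key-blob"  # constructed key blob


def host_sign(data: bytes) -> bytes:
    return hmac.new(DEMO_HOST_KEY, data, hashlib.sha256).digest()


def client_request(chost: str, user: str = "alice") -> dict:
    """What a hostbased client sends: its host name spelled as it chose,
    plus a signature over the RFC 4252 blob containing that exact spelling."""
    data = hostbased_signed_data(DEMO_SESSION_ID, user, "ssh-connection",
                                 "ssh-rsa", DEMO_PKBLOB, chost, user)
    return {"user": user, "chost": chost, "cuser": user, "sig": host_sign(data)}


def server_check(req: dict, allowed_hosts: set,
                 normalize_lookup: bool, normalize_before_verify: bool) -> tuple:
    """Return (signature_ok, host_allowed).
    normalize_lookup: strip the dot before matching the equiv/known-hosts entries.
    normalize_before_verify: strip it before rebuilding the signed blob, which
    breaks verification because the client signed the dotted spelling."""
    verify_name = req["chost"]
    if normalize_before_verify:
        verify_name = normalize_client_hostname(verify_name)
    data = hostbased_signed_data(DEMO_SESSION_ID, req["user"], "ssh-connection",
                                 "ssh-rsa", DEMO_PKBLOB, verify_name, req["cuser"])
    signature_ok = hmac.compare_digest(host_sign(data), req["sig"])

    lookup_name = req["chost"]
    if normalize_lookup:
        lookup_name = normalize_client_hostname(lookup_name)
    host_allowed = lookup_name in allowed_hosts
    return signature_ok, host_allowed


if __name__ == "__main__":
    req = client_request("client.example.com.")      # client sends a trailing dot
    allowed = {"client.example.com"}                 # the files carry no dot
    print(server_check(req, allowed, True, False))   # (True, True): strip for lookup only
    print(server_check(req, allowed, False, False))  # (True, False): reporter's point 1
    print(server_check(req, allowed, True, True))    # (False, True): reporter's point 2
```

The only combination that authenticates is stripping the dot for the file lookup while verifying the signature over the name exactly as the client sent it; either skipping the strip for the lookup or applying it before verification fails one of the two checks.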
More information about the openssh-bugs mailing list