[Bug 1200] sshd does not strip trailing dot from client hostname with HostbasedUsesNameFromPacketOnly

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jun 24 02:46:37 EST 2006


http://bugzilla.mindrot.org/show_bug.cgi?id=1200

           Summary: sshd does not strip trailing dot from client hostname
                    with HostbasedUsesNameFromPacketOnly
           Product: Portable OpenSSH
           Version: 4.3p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: res at qoxp.net


Normally during hostbased authentication, sshd strips any trailing dot
from the hostname supplied by the client in the hostbased
authentication request.  However, when HostbasedUsesNameFromPacketOnly
is set, it does not.  This is bad for two reasons:

1) While one could interpret the option as saying that sshd should use
the name verbatim, I believe this is not a useful interpretation.
Rather, the point of the option is to rely only on the client-supplied
name, rather than checking the DNS and refusing authentication if the
names do not match.  The question of what the name *is*, is a separate
concern.  Since the hostnames in shosts.equiv, all ~/.shosts files, and
the known-hosts file will not have trailing dots, hostbased will fail
until all these files are updated.  Surely this is not the intention.

2) Even after fixing all the names, hostbased authentication still does
not work, because the signed data in the authentication request
includes the hostname: one side uses the dot, the other does not, and
the signature is bad.
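
The following is an added worked example, not OpenSSH code and not part of the bug report, showing why the trailing dot matters at both stages the report describes: the signed buffer of a hostbased request (laid out as in RFC 4252, section 9) includes the client hostname byte for byte, and the ACL files hold the name without the dot. It assumes an HMAC with a constructed secret as a stand-in for the client host key signature, constructed session id and host key blob values, and a canonical form that also lower-cases the name (an assumption beyond the report, which only discusses the trailing dot). The `strip_before_verify` flag models the failure in point 2: rewriting the name before rebuilding the signed data makes the signature check fail even though the ACL now matches.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252, section 5


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def canonical_hostname(name: str) -> str:
    """Canonical form for ACL matching: lower-case (assumption for this
    example) with one trailing dot removed, which is how names appear in
    shosts.equiv, ~/.shosts and known_hosts."""
    name = name.lower()
    return name[:-1] if name.endswith(".") else name


def hostbased_signed_data(session_id, user, service, pubkey_alg, host_key,
                          client_host, client_user):
    """Bytes covered by the client's signature in a hostbased request
    (RFC 4252, section 9). The client hostname is one of the fields, so
    both sides must use byte-identical names or the signature cannot verify."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"hostbased")
            + ssh_string(pubkey_alg.encode())
            + ssh_string(host_key)
            + ssh_string(client_host.encode())
            + ssh_string(client_user.encode()))


# Stand-in for the client host key signature (constructed secret). The real
# protocol uses a public-key signature; only the "identical bytes on both
# sides" property matters for this example.
DEMO_HOST_KEY_SECRET = b"constructed-demo-host-key-secret"
DEMO_SESSION_ID = hashlib.sha256(b"constructed session id").digest()
DEMO_HOST_KEY_BLOB = b"constructed-host-key-blob"


def sign(data: bytes) -> bytes:
    return hmac.new(DEMO_HOST_KEY_SECRET, data, hashlib.sha256).digest()


def verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(data), signature)


def client_request(client_host: str, user="res", client_user="res") -> dict:
    """Client side: sign over the hostname exactly as it will be sent."""
    data = hostbased_signed_data(DEMO_SESSION_ID, user, "ssh-connection",
                                 "ssh-ed25519", DEMO_HOST_KEY_BLOB,
                                 client_host, client_user)
    return {"user": user, "alg": "ssh-ed25519", "host_key": DEMO_HOST_KEY_BLOB,
            "client_host": client_host, "client_user": client_user,
            "sig": sign(data)}


def server_check(packet: dict, shosts_equiv, strip_before_verify=False) -> dict:
    """Server side. The safe order is: verify the signature over the name as
    received, then match the ACL on the canonical form of both sides.
    strip_before_verify=True models the failure mode from the report: the
    name is rewritten before the signed buffer is rebuilt, so the bytes no
    longer match what the client signed."""
    name_for_verify = packet["client_host"]
    if strip_before_verify:
        name_for_verify = canonical_hostname(name_for_verify)
    data = hostbased_signed_data(DEMO_SESSION_ID, packet["user"], "ssh-connection",
                                 packet["alg"], packet["host_key"],
                                 name_for_verify, packet["client_user"])
    signature_ok = verify(data, packet["sig"])
    allowed = {canonical_hostname(h) for h in shosts_equiv}
    acl_ok = canonical_hostname(packet["client_host"]) in allowed
    return {"signature": signature_ok, "acl": acl_ok,
            "accept": signature_ok and acl_ok}


if __name__ == "__main__":
    acl = {"client.example.net"}                # constructed shosts.equiv entry, no dot
    req = client_request("client.example.net.")  # client sends the name with a dot
    print(server_check(req, acl))
    print(server_check(req, acl, strip_before_verify=True))
```

Run as a script, the first line shows the request accepted (signature and ACL both pass because the ACL compares canonical forms while the signature is checked over the name as sent); the second shows the signature failing once the server strips the dot before rebuilding the signed data.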
