[Bug 616] proxycommand breaks hostbased authentication.

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu May 24 04:51:02 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=616


stuart at kaloram.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|simon at sxw.org.uk            |




--- Comment #7 from stuart at kaloram.com  2007-05-24 04:51:00 ---
Upon further testing, I do not think that the suggested patch fixes the problem.

ssh-keysign.c also contains logic that uses get_local_name() to get the FQDN of the host from the socket. I think that needs to be updated as well. It may be better to put the gethostname() fallback logic in get_local_name(), since it is only used in sshconnect2.c and ssh-keysign.c.

Also, I think the gethostname() fallback logic needs to be augmented to make sure that the value returned is converted to a fully qualified host name. On many systems gethostname() returns an unqualified hostname, and RFC 4252 requires that a FQDN be used for hostbased authentication.

My testing has been done on openssh-4.6p1 with the patch applied. I'm having some trouble getting the latest version from CVS to build, so I'm not certain the problems I'm seeing still exist, but the relevant code looks the same.

Even with the above changes there is still something going on that I don't quite understand. It seems to be related to whether or not a "." is appended to the FQDN.

I'm not reopening this bug because I haven't been able to test with the latest CVS build, but I think it should be looked at more carefully to make sure that it really works before the patch is included in openssh-4.7.

-stuart
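As an added illustration of the qualification step discussed in the comment above (not code from OpenSSH or from this thread), here is a gethostname() fallback that strips a trailing root "." and resolves an unqualified name through getaddrinfo(AI_CANONNAME); the function names are assumptions of this example, not OpenSSH's.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Drop one trailing "." (the DNS root label) so "a.example.com." and "a.example.com" compare equal. */
static void strip_trailing_dot(char *name) {
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '.')
        name[n - 1] = '\0';
}

/* Treat a name as fully qualified when it has an interior dot ("host" and ".host" are not). */
static int is_qualified(const char *name) {
    const char *dot = strchr(name, '.');
    return dot != NULL && dot != name && dot[1] != '\0';
}

/* Copy 'host' into 'out' as an FQDN without a trailing dot. Unqualified names are resolved
 * through getaddrinfo(AI_CANONNAME); returns -1 if the result is still unqualified. */
static int qualify_hostname(const char *host, char *out, size_t outlen) {
    snprintf(out, outlen, "%s", host);
    strip_trailing_dot(out);
    if (is_qualified(out))
        return 0;                       /* already an FQDN: no resolver round trip */
    struct addrinfo hints = {0}, *res = NULL;
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_CANONNAME;      /* ask the resolver for the canonical name */
    if (getaddrinfo(out, NULL, &hints, &res) == 0 && res && res->ai_canonname) {
        snprintf(out, outlen, "%s", res->ai_canonname);
        strip_trailing_dot(out);        /* canonical names may carry the root dot too */
    }
    if (res)
        freeaddrinfo(res);
    return is_qualified(out) ? 0 : -1;  /* RFC 4252 hostbased auth needs an FQDN */
}

/* gethostname() fallback: the kernel's idea of the host name, qualified if possible. */
static int local_fqdn(char *out, size_t outlen) {
    char host[256];
    if (gethostname(host, sizeof(host)) != 0)
        return -1;
    host[sizeof(host) - 1] = '\0';      /* gethostname() need not NUL-terminate on truncation */
    return qualify_hostname(host, out, outlen);
}
```

Because both sides go through the same normalisation, the client's name and the server's expectation can then be compared with a plain strcasecmp() regardless of whether either carried a trailing ".".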

