[Bug 616] proxycommand breaks hostbased authentication.

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat May 26 04:31:50 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=616

--- Comment #9 from stuart at kaloram.com  2007-05-26 04:31:49 ---
Here is a patch for hostbased authentication with proxy command
that seems to work.  It includes as a subset the patch that Richard
Silverman submitted in bug #1200 (sshd does not strip trailing dot
from client hostname with HostbasedUsesNameFromPacketOnly).
This change seems to be required to get signatures to verify.

It also updates canohost.c:get_local_name() so that it falls back
to gethostname(2) if getsockname(2) fails.

It removes the gethostname(2) logic that Damien Miller added to
sshconnect2.c, since that's no longer necessary.

The patch is against the most recent CVS source.

With this patch, I am able to get hostbased authentication working
with a proxycommand like

    ssh proxyhost nc -w 5 %h %p

provided the destination server has HostbasedUsesNameFromPacketOnly
enabled.  Without HostbasedUsesNameFromPacketOnly the server
attempts to use the host key for proxyhost instead of the client host
because that's where it sees the TCP connection coming from.

I don't claim to be enough of an expert on ssh internals to know
whether I might have introduced any security holes or incompatibilities
with previous versions.  Someone should vet this patch carefully.

-stuart
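The setup the comment describes, written out as an added configuration example that is not part of the bug report or of OpenSSH itself; the hostnames clienthost.example.com, proxyhost and server and the key are constructed placeholders. The server-side setting makes sshd trust the hostname carried in the hostbased request for the shosts.equiv match, so the ssh_known_hosts entry for that name is what actually binds the authentication to the client's host key.

```conf
# --- client side: /etc/ssh/ssh_config on clienthost.example.com (constructed example) ---
# ssh-keysign must be enabled system-wide so ssh can sign with the host key
EnableSSHKeysign yes

Host server
    HostbasedAuthentication yes
    # reach the destination through proxyhost; the TCP connection sshd
    # sees on "server" therefore originates from proxyhost, not from us
    ProxyCommand ssh proxyhost nc -w 5 %h %p

# --- server side: /etc/ssh/sshd_config on server (constructed example) ---
HostbasedAuthentication yes
# use the hostname the client puts in the hostbased request instead of
# reverse-resolving the peer address (which would yield proxyhost)
HostbasedUsesNameFromPacketOnly yes
# ignore per-user ~/.rhosts and ~/.shosts; only /etc/ssh/shosts.equiv counts
IgnoreRhosts yes

# --- server side: /etc/ssh/shosts.equiv (constructed example) ---
# only this client host may authenticate by host key
clienthost.example.com

# --- server side: /etc/ssh/ssh_known_hosts (constructed example) ---
# the signature in the hostbased request is verified against the key
# recorded for the claimed name; keep this entry pinned and root-owned
clienthost.example.com ssh-rsa AAAA...placeholder-public-key...
```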


More information about the openssh-bugs mailing list