Whoops, my patch had a subtle breakage that I've just fixed (namely, since get_canonical_hostname returned a global, calling it again with use_dns = 0 would trash the existing one). I've fixed that by strdup'ing it. New patch attached, and also at the URL.
Cheers, Daniel
diff -Nru /tmp/72n5cWdfyB/openssh-3.9p1/auth-options.c /tmp/5oJZ7L54Ml/openssh-3.9p1/auth-options.c
--- /tmp/72n5cWdfyB/openssh-3.9p1/auth-options.c 2003-06-03 10:25:48.000000000 +1000
+++ /tmp/5oJZ7L54Ml/openssh-3.9p1/auth-options.c 2006-02-15 04:35:43.573851374 +1100
@@ -172,8 +172,8 @@
 cp = "from=\"";
 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 const char *remote_ip = get_remote_ipaddr();
- const char *remote_host = get_canonical_hostname(
- options.use_dns);
+ const char *remote_host = xstrdup(get_canonical_hostname(
+ options.use_dns));
 char *patterns = xmalloc(strlen(opts) + 1);
 opts += strlen(cp);
@@ -200,6 +200,7 @@
 opts++;
 if (match_host_and_ip(remote_host, remote_ip, patterns) != 1) {
+ xfree(remote_host);
 xfree(patterns);
 logit("Authentication tried for %.100s with "
 "correct key but not from a permitted "
@@ -212,6 +213,7 @@
 return 0;
 }
 xfree(patterns);
+ xfree(remote_host);
 /* Host name matches. */
 goto next_option;
 }
diff -Nru /tmp/72n5cWdfyB/openssh-3.9p1/debian/changelog /tmp/5oJZ7L54Ml/openssh-3.9p1/debian/changelog
--- /tmp/72n5cWdfyB/openssh-3.9p1/debian/changelog 2006-02-15 04:35:43.422868713 +1100
+++ /tmp/5oJZ7L54Ml/openssh-3.9p1/debian/changelog 2006-02-15 04:35:43.587849766 +1100
@@ -1,3 +1,10 @@
+openssh (10:3.9p1-2.dsa.3.fdo.1) stable; urgency=low
+
+ * Match on the canonical IP address, as well as the IPv4-in-IPv6
+ encapsulated address.
+
+ -- Daniel Stone <[EMAIL PROTECTED]> Sun, 12 Feb 2006 15:37:09 +0200
+
 openssh (10:3.9p1-2.dsa.3) stable; urgency=low
 * Fix the epoch in Replaces:
diff -Nru /tmp/72n5cWdfyB/openssh-3.9p1/match.c /tmp/5oJZ7L54Ml/openssh-3.9p1/match.c
--- /tmp/72n5cWdfyB/openssh-3.9p1/match.c 2002-03-05 12:42:43.000000000 +1100
+++ /tmp/5oJZ7L54Ml/openssh-3.9p1/match.c 2006-02-15 04:35:43.576851029 +1100
@@ -38,6 +38,7 @@
 RCSID("$OpenBSD: match.c,v 1.19 2002/03/01 13:12:10 markus Exp $");
 #include "match.h"
+#include "canohost.h"
 #include "xmalloc.h"
 /* 
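Review bot: `remote_host` now owns an xstrdup'd buffer but is still declared `const char *`, so the `xfree(remote_host)` calls added in the second and third hunks of this file hand a const-qualified pointer to a `void *` parameter (a discarded-qualifier diagnostic) and the declaration no longer signals ownership; declare it `char *remote_host = xstrdup(get_canonical_hostname(options.use_dns));`. The copy is released on the mismatch path and on the match path shown, but the code between the first and second hunk is not visible here, and any other exit from the `from=` block in that range (for instance wherever `patterns` is freed on a parse failure, if such a path exists) would now leak the copy as well. A short comment at the xstrdup, `/* private copy: match_host_and_ip() calls get_canonical_hostname() again and may replace its cached value */`, records why the duplicate exists, since the reason is only stated in the cover note.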
@@ -184,16 +185,26 @@
 match_host_and_ip(const char *host, const char *ipaddr, const char *patterns)
 {
- int mhost, mip;
+ int mhost, mip, mipc;
+ char *canonical_ip = NULL;
 /* negative ipaddr match */
 if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
 return 0;
+
+ /* negative canonical ipaddr match */
+ canonical_ip = get_canonical_hostname(0);
+ /* since g_c_h can return UNKNOWN, protect users from themselves */
+ mipc = (match_hostname(canonical_ip, patterns, strlen(patterns)) &&
+ (strcmp(canonical_ip, "UNKNOWN") != 0));
+ if (mipc == -1)
+ return 0;
+
 /* negative hostname match */
 if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
 return 0;
 /* no match at all */
- if (mhost == 0 && mip == 0)
+ if (mhost == 0 && mip == 0 && mipc == 0)
 return 0;
 return 1;
 }
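Review bot: Folding the `match_hostname()` result through `&&` in the added `mipc =` assignment collapses its three-valued return (-1 for a negated pattern, 0, 1) to 0 or 1, so the `if (mipc == -1) return 0;` that follows can never fire, and a `!addr` entry that matches the canonical address yields `mipc == 1` and makes the function return 1 — the negation becomes a grant precisely when `ipaddr` and the canonical address differ, which is the case this patch is meant to cover. Keep the raw result and only suppress the placeholder: `mipc = strcmp(canonical_ip, "UNKNOWN") == 0 ? 0 : match_hostname(canonical_ip, patterns, strlen(patterns));` with the `== -1` check left as it is. `canonical_ip` also drops the qualifier of the returned pointer (the auth-options.c hunk assigns the same call to a `const char *`), so `const char *canonical_ip` is the better declaration. Calling get_canonical_hostname() from inside a generic pattern matcher ties match.c to the connection's state and, per the cover note, replaces the cached lookup; a comment on the function saying that it now also consults the connection's canonical (non-DNS) address would help the next reader.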