NetBSD Problem Report #48874
From www@NetBSD.org Thu Jun 5 13:51:56 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 9C7F0A663F
for <gnats-bugs@gnats.NetBSD.org>; Thu, 5 Jun 2014 13:51:56 +0000 (UTC)
Message-Id: <20140605135154.22525A6643@mollari.NetBSD.org>
Date: Thu, 5 Jun 2014 13:51:54 +0000 (UTC)
From: netbsd@eq.cz
Reply-To: netbsd@eq.cz
To: gnats-bugs@NetBSD.org
Subject: sshd: "UseDNS=no" dysfunctional
X-Send-Pr-Version: www-1.0
>Number: 48874
>Category: bin
>Synopsis: sshd: "UseDNS=no" dysfunctional
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jun 05 13:55:00 +0000 2014
>Closed-Date: Sat Dec 27 23:41:23 +0000 2014
>Last-Modified: Sat Dec 27 23:41:23 +0000 2014
>Originator: rudolf
>Release: 6.1_STABLE
>Organization:
>Environment:
NetBSD 6.1_STABLE (XEN3_DOMU) amd64, built from CVS at Fri May 23 18:51:55 CEST 2014
>Description:
The setting of configuration option "UseDNS" to "no" in /etc/ssh/sshd_config of an sshd server does not stop the sshd server from trying to reverse map the IP address of an ssh client using DNS.
Here is a part (up to the point of the reverse lookup) of the debugging output of "sshd -d -d -d". From my reading of get_remote_hostname() in crypto/external/bsd/openssh/dist/canohost.c, the last line should not be reachable with "UseDNS=no":
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 343
debug2: parse_server_config: config /etc/ssh/sshd_config len 343
debug1: Config token is logingracetime
debug3: /etc/ssh/sshd_config:38 setting LoginGraceTime 600
debug1: Config token is permitrootlogin
debug3: /etc/ssh/sshd_config:39 setting PermitRootLogin without-password
debug1: Config token is allowusers
debug3: /etc/ssh/sshd_config:44 setting AllowUsers root
debug1: Config token is authorizedkeysfile
debug3: /etc/ssh/sshd_config:51 setting AuthorizedKeysFile .ssh/authorized_keys
debug1: Config token is passwordauthentication
debug3: /etc/ssh/sshd_config:64 setting PasswordAuthentication no
debug1: Config token is printmotd
debug3: /etc/ssh/sshd_config:88 setting PrintMotd no
debug1: Config token is usepam
debug3: /etc/ssh/sshd_config:93 setting UsePam no
debug1: Config token is usedns
debug3: /etc/ssh/sshd_config:98 setting UseDNS no
debug1: Config token is subsystem
debug3: /etc/ssh/sshd_config:124 setting Subsystem sftp /usr/libexec/sftp-server
debug1: HPN Buffer Size: 32768
debug1: sshd version OpenSSH_5.9 NetBSD_Secure_Shell-20110907
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug1: rexec_argv[4]='-d'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
debug1: Server TCP RWIN socket size: 32768
debug1: HPN Buffer Size: 32768
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
debug1: Server TCP RWIN socket size: 32768
debug1: HPN Buffer Size: 32768
Server listening on 0.0.0.0 port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 343
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 9
debug1: inetd sockets after dupping: 3, 3
Connection from 10.0.0.254 port 57061
debug1: HPN Disabled: 0, HPN Buffer Size: 32768
debug1: Client protocol version 2.0; client software version OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
SSH: Server;Ltype: Version;Remote: 10.0.0.254-57061;Protocol: 2.0;Client: OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
debug1: match: OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 199
debug3: preauth child monitor started
debug3: privsep user:group 16:16 [preauth]
debug1: permanently_set_uid: 16/16 [preauth]
debug1: MYFLAG IS 1 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: AUTH STATE IS 0 [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
SSH: Server;Ltype: Kex;Remote: 10.0.0.254-57061;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 5 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x7f7ff7b012a0(167)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user root service ssh-connection method none [preauth]
SSH: Server;Ltype: Authname;Remote: 10.0.0.254-57061;Name: root [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 343
debug1: Config token is logingracetime
debug1: Config token is permitrootlogin
debug1: Config token is allowusers
debug1: Config token is authorizedkeysfile
debug1: Config token is passwordauthentication
debug1: Config token is printmotd
debug1: Config token is usepam
debug1: Config token is usedns
debug1: Config token is subsystem
debug3: Trying to reverse map address 10.0.0.254.
>How-To-Repeat:
0) put UseDNS=no to /etc/ssh/sshd_config
1) put the following to /etc/rc.conf:
sshd=YES
sshd_flags="-d -d -d"
2) restart the sshd server
3) connect to the sshd server from a client
4) observe the "Trying to reverse map address <...>." point of debugging output
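As an added example (not part of this PR or of NetBSD's sshd), a small Python check that automates step 4 above over a saved "sshd -d -d -d" trace: it reads the UseDNS value sshd reported while parsing sshd_config and flags the bug if a "Trying to reverse map address" line still follows. The trace excerpt is constructed from the lines quoted in this PR.

```python
import re

# Constructed excerpt of an "sshd -d -d -d" trace, modelled on the lines
# quoted in this PR (not the PR's full trace).
SAMPLE_TRACE = """\
debug2: parse_server_config: config /etc/ssh/sshd_config len 343
debug3: /etc/ssh/sshd_config:64 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:98 setting UseDNS no
Connection from 10.0.0.254 port 57061
debug1: userauth-request for user root service ssh-connection method none [preauth]
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.0.0.254.
"""

# "debug3: <file>:<line> setting <Keyword> <value>" lines from parse_server_config
SETTING_RE = re.compile(r"^debug3: \S+:\d+ setting (\S+) (.*)$")
# The line the PR says must not be reachable once UseDNS is "no"
REVERSE_RE = re.compile(r"^debug3: Trying to reverse map address (\S+)\.$")


def parse_settings(trace):
    """Map each sshd_config keyword (lower-cased, as sshd matches them) to its value."""
    settings = {}
    for line in trace.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def reverse_lookups(trace):
    """Addresses sshd reported trying to reverse-map, in order of appearance."""
    return [m.group(1) for m in map(REVERSE_RE.match, trace.splitlines()) if m]


def check_usedns(trace):
    """Return ("BUG", addrs) if UseDNS is off yet sshd still reverse-mapped a
    client, otherwise ("OK", addrs). UseDNS defaults to yes in the OpenSSH 5.9
    sshd used in this PR, so a trace without the setting line counts as yes."""
    use_dns = parse_settings(trace).get("usedns", "yes").lower()
    addrs = reverse_lookups(trace)
    if use_dns == "no" and addrs:
        return ("BUG", addrs)
    return ("OK", addrs)


if __name__ == "__main__":
    verdict, addrs = check_usedns(SAMPLE_TRACE)
    print(verdict, addrs)  # BUG ['10.0.0.254'] for the constructed trace
```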
>Fix:
>Release-Note:
>Audit-Trail:
From: 三輪晋( Miwa Susumu ) <miwarin@gmail.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/48874
Date: Sun, 12 Oct 2014 12:52:54 +0900
It is because it goes through auth.c allowed_user().
crypto/external/bsd/openssh/dist/auth.c
allowed_user(struct passwd * pw)
hostname = get_canonical_hostname(1); <===
allowed_user() is different between NetBSD and OpenSSH (original).
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c
I do not know why.
--
miwarin
From: rudolf <netbsd@eq.cz>
To: miwarin@gmail.com, Christos Zoulas <christos@netbsd.org>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/48874
Date: Tue, 14 Oct 2014 12:51:51 +0200
三輪晋( Miwa Susumu ) wrote:
> It is because it goes through auth.c allowed_user().
>
> crypto/external/bsd/openssh/dist/auth.c
>
> allowed_user(struct passwd * pw)
> hostname = get_canonical_hostname(1); <===
>
> allowed_user() is different between NetBSD and OpenSSH (original).
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c
>
> I do not know why.
Hi, thank you for looking into this.
Christos, is there a reason NetBSD is using here
"get_canonical_hostname(1)" instead of
"get_canonical_hostname(options.use_dns)"? If not, the attached patch
gets us the right behavior.
Thanks,
r.
Attachment: auth.c.diff
--- crypto/external/bsd/openssh/dist/auth.c.orig 2014-10-12 21:37:09.000000000 +0200
+++ crypto/external/bsd/openssh/dist/auth.c 2014-10-12 21:40:26.000000000 +0200
@@ -101,7 +101,7 @@
return 0;
#ifdef HAVE_LOGIN_CAP
- hostname = get_canonical_hostname(1);
+ hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
lc = login_getclass(pw->pw_class);
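Review bot: The one-line change is the right fix for the PR, but the hunk shows hostname being fetched next to ipaddr immediately before login_getclass(pw->pw_class) under HAVE_LOGIN_CAP, so with UseDNS=no that hostname is now the bare address string instead of a reverse-mapped name; say so in the commit message, because any login class restriction that keys on a host name will from now on only match against the address (which is the upstream UseDNS behaviour). It is also worth confirming, as the reporter asks, that the hard-coded 1 was not deliberate for the login-class path before requesting the pullups.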
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
netbsd@eq.cz
Cc:
Subject: Re: bin/48874
Date: Tue, 14 Oct 2014 12:15:41 -0400
On Oct 14, 10:55am, netbsd@eq.cz (rudolf) wrote:
-- Subject: Re: bin/48874
| Christos, is there a reason NetBSD is using here
| "get_canonical_hostname(1)" instead of
| "get_canonical_hostname(options.use_dns)"? If not, the attached patch
| gets us the right behavior.
I changed it....
christos
From: rudolf <netbsd@eq.cz>
To: Christos Zoulas <christos@zoulas.com>, gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/48874
Date: Fri, 17 Oct 2014 10:15:56 +0200
Christos Zoulas wrote:
> I changed it....
Thanks!
I've tested HEAD, the problem is gone. Could you please request pullup
to 7 and 6 and close the PR? Thank you.
Kind regards,
r.
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
netbsd@eq.cz
Cc:
Subject: Re: bin/48874
Date: Fri, 17 Oct 2014 11:37:42 -0400
On Oct 17, 8:20am, netbsd@eq.cz (rudolf) wrote:
-- Subject: Re: bin/48874
| I've tested HEAD, the problem is gone. Could you please request pullup
| to 7 and 6 and close the PR? Thank you.
Done, thanks.
christos
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 27 Dec 2014 23:41:23 +0000
State-Changed-Why:
According to the ticket queues, the pullups have been handled.
>Unformatted: