|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
From: Greg Hudson <ghudson@MIT.EDU> To: Derek Atkins <warlord@mit.edu> Cc: bugs@mit.edu In-Reply-To: <sjmadvowks3.fsf@indiana.mit.edu> Content-Type: text/plain Content-Transfer-Encoding: 7bit Date: 10 Jan 2002 10:21:28 -0500 Message-Id: <1010676088.1138.2.camel@error-messages.mit.edu> Mime-Version: 1.0 On Tue, 2002-01-08 at 17:16, Derek Atkins wrote: > The following patch to ssh will fix the problem of trying to ssh to a > host that does not have proper reverse resolution. It will try the > canonical hostname (reverse-resolution of getpeername()) first, and if > that fails it will fallback to the name provided by the user. So, I don't like either the old behavior or your proposed behavior. The old behavior fails on hosts without proper PTR records, and your behavior fails on hosts without proper PTR records when what you typed in was a short name or cname for the hostname. It is my understanding that any reasonable modern resolver (like, post-SunOS) will return the canonical name of a host in the h_name field of the hostent structure on return from gethostbyname(), e.g. if I try to resolve "tkl", I get: Resolved: tkl h_name: TAE-KWON-LEAP.mit.edu h_aliases[0]: tkl.mit.edu h_addr[0]: 18.179.0.20 where h_aliases[0] is the search path entry which resolved and h_name is the cname. It seems like Kerberos clients should be using this feature rather than mucking around with reverse resolution. True, that won't work for a host with multiple names (all A records, not CNAMES) and only a keytab for the host listed in its PTR record, but that doesn't particularly bother me. (There is, of course, the standard argument that someone could have forged the CNAME response and convinced you to authenticate to a completely different host than you typed. That argument suggests using h_aliases[0] when it exists in the hostent, and means that cnames won't work unless hosts have keytab records for their cnames as well as their canonical names. But certainly no MIT Kerberos clients have ever listened to that argument.)
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |