Date: Thu, 20 Jul 2023 21:58:09 GMT
Message-Id: <202307202158.36KLw9PG052200@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Gleb Smirnoff
Subject: git: 9ff45b8ed847 - main - sshd: do not resolve refused client hostname
List-Id: Commit messages for all branches of the src repository
X-Git-Committer: glebius
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 9ff45b8ed847f9cb7e1cd401278c7f6b30fe8225

The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=9ff45b8ed847f9cb7e1cd401278c7f6b30fe8225

commit 9ff45b8ed847f9cb7e1cd401278c7f6b30fe8225
Author:     Gleb Smirnoff
AuthorDate: 2023-07-20 21:56:20 +0000
Commit:     Gleb Smirnoff
CommitDate: 2023-07-20 21:56:20 +0000

    sshd: do not resolve refused client hostname

    This is a compromise between POLA and practical reasoning. We don't want
    to block the main server loop in an attempt to resolve. But we need to
    keep the format of the logged message as is, for the sake of sshguard and
    other scripts. So let's print just the IP address twice; this is what
    libwrap's refuse() would do if it failed to resolve.

    Reviewed by:            philip
    PR:                     269456
    Differential revision:  https://reviews.freebsd.org/D40069
---
 crypto/openssh/sshd.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index ce8db54a2b72..a82b82d08c14 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1297,13 +1297,24 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) SO_LINGER, &l, sizeof(l)); (void )close(*newsock); /* - * Mimic message from libwrap's refuse() - * exactly. sshguard, and supposedly lots - * of custom made scripts rely on it. + * Mimic message from libwrap's refuse() as + * precisely as we can afford. The authentic + * message prints the IP address and the + * hostname it resolves to in parentheses. If + * the IP address cannot be resolved to a + * hostname, the IP address will be repeated + * in parentheses. As name resolution in the + * main server loop could stall, and logging + * resolved names adds little or no value to + * incident investigation, this implementation + * only repeats the IP address in parentheses. + * This should resemble librwap's refuse() + * closely enough not to break auditing + * software like sshguard or custom scripts. */ syslog(LOG_WARNING, "refused connect from %s (%s)", - eval_client(&req), + eval_hostaddr(req.client), eval_hostaddr(req.client)); debug("Connection refused by tcp wrapper"); continue;
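Review bot: the added comment misspells the library name in "This should resemble librwap's refuse()"; change "librwap" to "libwrap" so it matches the "libwrap's refuse()" wording at the top of the same comment. The replacement call `syslog(LOG_WARNING, "refused connect from %s (%s)", eval_hostaddr(req.client), eval_hostaddr(req.client));` keeps the two-field line that sshguard and similar scripts match, which is the stated goal, but the parenthesised field is now always the address rather than a resolved name; it would help operators who read these logs during an incident if that were noted in the sshd documentation or the commit message, so the repeated address is not mistaken for a successful reverse lookup.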