Date:      Thu, 20 Jul 2023 21:58:09 GMT
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 9ff45b8ed847 - main - sshd: do not resolve refused client hostname
Message-ID:  <202307202158.36KLw9PG052200@gitrepo.freebsd.org>

The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=9ff45b8ed847f9cb7e1cd401278c7f6b30fe8225

commit 9ff45b8ed847f9cb7e1cd401278c7f6b30fe8225
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2023-07-20 21:56:20 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2023-07-20 21:56:20 +0000

    sshd: do not resolve refused client hostname
    
    This is a compromise between POLA and practical reasoning.  We don't
    want to block the main server loop in an attempt to resolve.  But we
    need to keep the format of the logged message as is, for sake of
    sshguard and other scripts.  So let's print just the IP address twice;
    this is what libwrap's refuse() would do if it failed to resolve.
    
    Reviewed by:            philip
    PR:                     269456
    Differential revision:  https://reviews.freebsd.org/D40069
---
 crypto/openssh/sshd.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index ce8db54a2b72..a82b82d08c14 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1297,13 +1297,24 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 				    SO_LINGER, &l, sizeof(l));
 				(void )close(*newsock);
 				/*
-				 * Mimic message from libwrap's refuse()
-				 * exactly.  sshguard, and supposedly lots
-				 * of custom made scripts rely on it.
+				 * Mimic message from libwrap's refuse() as
+				 * precisely as we can afford.  The authentic
+				 * message prints the IP address and the
+				 * hostname it resolves to in parentheses.  If
+				 * the IP address cannot be resolved to a
+				 * hostname, the IP address will be repeated
+				 * in parentheses.  As name resolution in the
+				 * main server loop could stall, and logging
+				 * resolved names adds little or no value to
+				 * incident investigation, this implementation
+				 * only repeats the IP address in parentheses.
+				 * This should resemble librwap's refuse()
+				 * closely enough not to break auditing
+				 * software like sshguard or custom scripts.
 				 */
 				syslog(LOG_WARNING,
 				    "refused connect from %s (%s)",
-				    eval_client(&req),
+				    eval_hostaddr(req.client),
 				    eval_hostaddr(req.client));
 				debug("Connection refused by tcp wrapper");
 				continue;
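Review bot: the new comment block misspells the library name in "This should resemble librwap's refuse()"; it should read "libwrap's refuse()" like the rest of the comment, so fix that before it lands. As a style point, the same `eval_hostaddr(req.client)` value is now evaluated twice as the two `%s` arguments; binding it once to a local (e.g. `const char *addr = eval_hostaddr(req.client);` and passing `addr, addr`) would make the intent, address repeated in parentheses, obvious to the next reader without needing the comment.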

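The commit keeps the `refused connect from %s (%s)` format because sshguard and custom scripts key on it. The following script, which is an added example and not code from the FreeBSD commit or from sshguard, shows how such a consumer should parse both forms of the line: the original libwrap form with a resolved hostname in parentheses and the new form where the address is simply repeated. It keys only on the first field, so the change in the second field does not affect the blocking decision. The syslog lines, the host name `gw`, the `Refusal` record, the `BLOCK_THRESHOLD` constant and the helper names are all constructed for this example.

```python
"""Parse libwrap-style "refused connect from" lines as logged by sshd.

Added example, not the FreeBSD project's code.  The first %s is always
the client address; the parenthesised field is either the hostname it
resolved to or, when resolution is skipped or fails, the address again.
A blocking script should therefore key on the first field only.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample log: a resolved-name refusal, three address-repeated
# refusals (two from the same client) and one unrelated sshd line.
SAMPLE_LOG = """\
Jul 20 21:58:09 gw sshd[52200]: refused connect from 192.0.2.10 (badhost.example.net)
Jul 20 21:58:11 gw sshd[52201]: refused connect from 192.0.2.10 (192.0.2.10)
Jul 20 21:58:12 gw sshd[52202]: refused connect from 2001:db8::1 (2001:db8::1)
Jul 20 21:58:13 gw sshd[52203]: refused connect from 192.0.2.10 (192.0.2.10)
Jul 20 21:58:14 gw sshd[52204]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2
"""

# Assumed policy for this example: block after this many refusals.
BLOCK_THRESHOLD = 3

# Message body as produced by syslog(LOG_WARNING, "refused connect from %s (%s)", ...)
# with an optional syslog header (timestamp, host, sshd[pid]:) in front of it.
REFUSED_RE = re.compile(
    r"(?:^.*?sshd\[(?P<pid>\d+)\]:\s*)?"
    r"refused connect from (?P<addr>\S+) \((?P<paren>[^)]*)\)\s*$"
)


class Refusal(NamedTuple):
    addr: str            # normalised client address (first field)
    paren: str           # raw parenthesised field (hostname or repeated address)
    resolved: bool       # True when the second field is a hostname, not the address
    pid: Optional[int]   # sshd pid from the syslog header, if present


def parse_refusal(line: str) -> Optional[Refusal]:
    """Return a Refusal for a libwrap-style refusal line, or None otherwise."""
    m = REFUSED_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        # The first field must be an address; anything else is not this message.
        return None
    paren = m.group("paren")
    try:
        # Compare as addresses so "2001:DB8::1" and "2001:db8::1" count as equal.
        resolved = ipaddress.ip_address(paren) != ip
    except ValueError:
        resolved = True  # not parseable as an address, so it is a hostname
    pid = int(m.group("pid")) if m.group("pid") else None
    return Refusal(str(ip), paren, resolved, pid)


def count_refusals(lines: Iterable[str]) -> Counter:
    """Count refusals per client address, ignoring the parenthesised field."""
    counts: Counter = Counter()
    for line in lines:
        r = parse_refusal(line)
        if r is not None:
            counts[r.addr] += 1
    return counts


def block_candidates(lines: Iterable[str], threshold: int = BLOCK_THRESHOLD) -> List[str]:
    """Addresses refused at least `threshold` times, in descending order of count."""
    counts = count_refusals(lines)
    return [addr for addr, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(parse_refusal(entry))
    print("block:", block_candidates(SAMPLE_LOG.splitlines()))
```

Because `count_refusals` never looks at the parenthesised field, a consumer written this way behaves identically before and after the commit; a consumer that instead split on the parentheses to obtain a "hostname" would now simply see the address again, which is also what it would have seen whenever libwrap's own resolution failed.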