Bug 217925

Summary: OpenSSH does not look up IP addresses properly
Product: [Fedora] Fedora Reporter: Eli Barzilay <eli>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: cra
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-24 15:13:23 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Eli Barzilay 2006-11-30 14:49:18 EST
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
* Always

Steps to Reproduce:
1. Set up a machine `foo.org' that is also known as `bar.com' (through a
   CNAME entry)
2. on the machine, run "ssh bar.com pwd"
3. look in /var/log/secure
  
Actual results:
* The log file will have a bogus alert saying:
    Address <your-ip> maps to foo.org, but this does not map back to the
    address - POSSIBLE BREAK-IN ATTEMPT!

Expected results:
* Not expecting any alerts

Additional info:
  This error message comes from `get_remote_hostname' in "canohost.c" in the
  openssh source.  I traced some of it, and it looks like it gets to do a
  lookup for your real name ("foo.org" in the above example), and that returns
  "127.0.0.1", which is different from "<your-actual-ip>".  You can see that
  by printing the values of `ntop' and `ntop2' (before their comparison fails)
  and see that the first is your IP address, and the second is "127.0.0.1".
Comment 1 Tomas Mraz 2006-11-30 15:21:41 EST
You probably have foo.org in /etc/hosts with the 127.0.0.1 entry.

Otherwise <your-actual-ip> should be returned.
Comment 2 Eli Barzilay 2006-11-30 16:02:33 EST
My 127.0.0.1 entry in /etc/hosts looks like this:

  # Do not remove the following line, or various programs
  # that require network functionality will fail.
  127.0.0.1	foo foo.org localhost.localdomain localhost
  ::1		foo foo.org localhost.localdomain localhost

Are you saying that it should *not* have "foo" and "foo.org" in there?
(That does seems to make the alert message go away, but the comment at the
beginning of the hosts file makes me worried.  I'm not the one who wrote it.)
Comment 3 Tomas Mraz 2007-09-24 15:13:23 EDT
It is written by anaconda during install but when you have actual non localhost
IP the foo and foo.org should be removed manually from these lines and another
entries with the actual IP address should be added.
Comment 4 Eli Barzilay 2007-09-24 15:25:10 EDT
It would be a *very* good idea to make the generated comment
explain all that.  Or at least refer to some url where it is
explained.
Comment 5 Charles R. Anderson 2007-09-27 16:03:25 EDT
Wouldn't this same problem occur if you had multiple IP addresses on the same
server?
Comment 6 Tomas Mraz 2007-09-27 17:41:37 EDT
Only if all of them reverse mapped to a single DNS name and that is clearly
broken setup.

Here the problem is that reverse mapping for external IP maps to foo.org but it
resolves to 127.0.0.1 and not the external IP.
Comment 7 Charles R. Anderson 2007-09-27 18:51:55 EDT
Even if you have an IPv4 and IPv6 address reverse to a single DNS name?