Bug 223448
| Summary: | telnetd refuses connections if nameserver(s) down | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeremy Faith <jfaith> |
| Component: | telnet | Assignee: | Adam Tkac <atkac> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6 | CC: | d.lesca, ovasik |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-04-13 12:26:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 253392 | ||
|
Description
Jeremy Faith
2007-01-19 14:35:35 UTC
Very similar to bug #223452, patch could be based on rlogind's patch. I'm going to take care about this one -A- I've created proposed fix. Could you test it, please? http://people.redhat.com/atkac/test_srpms/telnet-0.17-38.fc7.src.rpm Regards, Adam Yes, that seems to work fine, thanks. The -c option is not mentioned in the manual page though. But I would just like to confirm that the option is needed. I'm afraid I'm still not convinced that doing this second lookup if EAI_AGAIN is returned reduces security. EAI_AGAIN only happens if the nameserver is down or not configured. If the nameserver is working and the client does not have a reverse DNS entry the first call to getnameinfo will return the IP address in string form(with no error), so telnetd/rlogind have to handle that situation anyway. If you are certain the hostname MUST be available when the -c option is NOT used then you need to use NI_NAMEREQD in the flags argument to the first getnameinfo call. In which case the second call will need to be done if the error returned is EAI_NONAME or EAI_AGAIN and the -c option is used. But I don't think this is a good idea. I believe all of this is caused by a change to the implementation of the getnameinfo function see bug #221583 and #204122. I think the better option is to do the second getnameinfo call if the error is EAI_AGAIN even it the nodns option is not set. I think this covers up the problem with the getnameinfo implementation. Sorry, if I'm not being clear here or missing something but I'm just not getting it. (In reply to comment #3) > Yes, that seems to work fine, thanks. > The -c option is not mentioned in the manual page though. Be sure that you're looking at correct manpage (you must see "man in.telnetd", not only telnetd because this is different version of telnet daemon) I'm not expert about security so better is create new option than create security hole :) -A- You are correct man in.telnetd does mention the -c option, my bad.
relevant section:-
-c This option disables reverse dns checking. Of course that
security is lower with this option
Just to be picky, should it not be 'Of course the' rather than 'Of Course that'.
Mind you I'm not convinced security is lower but fair enough re your decision to
err on the side of caution(seldom a bad move).
After next thinking about this issue I'm going to use patch from Bryn M. Reeves. With this patch -c option is no longer avaliable in Fedora >= 8 and reverse checking is automatically disabled when DNS is unreachable. Adam Yes, the patch for bug #253392 seems better to me. What about rlogind(i.e. bug #223452)? A simliar patch would seem appropriate. (In reply to comment #7) > Yes, the patch for bug #253392 seems better to me. > What about rlogind(i.e. bug #223452)? > A simliar patch would seem appropriate. Yes, I'm going to also drop -D option. But this change will be in F9, not F8 (final F8 freeze is today and rlogind/rshd need more work and I don't have enough time now) Adam |