Bug 217925 - OpenSSH does not look up IP addresses properly
Summary: OpenSSH does not look up IP addresses properly
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-11-30 19:49 UTC by Eli Barzilay
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-24 19:13:23 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Eli Barzilay 2006-11-30 19:49:18 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
* Always

Steps to Reproduce:
1. Set up a machine `foo.org' that is also known as `bar.com' (through a
   CNAME entry)
2. on the machine, run "ssh bar.com pwd"
3. look in /var/log/secure
  
Actual results:
* The log file will have a bogus alert saying:
    Address <your-ip> maps to foo.org, but this does not map back to the
    address - POSSIBLE BREAK-IN ATTEMPT!

Expected results:
* Not expecting any alerts

Additional info:
  This error message comes from `get_remote_hostname' in "canohost.c" in the
  openssh source.  I traced some of it, and it looks like it gets to do a
  lookup for your real name ("foo.org" in the above example), and that returns
  "127.0.0.1", which is different from "<your-actual-ip>".  You can see that
  by printing the values of `ntop' and `ntop2' (before their comparison fails)
  and see that the first is your IP address, and the second is "127.0.0.1".

Comment 1 Tomas Mraz 2006-11-30 20:21:41 UTC
You probably have foo.org in /etc/hosts with the 127.0.0.1 entry.

Otherwise <your-actual-ip> should be returned.


Comment 2 Eli Barzilay 2006-11-30 21:02:33 UTC
My 127.0.0.1 entry in /etc/hosts looks like this:

  # Do not remove the following line, or various programs
  # that require network functionality will fail.
  127.0.0.1	foo foo.org localhost.localdomain localhost
  ::1		foo foo.org localhost.localdomain localhost

Are you saying that it should *not* have "foo" and "foo.org" in there?
(That does seems to make the alert message go away, but the comment at the
beginning of the hosts file makes me worried.  I'm not the one who wrote it.)


Comment 3 Tomas Mraz 2007-09-24 19:13:23 UTC
It is written by anaconda during install but when you have actual non localhost
IP the foo and foo.org should be removed manually from these lines and another
entries with the actual IP address should be added.


Comment 4 Eli Barzilay 2007-09-24 19:25:10 UTC
It would be a *very* good idea to make the generated comment
explain all that.  Or at least refer to some url where it is
explained.


Comment 5 Charles R. Anderson 2007-09-27 20:03:25 UTC
Wouldn't this same problem occur if you had multiple IP addresses on the same
server?

Comment 6 Tomas Mraz 2007-09-27 21:41:37 UTC
Only if all of them reverse mapped to a single DNS name and that is clearly
broken setup.

Here the problem is that reverse mapping for external IP maps to foo.org but it
resolves to 127.0.0.1 and not the external IP.

Comment 7 Charles R. Anderson 2007-09-27 22:51:55 UTC
Even if you have an IPv4 and IPv6 address reverse to a single DNS name?



Note You need to log in before you can comment on or make changes to this bug.