
Bug#352508: authorized_keys handling doesn't canonicalise IP address



Package: openssh-server
Version: 3.9p1-2.dsa.3
Severity: normal
Tags: upstream patch

Hi,
Apologies for the weirdo version number.  It's just the small DSA fork
to add global key handling; as far as I know it's otherwise intact, and
the portion of code (match.c) is certainly untouched from the normal -2.

When parsing authorized_keys and matching a from="" attribute
(auth-options.c), there are two possible scenarios, assuming a remote IP
of 131.252.208.34, possibly with reverse DNS of kemper.freedesktop.org:
  * no reverse DNS: remote_ip "::ffff:131.252.208.34", remote_hostname
    "131.252.208.34" (note the difference),
  * reverse DNS: remote_ip "::ffff:131.252.208.34", remote_hostname
    "kemper.freedesktop.org".

So, if you have a from="131.252.208.34" stanza in your authorized_keys,
it will only match if there is no reverse DNS.  from="::ffff:131.252.208.34"
always matches, although it's quite seriously unintuitive.

The attached patch changes match_host_and_ip (host.c) to compare against
the canonicalised IP form (get_canonical_hostname [canohost.c] with
use_dns set to 0), but with the safeguard that it will explicitly not
match 'UNKNOWN', to prevent the user seriously shooting themselves in
the foot.

This appears to have the desired effect on authorized_keys: I can't
speak as to what effect it has on the codebase as a whole, but I don't
imagine it could be terrible.

The attached patch is also available at:
http://annarchy.freedesktop.org/~daniels/openssh-auth_hosts-canonical-ip.diff

Cheers,
Daniel
diff -Nru /tmp/4Uo5dTki1Y/openssh-3.9p1/debian/changelog /tmp/Xki97omQuo/openssh-3.9p1/debian/changelog
--- /tmp/4Uo5dTki1Y/openssh-3.9p1/debian/changelog	2006-02-13 00:58:28.918823296 +1100
+++ /tmp/Xki97omQuo/openssh-3.9p1/debian/changelog	2006-02-13 00:58:29.082798368 +1100
@@ -1,3 +1,10 @@
+openssh (10:3.9p1-2.dsa.3.fdo.1) stable; urgency=low
+
+  * Match on the canonical IP address, as well as the IPv4-in-IPv6
+    encapsulated address.
+
+ -- Daniel Stone <daniels@debian.org>  Sun, 12 Feb 2006 15:37:09 +0200
+
 openssh (10:3.9p1-2.dsa.3) stable; urgency=low
 
   * Fix the epoch in Replaces:
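Review bot: The new changelog bullet does not say that the change is in match_host_and_ip (match.c) or that a canonical address of "UNKNOWN" is deliberately never matched, and it carries no bug reference. Suggest naming the function and the UNKNOWN exclusion in the bullet and adding "Closes: #352508" so the upload is tied to this report.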
diff -Nru /tmp/4Uo5dTki1Y/openssh-3.9p1/match.c /tmp/Xki97omQuo/openssh-3.9p1/match.c
--- /tmp/4Uo5dTki1Y/openssh-3.9p1/match.c	2002-03-05 12:42:43.000000000 +1100
+++ /tmp/Xki97omQuo/openssh-3.9p1/match.c	2006-02-13 00:58:29.071800040 +1100
@@ -38,6 +38,7 @@
 RCSID("$OpenBSD: match.c,v 1.19 2002/03/01 13:12:10 markus Exp $");
 
 #include "match.h"
+#include "canohost.h"
 #include "xmalloc.h"
 
 /*
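Review bot: The added #include "canohost.h" makes match.c depend on connection state, because get_canonical_hostname(0) is given no address and has to find the peer on its own, while match_host_and_ip otherwise works only on the strings it is passed. Consider having the caller pass the canonical address in (it already supplies ipaddr) and dropping this include, so the matcher keeps working on its arguments alone.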
@@ -184,16 +185,26 @@
 match_host_and_ip(const char *host, const char *ipaddr,
     const char *patterns)
 {
-	int mhost, mip;
+	int mhost, mip, mipc;
+	char *canonical_ip = NULL;
 
 	/* negative ipaddr match */
 	if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
 		return 0;
+
+	/* negative canonical ipaddr match */
+	canonical_ip = get_canonical_hostname(0);
+	/* since g_c_h can return UNKNOWN, protect users from themselves */
+	mipc = (match_hostname(canonical_ip, patterns, strlen(patterns)) &&
+                (strcmp(canonical_ip, "UNKNOWN") != 0));
+	if (mipc == -1)
+		return 0;
+
 	/* negative hostname match */
 	if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
 		return 0;
 	/* no match at all */
-	if (mhost == 0 && mip == 0)
+	if (mhost == 0 && mip == 0 && mipc == 0)
 		return 0;
 	return 1;
 }
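Review bot: In the mipc assignment the && collapses the result to 0 or 1, so the following "if (mipc == -1) return 0;" can never fire, and a negated pattern that hits the canonical address (match_hostname returning -1, which is truthy) ends up as mipc == 1, i.e. a positive match that lets the function return 1. Store the raw result first, "mipc = match_hostname(canonical_ip, patterns, strlen(patterns));", return 0 on -1, and only then force mipc to 0 when canonical_ip is "UNKNOWN". The function also ignores its ipaddr argument for this check and does not guard against canonical_ip being NULL before strcmp, and the continuation line is indented with spaces where the rest of the file uses tabs.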

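The mismatch the report describes (a from="131.252.208.34" entry against a peer seen as "::ffff:131.252.208.34") can be reproduced and resolved outside OpenSSH. The following is an added example, not part of the original report or of OpenSSH; `canonical_ip` and `from_entry_matches` are hypothetical helpers, and only exact, non-negated entries are handled.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/*
 * Hypothetical helper (not an OpenSSH function): write the canonical text
 * form of address literal `in` to `out`. An IPv4-mapped IPv6 address such
 * as "::ffff:131.252.208.34" becomes "131.252.208.34"; other valid
 * addresses are re-rendered by inet_ntop. Returns 0 on success, -1 if
 * `in` is not an IP address literal.
 */
int
canonical_ip(const char *in, char *out, size_t outlen)
{
	struct in6_addr a6;
	struct in_addr a4;

	if (inet_pton(AF_INET6, in, &a6) == 1) {
		if (IN6_IS_ADDR_V4MAPPED(&a6)) {
			/* the IPv4 address is the last 4 of the 16 bytes */
			memcpy(&a4, &a6.s6_addr[12], sizeof(a4));
			return inet_ntop(AF_INET, &a4, out, outlen) ? 0 : -1;
		}
		return inet_ntop(AF_INET6, &a6, out, outlen) ? 0 : -1;
	}
	if (inet_pton(AF_INET, in, &a4) == 1)
		return inet_ntop(AF_INET, &a4, out, outlen) ? 0 : -1;
	return -1;
}

/*
 * Hypothetical exact-match check for one from="" entry: succeeds when the
 * entry equals the peer address as received or in its canonical form.
 * Fails closed when the peer address does not parse, so a placeholder
 * such as "UNKNOWN" can never match.
 */
int
from_entry_matches(const char *entry, const char *peer_ip)
{
	char canon[INET6_ADDRSTRLEN];

	if (canonical_ip(peer_ip, canon, sizeof(canon)) != 0)
		return 0;
	return strcmp(entry, peer_ip) == 0 || strcmp(entry, canon) == 0;
}
```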