1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
|
Description: Resolve remote host as numeric host identifier.
Implement a new switch '-N' in the server, avoiding reverse DNS
resolution and instead registering a numeric host representation.
The environment variable REMOTEHOST is set to this numeric address.
.
The change could be of benefit in PAM rules for access control as well
as for accounting and tracing of network activity. In addition, the use
of '-N' mitigates cases when a hostile third party might have gained
control of reverse DNS resolution and is trying to inject fake answers.
Author: Dean Gaudet
Bug-Debian: http://bugs.debian.org/258371
Comment: The patch was first applied to netkit-telnet-ssl.
Last-Update: 2004-12-05
--- netkit-telnet-0.17/telnetd/telnetd.c.orig
+++ netkit-telnet-0.17/telnetd/telnetd.c
@@ -86,6 +86,7 @@ int hostinfo = 1; /* do we print login
int debug = 0;
int keepalive = 1;
+int numeric_hosts = 0;
#ifdef LOGIN_WRAPPER
char *loginprg = LOGIN_WRAPPER;
#else
@@ -220,7 +221,7 @@ main(int argc, char *argv[], char *env[]
pfrontp = pbackp = ptyobuf;
netip = netibuf;
- while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:")) != EOF) {
+ while ((ch = getopt(argc, argv, "d:a:e:lhnNr:I:D:B:sS:a:X:L:")) != EOF) {
switch(ch) {
#ifdef AUTHENTICATE
@@ -319,6 +320,10 @@ main(int argc, char *argv[], char *env[]
keepalive = 0;
break;
+ case 'N':
+ numeric_hosts = 1;
+ break;
+
#ifdef SecurID
case 's':
/* SecurID required */
@@ -680,7 +685,8 @@ doit(struct sockaddr *who, socklen_t who
/* get name of connected client */
if (getnameinfo(who, who_len, remote_host_name,
- sizeof(remote_host_name), 0, 0, 0)) {
+ sizeof(remote_host_name), 0, 0,
+ numeric_hosts ? NI_NUMERICHOST : 0)) {
syslog(LOG_ERR, "doit: getnameinfo: %m");
*remote_host_name = 0;
}
--- netkit-telnet-0.17/telnetd/telnetd.8.orig
+++ netkit-telnet-0.17/telnetd/telnetd.8
@@ -42,7 +42,7 @@
protocol server
.Sh SYNOPSIS
.Nm /usr/sbin/in.telnetd
-.Op Fl hns
+.Op Fl hnNs
.Op Fl a Ar authmode
.Op Fl D Ar debugmode
.Op Fl L Ar loginprg
@@ -176,6 +176,9 @@
if the client is still there, so that idle connections
from machines that have crashed or can no longer
be reached may be cleaned up.
+.It Fl N
+Disable reverse DNS lookups and use the numeric IP address in logs
+and REMOTEHOST environment variable.
.It Fl s
This option is only enabled if
.Nm telnetd
|