git: 0fbec53dcfb8 - stable/13 - sshd: do not resolve refused client hostname

Reply: Gleb Smirnoff : "Re: git: 0fbec53dcfb8 - stable/13 - sshd: do not resolve refused client hostname"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Mon, 18 Dec 2023 17:36:17 UTC

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=0fbec53dcfb8d31aa2e3734992e241422e152433

commit 0fbec53dcfb8d31aa2e3734992e241422e152433
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2023-07-20 21:56:20 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-12-18 17:35:47 +0000

    sshd: do not resolve refused client hostname
    
    This is a compromise between POLA and practical reasoning.  We don't
    want to block the main server loop in an attempt to resolve.  But we
    need to keep the format of the logged message as is, for sake of
    sshguard and other scripts.  So let's print just the IP address twice,
    this is what libwrap's refuse() would do if it failed to resolve.
    
    Reviewed by:            philip
    PR:                     269456
    Differential revision:  https://reviews.freebsd.org/D40069
    
    (cherry picked from commit 9ff45b8ed847f9cb7e1cd401278c7f6b30fe8225)
---
 crypto/openssh/sshd.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index ce8db54a2b72..a82b82d08c14 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1297,13 +1297,24 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 				    SO_LINGER, &l, sizeof(l));
 				(void )close(*newsock);
 				/*
-				 * Mimic message from libwrap's refuse()
-				 * exactly.  sshguard, and supposedly lots
-				 * of custom made scripts rely on it.
+				 * Mimic message from libwrap's refuse() as
+				 * precisely as we can afford.  The authentic
+				 * message prints the IP address and the
+				 * hostname it resolves to in parentheses.  If
+				 * the IP address cannot be resolved to a
+				 * hostname, the IP address will be repeated
+				 * in parentheses.  As name resolution in the
+				 * main server loop could stall, and logging
+				 * resolved names adds little or no value to
+				 * incident investigation, this implementation
+				 * only repeats the IP address in parentheses.
+				 * This should resemble librwap's refuse()
+				 * closely enough not to break auditing
+				 * software like sshguard or custom scripts.
 				 */
 				syslog(LOG_WARNING,
 				    "refused connect from %s (%s)",
-				    eval_client(&req),
+				    eval_hostaddr(req.client),
 				    eval_hostaddr(req.client));
 				debug("Connection refused by tcp wrapper");
 				continue;