From dean-debian@arctic.org Thu Jul 8 22:24:38 2004 Date: Thu, 8 Jul 2004 22:24:10 -0700 (PDT) From: dean gaudet To: submit@bugs.debian.org Subject: telnetd -N option to log numeric IPs Package: netkit-telnet-ssl Version: 0.17.24+0.1 this patch adds a -N option so that telnetd will pass a numeric IP to login(1), which in turn passes it to PAM for logging. without this option an attacker with control over their reverse DNS can eliminate some useful forensic log information. i would have preferred to use '-n' like other tools, but it was already taken. -dean Only in netkit-telnet-ssl-0.17.24+0.1.deborig: __conftest.cc diff -rpu netkit-telnet-ssl-0.17.24+0.1.deborig/debian/changelog netkit-telnet-ssl-0.17.24+0.1/debian/changelog --- netkit-telnet-ssl-0.17.24+0.1.deborig/debian/changelog 2004-07-08 22:15:57.000000000 -0700 +++ netkit-telnet-ssl-0.17.24+0.1/debian/changelog 2004-07-08 22:18:18.000000000 -0700 @@ -1,3 +1,10 @@ +netkit-telnet-ssl (0.17.24+0.1-1.dg1) unstable; urgency=low + + * add -N option to disable reverse dns lookups and always log + the IP address. + + -- dean gaudet Thu, 8 Jul 2004 22:17:52 -0700 + netkit-telnet-ssl (0.17.24+0.1-1) unstable; urgency=low * Bring netkit-telnet-ssl in line with current netkit-telnet diff -rpu netkit-telnet-ssl-0.17.24+0.1.deborig/telnetd/telnetd.8 netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 --- netkit-telnet-ssl-0.17.24+0.1.deborig/telnetd/telnetd.8 2004-07-08 22:15:57.000000000 -0700 +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 2004-07-08 22:17:29.000000000 -0700 @@ -42,7 +42,7 @@ protocol server .Sh SYNOPSIS .Nm /usr/sbin/in.telnetd -.Op Fl hns +.Op Fl hnNs .Op Fl a Ar authmode .Op Fl D Ar debugmode .Op Fl L Ar loginprg 
@@ -175,6 +175,9 @@ have been idle for some period of time t if the client is still there, so that idle connections from machines that have crashed or can no longer be reached may be cleaned up. +.It Fl N +Disable reverse DNS lookups and use the numeric IP address in logs +and REMOTEHOST environment variable. .It Fl s This option is only enabled if .Nm telnetd diff -rpu netkit-telnet-ssl-0.17.24+0.1.deborig/telnetd/telnetd.c netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c --- netkit-telnet-ssl-0.17.24+0.1.deborig/telnetd/telnetd.c 2004-07-08 22:15:57.000000000 -0700 +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c 2004-07-08 22:15:36.000000000 -0700 @@ -90,6 +90,7 @@ int hostinfo = 1; /* do we print login int debug = 0; int keepalive = 1; +int numeric_hosts = 0; #ifdef LOGIN_WRAPPER char *loginprg = LOGIN_WRAPPER; #else @@ -228,7 +229,7 @@ main(int argc, char *argv[], char *env[] ssl_key_file=NULL; #endif /* USE_SSL */ - while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:z:")) != EOF) { + while ((ch = getopt(argc, argv, "d:a:e:lhnNr:I:D:B:sS:a:X:L:z:")) != EOF) { switch(ch) { #ifdef USE_SSL @@ -389,6 +390,10 @@ main(int argc, char *argv[], char *env[] keepalive = 0; break; + case 'N': + numeric_hosts = 1; + break; + #ifdef SecurID case 's': /* SecurID required */ @@ -872,7 +877,8 @@ doit(struct sockaddr *who, socklen_t who /* get name of connected client */ if (getnameinfo(who, who_len, remote_host_name, - sizeof(remote_host_name), 0, 0, 0)) { + sizeof(remote_host_name), 0, 0, + numeric_hosts ? NI_NUMERICHOST : 0)) { syslog(LOG_ERR, "doit: getnameinfo: %m"); *remote_host_name = 0; }
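Review bot: the telnetd.8 hunk at line 175 documents the effect on "logs and REMOTEHOST environment variable" but not the one the cover mail actually motivates, the host name handed to login(1): with -N the login program also receives the numeric address, and that is what ends up in the PAM log record. Suggest adding a sentence such as "The numeric address is also passed to the login program." so readers of the man page see why the option exists.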
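Review bot: in the getopt hunk at telnetd.c line 228 the option string "d:a:e:lhnNr:I:D:B:sS:a:X:L:z:" still lists "a:" twice (once near the start, once after "S:"). That duplication predates this patch and is harmless to getopt, but since the line is being touched anyway it is a good moment to drop the second "a:" so the string matches the documented option set.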
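Review bot: the new "case 'N':" at telnetd.c line 389 is the only case in the visible switch without a trailing comment; the neighbouring SecurID case carries "/* SecurID required */". Suggest "case 'N': /* numeric host names only */" for consistency, and if telnetd prints a usage line listing its options, -N should be added there too.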
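Review bot: the getnameinfo hunk at telnetd.c line 872 keeps the existing failure path, "*remote_host_name = 0;", which drops the peer identity entirely when the call fails. Without -N a resolver error (as opposed to a simple missing PTR record, where getnameinfo already returns the numeric form) therefore still produces a log entry with no address, which is the forensic gap the cover mail is trying to close. Suggest that the error branch retry with NI_NUMERICHOST before giving up, e.g.
if (getnameinfo(who, who_len, remote_host_name, sizeof(remote_host_name), 0, 0, NI_NUMERICHOST)) { syslog(...); *remote_host_name = 0; }
so the numeric address survives regardless of the -N setting.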