undo changes for termining target GSSAPI service name that avoided DNS

because Globus and Kerberos want to use DNS irrespective of DNS spoofing
concerns

diff --git a/openssh/canohost.c b/openssh/canohost.c
index b8d92b2891c543e493a187fea8cd0bc6266d90f7..77c75bb0cd06dcd153e96f392957ae9c53726896 100644 (file)
--- a/openssh/canohost.c
+++ b/openssh/canohost.c
@@ -360,74 +360,28 @@ get_local_port(void)
        return get_port(1);
 }
 
-/* If *host is a name for the loopback interface, try to change
-   it to local hostname (not necessarily fully-qualified). */
 void
-resolve_localhost(char **host)
+resolve_hostname(char **host)
 {
     struct hostent *hostinfo;
 
     hostinfo = gethostbyname(*host);
-    if (hostinfo &&
-       hostinfo->h_addrtype == AF_INET) {
+    if (hostinfo == NULL || hostinfo->h_name == NULL) {
+       debug("gethostbyname(%s) failed", *host);
+       return;
+    }
+    if (hostinfo->h_addrtype == AF_INET) { /* check for localhost */
        struct in_addr addr;
        addr = *(struct in_addr *)(hostinfo->h_addr);
        if (ntohl(addr.s_addr) == INADDR_LOOPBACK) {
            char buf[MAXHOSTNAMELEN];
-           if (gethostname(buf, sizeof(buf)) == 0) {
-               xfree(*host);
-               *host = xstrdup(buf);
-           }
-       }
-    }
-}
-
-/* A (hopefully) portable way to make a fully-qualified hostname for
-   GSSAPI authentication without relying on a potentially remote,
-   untrusted resolver.
-   Note: getdomainname() is not portable.
-*/
-void
-make_fqhn(char **host)
-{
-    char *domainname = NULL, *fqhn = NULL, myhn[MAXHOSTNAMELEN];
-    struct hostent *hent = NULL;
-    int i;
-
-    if (strchr(*host, '.')) {
-       return;                 /* already fully qualified */
-    }
-
-    /* Otherwise, figure out our local domainname without using
-       getdomainname(). */
-    if (gethostname(myhn, sizeof(myhn)) < 0) {
-       debug("gethostname() failed, can't convert %s to fqhn", *host);
-       return;
-    }
-    if ((domainname = strchr(myhn, '.')) == NULL) {
-       
-       /* Resolving our local hostname should be secure
-          (unlike resolving a remote hostname). */
-       if ((hent = gethostbyname(myhn)) != NULL) {
-           if ((domainname = strchr(hent->h_name, '.')) == NULL) {
-               for (i=0;
-                    hent->h_aliases[i] &&
-                        (domainname =
-                         strchr(hent->h_aliases[i], '.')) == NULL;
-                    i++);
+           if (gethostname(buf, sizeof(buf)) < 0) {
+               debug("gethostname() failed");
+               return;
            }
+           hostinfo = gethostbyname(buf);
        }
     }
-
-    if (domainname) {
-       domainname++;
-       fqhn = xmalloc(strlen(*host)+strlen(domainname)+2);
-       sprintf(fqhn, "%s.%s", *host, domainname);
-       xfree(*host);
-       *host = fqhn;
-       return;
-    }
-
-    debug("unable to determine fully-qualified local hostname");
-    return;
+    free(*host);
+    *host = strdup(hostinfo->h_name);
 }

diff --git a/openssh/canohost.h b/openssh/canohost.h
index e31e50aaa9632d69b26655139543612c86b6d594..66b952cc12c916af0d08968f2d29c395ea021ded 100644 (file)
--- a/openssh/canohost.h
+++ b/openssh/canohost.h
@@ -24,5 +24,4 @@ char          *get_local_name(int);
 int             get_remote_port(void);
 int             get_local_port(void);
 
-void            resolve_localhost(char **host);
-void            make_fqhn(char **host);
+void            resolve_hostname(char **host);

diff --git a/openssh/gss-genr.c b/openssh/gss-genr.c
index 334536e0ab19ad4bf69808908507debd929c8fae..b5fe5c4cfffe7867071fcef0741a5a92cfa4999a 100644 (file)
--- a/openssh/gss-genr.c
+++ b/openssh/gss-genr.c
@@ -453,13 +453,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) {
         * previous call to gethostbyname(). */ 
        xhost = xstrdup(host);
 
-       /* If xhost is the loopback interface, switch it to our
-          true local hostname. */
-       resolve_localhost(&xhost);
-
        /* Make sure we have the FQHN. Some GSSAPI implementations don't do
         * this for us themselves */
-       make_fqhn(&xhost);
+       resolve_hostname(&xhost);
 
         gssbuf.length = sizeof("host@")+strlen(xhost);
 

diff --git a/openssh/sshconnect1.c b/openssh/sshconnect1.c
index c7845a32461fc508f68c93ee3fa1f25647e80db0..20fcb5af0ee6e02b2203f71ab38a009dd8db956a 100644 (file)
--- a/openssh/sshconnect1.c
+++ b/openssh/sshconnect1.c
@@ -1051,13 +1051,9 @@ int try_gssapi_authentication(char *host, Options *options)
    * previous call to gethostbyname(). */      
   xhost = xstrdup(host);
 
-  /* If xhost is the loopback interface, switch it to our
-     true local hostname. */
-  resolve_localhost(&xhost);
-
   /* Make sure we have the FQHN. Some GSSAPI implementations don't do
    * this for us themselves */
-  make_fqhn(&xhost);
+  resolve_hostname(&xhost);
 
   /*
    * Default flags