On 4/15/07, Ehud Karni <[EMAIL PROTECTED]> wrote:
> On Sat, 14 Apr 2007 16:18:20 +1000, Amos Shapira wrote:
> >
> > That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since
> > they are passed from the client. Maybe a getpeername(2) on stdin/stdout can
> > be used as a more secure way to obtain the client's IP.
>
> You are mistaken. You can trust the SSH_CLIENT/SSH_CONNECTION, it is
> taken from the TCP stack, not from the client (same as getpeername).

Yes, I was thinking about this one. Assuming you do get SSH_CLIENT
passed to you by the client that connects, the fact he is passing you
anything means the client has already passed the authentication phase!
I would say that if it was a rogue client you now have bigger problems
than him faking his source IP address to worry about. This is to imply
that I trust the OpenSSH folks to not leave such obvious holes in
their software implementation and I assume SSH_CLIENT is safe to rely
on.

> Ehud.

Maxim.

--
Cheers,
Maxim Veksler
"Free as in Freedom" - Do u GNU ?
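
Added example, not part of the original thread: a Python sketch of how a script started by sshd (for instance a forced command) could read the peer address from SSH_CONNECTION, fall back to SSH_CLIENT, and check it against an allowlist. The names SshPeer, ssh_peer and client_allowed are hypothetical; the field layouts are the ones documented in ssh(1).

```python
# Added example with hypothetical helper names; not code from the thread.
import ipaddress
import os
from typing import Mapping, NamedTuple, Optional, Sequence


class SshPeer(NamedTuple):
    client_ip: object            # IPv4Address or IPv6Address
    client_port: int
    server_ip: Optional[object]  # None when only SSH_CLIENT is available
    server_port: int


def _addr(text: str):
    # Strip a zone id such as "%eth0" that a link-local IPv6 address may carry.
    addr = ipaddress.ip_address(text.split("%", 1)[0])
    # Unwrap ::ffff:a.b.c.d (IPv4 peer on a dual-stack socket) for IPv4 allowlists.
    return getattr(addr, "ipv4_mapped", None) or addr


def _port(text: str) -> int:
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {text!r}")
    return port


def ssh_peer(env: Mapping[str, str] = os.environ) -> Optional[SshPeer]:
    """Return the peer sshd recorded, or None when neither variable is set.

    The values mean something only in a process started by sshd; elsewhere
    the caller controls the environment. Malformed values raise ValueError.
    """
    conn = env.get("SSH_CONNECTION", "").split()  # client_ip client_port server_ip server_port
    if conn:
        if len(conn) != 4:
            raise ValueError("SSH_CONNECTION must have 4 fields")
        return SshPeer(_addr(conn[0]), _port(conn[1]), _addr(conn[2]), _port(conn[3]))
    legacy = env.get("SSH_CLIENT", "").split()    # client_ip client_port server_port
    if legacy:
        if len(legacy) != 3:
            raise ValueError("SSH_CLIENT must have 3 fields")
        return SshPeer(_addr(legacy[0]), _port(legacy[1]), None, _port(legacy[2]))
    return None


def client_allowed(peer: Optional[SshPeer], networks: Sequence[str]) -> bool:
    """True only if a peer was parsed and its address lies in an allowed network."""
    return peer is not None and any(
        peer.client_ip in ipaddress.ip_network(n) for n in networks)
```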