Re: showing full host names in output from who/finger/last

1999-04-12 Thread David Wolfskill
>Date: Sun, 11 Apr 1999 19:05:30 -0400 (EDT)
>From: Robert Watson 

>I'd actually like to see wtmp only use IP addresses, never hostnames. 

I would prefer to have that be an installation-selectable option, at
least.

>Spoofed names are fairly easy to arrange; with IP filtering on border
>routers, spoofed IPs are harder.  Besides which, connections are from IPs
>and not names.  :-)  This of course sticks you with the task of DNS
>lookups when viewing wtmp, when you may already have done them at login
>time.  Probably ideally, we'd have two variable length fields, one for a
>network-supplied source, and one for a transformed source such as name,
>display name (:0), etc.  But that requires modifying the record
>format, which is always a pain.

In my case, it's more because I expect the association of hostname <-> IP
address to be rather transient compared to the interval during which the
information might be useful:  although it may be of interest to know what
the hostname was at the time of the original event, it's more likely to
be useful for me to know the IP address at the time.  And merely because
I know one of those *now* doesn't mean that I necessarily know what the
other was *then*.

(And yes, this is more of a concern when investigating such things as
dropped (but logged) ICMP redirects targeted at some of our perimeter
hosts, for example.  I'm rather less concerned within our internal nets.)

Cheers,
david
-- 
David Wolfskill   UNIX System Administrator
d...@whistle.com   voice: (650) 577-7158   pager: (650) 371-4621


To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-current" in the body of the message



Re: showing full host names in output from who/finger/last

1999-04-12 Thread Robert Watson
On Mon, 12 Apr 1999, N wrote:

> Hi,
> 
> > I don't use the FreeBSD patched version, as I use the version with the
> > KerberosIV patches (unfortunately the FreeBSD port doesn't do that, but I
> > don't have time just now to make it do that :-). It seems to put the IP
> > address into the wtmp correctly. 
> 
> Are those patches freely available somewhere?

Niels,

Dug Song's kerberosiv patches are available at

http://www.monkey.org/~dugsong/ssh-afs-kerberos.html

He also has various other kerberos patches on his page there.  I submitted
a fix or two a little while ago to correct some problems with multi-homed
hosts.  I imagine they're in there at this point, but I haven't checked.

  Robert N Watson 

rob...@fledge.watson.org  http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University  http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services http://www.safeport.com/






Re: showing full host names in output from who/finger/last

1999-04-12 Thread Robert Watson
On Mon, 12 Apr 1999, Brian Somers wrote:

> [.]
> > I got sick of seeing "invalid hostname" in my wtmps a while ago on my 2.x
> > machines.  That is an exceptionally useless piece of behavior, if you ask
> > me.  Sshd writes out IPs and I find that to be much more consistent (and
> > useful).
> 
> Sshd gets it wrong though.  It gets the full hostname and then a 
> freebsd patch changes that to an IP if the name is >UT_HOSTSIZE.

I don't use the FreeBSD patched version, as I use the version with the
KerberosIV patches (unfortunately the FreeBSD port doesn't do that, but I
don't have time just now to make it do that :-). It seems to put the IP
address into the wtmp correctly. 

But anyhow; my preference is still to either a) using only IP addresses,
or b) using two fields, one for each.  Given that connections logically
come from IP addresses, performing a transformation based on an unreliable
insecure mechanism like DNS seems like a bad idea.  It's convenient to
look at (hence a look at option b).

  Robert N Watson 

rob...@fledge.watson.org  http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University  http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services http://www.safeport.com/






Re: showing full host names in output from who/finger/last

1999-04-12 Thread Brian Somers
[.]
> I got sick of seeing "invalid hostname" in my wtmps a while ago on my 2.x
> machines.  That is an exceptionally useless piece of behavior, if you ask
> me.  Sshd writes out IPs and I find that to be much more consistent (and
> useful).

Sshd gets it wrong though.  It gets the full hostname and then a 
freebsd patch changes that to an IP if the name is >UT_HOSTSIZE.

In -current, this behaviour has been changed to call trimdomain() 
(trimdomain() has just been documented too), and if the result still 
doesn't fit in UT_HOSTSIZE it reverts to an IP number.  This should 
be pretty consistent for all the stuff in libexec now too.

>   Robert N Watson 
> 
> rob...@fledge.watson.org  http://www.watson.org/~robert/
> PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
> 
> Carnegie Mellon University  http://www.cmu.edu/
> TIS Labs at Network Associates, Inc.  http://www.tis.com/
> Safeport Network Services http://www.safeport.com/

-- 
Brian 
     
Don't _EVER_ lose your sense of humour !  







Re: showing full host names in output from who/finger/last

1999-04-12 Thread Rahul Dhesi
Robert Watson  writes:

> I'd actually like to see wtmp only use IP addresses, never hostnames. 
> Spoofed names are fairly easy to arrange; with IP filtering on border
> routers, spoofed IPs are harder
> This of course sticks you with the task of DNS
> lookups when viewing wtmp, when you may already have done them at login
> time

The 'finger', 'who', and 'w' commands on the SunOS machines here all do
DNS lookups for longer hostnames, and it's rare that there is any
significant DNS lookup delay.  The reasons are simple:  The lookup was
done when the user logged in, so the DNS server has the answer in its
cache.  And even if not, if anybody did finger/who/w in the recent past,
that caused the answer to be brought into the name server's cache.

(I do run BIND with negative caching enabled, which probably helps keep
delays short for reverse lookups where some name server is not
responding.)

Rahul





Re: showing full host names in output from who/finger/last

1999-04-11 Thread Brian Somers
> For some years I have been using patched utilities under SunOS to show
> full host names in the output from the 'who', 'finger', and 'last'
> commands.  (Traditional UNIXes truncate host names to about 16
> characters.)
> 
> I have been thinking of patching FreeBSD programs to do the same, but
> since I have been updating my source tree often, it will be a bit
> painful to maintain my changes through the updates.  So I will do it
> only if the FreeBSD developers would be willing to incorporate my
> changes into the official FreeBSD source tree.  Below is what I would 
> do -- tell me if it could be made a part of FreeBSD.
> 
> - Update all programs that write to utmp and wtmp to check the host name
>   length, and if it's too long, insert the IP address instead

I've been doing this in current in the last few days.  There's now a 
new function in libutil called realhostname().  You pass it a maximum 
fields size (UT_HOSTSIZE?).  If it can fit the gethostbyaddr() result 
into the field, AND that name resolves back to the same IP number, 
the full host name is used, otherwise the IP number is used.

The trimdomain() function has also been fixed and documented.

I believe all the stuff in libexec now works and I've just committed 
some ssh patches that'll do the same for sshd.

> - Update all of the above programs, if they accept a host name on the
>   command line, to also accept an additional argument that specifies
>   the IP address.
> - Update all programs that invoke the above programs and supply a
>   host name to also supply the IP address.

I think the host name that's passed should be considered correct.  
However, if it doesn't fit in the ut_host field, a gethostbyname() is 
required.  Passing an IP number would therefore probably be a quite 
good addition if it avoids that call.

> - Update all programs that look up wtmp and utmp such that, if they find
>   an IP address, they do a double-reverse DNS resolution (IP address ->
>   fqdn -> IP address) and, if successful and consistent, display the
>   host name instead of the IP address.  The user may if he wishes supply
>   a command-line argument to suppress the reverse resolution and cause
>   the IP address to be displayed directly.

I'd agree with Matt here - don't make the default suddenly require 
lookups, but I'd say that if a lookup is being done, it should be a 
correct double lookup (realhostname() from libutil).

> For example, rlogind might invoke /usr/bin/login as:
> 
>/usr/bin/login -h 98.portland-23-24rs.or.dial-access.att.net -i 
> 12.73.137.98
> 
> /usr/bin/login notices that the host name is too long, inserts
> 12.73.137.98 into utmp and wtmp.  If no -i argument is available,
> /usr/bin/login would do a forward DNS resolution of the host name to get
> the IP address.

Yep.  This sounds pretty rational.

> Below are samples from the 'last' and 'finger' commands with only the
> really long host names included and some information x'd out to protect
> user privacy.  (Obviously columnar alignment doesn't work as well for
> very long host names, but only a small fraction are that long.  The rest
> will display normally in aligned columns.)
> 
> == output from 'finger' ==
> LoginName   Idle   When Where
> xx   xx7  Apr  9 13:14  kaibab.redbacknetworks.com
> xxx  xxx  Apr 10 16:37  dyn164.rahul.net
>    8  Apr 10 16:48  c166.ppp.tsoft.com
> xxxx  Apr  9 23:35  cxxx-x.x.occa.home.com
> x *   10  Apr 10 16:44  01-025.006.popsite.net
> 
> == output from 'last' ==
> xxx   s1  98.portland-23-24rs.or.dial-access.att.net Sat Apr 10 16:50 - 16:50  (00:00)
> xxrd  oak-hiper1b-145-145.dialup.slip.net Sat Apr 10 16:48 - 16:51  (00:03)
>   p6  netcom14.netcom.com Sat Apr 10 15:36 - 15:39  (00:03)
> x s2  adsl-xxx-xxx-xxx-10.dsl.snfc21.pacbell.net Sat Apr 10 13:51 - 13:52  (00:00)
>   sb  tnt9-xxx-xxx-17-189.dialup.HiWAAY.net Sat Apr 10 12:54 - 14:54  (02:00)
> xxs2  oak-hiper1a-15-79.dialup.slip.net Sat Apr 10 12:37 - 12:40  (00:02)
>   r2  dnai-207-181-255-82.dialup.dnai.com Sat Apr 10 11:41 - 13:58  (02:17)
> xxx   q8  sdn-ar-001casfraP195.dialsprint.net Sat Apr 10 08:28 - 13:30  (05:01)
> == END ==

This is fine for ``w'' as I believe it already does the lookup.  But 
in the ``who'' and ``last'' cases, they should display the contents 
of ut_host by default unless some consistent option is used - it's a 
pity that this is the opposite of the -n option to route/netstat and 
probably others :-(

I'll review & commit your changes when you've got them done if you 
haven't already got someone.
-- 
Brian 
     
Don't _EVER_ lose your sense of humour !   
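The realhostname()-style check Brian describes above (reverse-resolve the address, accept the name only if it resolves back to the same address, apply a trimdomain()-style suffix strip, and fall back to the IP when the result still does not fit in UT_HOSTSIZE), written out as an added example. It is not FreeBSD's libutil code: the resolver is a hypothetical pluggable struct (reverse/forward callbacks), the names eq_nocase, trim_domain, fake_zone, fake_uses_name and fake_field_is are this example's own, and the lookups run against a constructed offline zone on TEST-NET-1 addresses (one of the long names is taken from Rahul's sample 'last' output). A live version would plug in getnameinfo(3) with NI_NAMEREQD and getaddrinfo(3) in place of the two fake callbacks.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UT_HOSTSIZE 16  /* historic BSD ut_host width, as discussed in the thread */

/* Reverse lookup fills name for ip and returns 0 on success; forward lookup
 * returns 1 if name resolves to ip. Both are pluggable (a hypothetical
 * interface, not libutil's) so the logic can run against an offline zone. */
typedef int (*rev_fn)(const char *ip, char *name, size_t len);
typedef int (*fwd_fn)(const char *name, const char *ip);
struct resolver { rev_fn reverse; fwd_fn forward; const char *localdomain; };

static int eq_nocase(const char *a, const char *b)  /* DNS names are case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* trimdomain(3)-style: strip the local domain suffix so short local names fit. */
static void trim_domain(char *host, const char *localdomain)
{
    size_t hl = strlen(host), dl = localdomain ? strlen(localdomain) : 0;
    if (dl && hl > dl + 1 && host[hl - dl - 1] == '.' &&
        eq_nocase(host + hl - dl, localdomain))
        host[hl - dl - 1] = '\0';
}

/* realhostname()-style decision; out must hold hsize + 1 bytes. Returns 1 when
 * out carries a name that resolved back to ip and fits, 0 when it carries ip. */
int real_hostname(const struct resolver *r, const char *ip, char *out, size_t hsize)
{
    char name[256];
    if (r->reverse(ip, name, sizeof name) != 0)   /* no PTR record */
        goto use_ip;
    if (!r->forward(name, ip))                    /* PTR not confirmed by an A record */
        goto use_ip;
    trim_domain(name, r->localdomain);
    if (strlen(name) > hsize)                     /* still too long for ut_host */
        goto use_ip;
    memcpy(out, name, strlen(name) + 1);
    return 1;
use_ip:
    snprintf(out, hsize + 1, "%s", ip);
    return 0;
}

/* Constructed offline zone (TEST-NET-1): the PTR for each ip, and the address
 * that PTR name's own A record returns. */
static const struct { const char *ip, *ptr, *a; } fake_zone[] = {
    { "192.0.2.10", "gw.example.org", "192.0.2.10" },       /* consistent, trims to "gw" */
    { "192.0.2.20", "98.portland-23-24rs.or.dial-access.att.net",
                    "192.0.2.20" },                          /* consistent, but too long */
    { "192.0.2.30", "trusted.example.org", "192.0.2.99" },  /* PTR not confirmed by A */
    { "192.0.2.40", NULL, NULL },                            /* no PTR at all */
};
#define ZONE_LEN (sizeof fake_zone / sizeof fake_zone[0])

static int fake_reverse(const char *ip, char *name, size_t len)
{
    size_t i;
    for (i = 0; i < ZONE_LEN; i++)
        if (fake_zone[i].ptr && strcmp(fake_zone[i].ip, ip) == 0) {
            snprintf(name, len, "%s", fake_zone[i].ptr);
            return 0;
        }
    return -1;
}
static int fake_forward(const char *name, const char *ip)
{
    size_t i;
    for (i = 0; i < ZONE_LEN; i++)
        if (fake_zone[i].ptr && eq_nocase(fake_zone[i].ptr, name))
            return strcmp(fake_zone[i].a, ip) == 0;
    return 0;
}
const struct resolver fake_resolver = { fake_reverse, fake_forward, "example.org" };

/* Checkable wrappers: is ip recorded as a verified name, and what lands in ut_host? */
int fake_uses_name(const char *ip)
{
    char out[UT_HOSTSIZE + 1];
    return real_hostname(&fake_resolver, ip, out, UT_HOSTSIZE);
}
int fake_field_is(const char *ip, const char *expect)
{
    char out[UT_HOSTSIZE + 1];
    real_hostname(&fake_resolver, ip, out, UT_HOSTSIZE);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    size_t i;
    for (i = 0; i < ZONE_LEN; i++) {
        char out[UT_HOSTSIZE + 1];
        int named = real_hostname(&fake_resolver, fake_zone[i].ip, out, UT_HOSTSIZE);
        printf("%-11s -> ut_host=\"%s\" (%s)\n", fake_zone[i].ip, out,
               named ? "verified name" : "IP address kept");
    }
    return 0;
}
```

The third zone entry is the case Robert's objection is about: a PTR record under the peer's control claims a name in the local domain that would fit after trimming, but the name's own A record does not point back at the connecting address, so the IP is recorded instead of the name.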

Re: showing full host names in output from who/finger/last

1999-04-11 Thread Robert Watson
On Sat, 10 Apr 1999, Rahul Dhesi wrote:

> For some years I have been using patched utilities under SunOS to show
> full host names in the output from the 'who', 'finger', and 'last'
> commands.  (Traditional UNIXes truncate host names to about 16
> characters.)
> 
> I have been thinking of patching FreeBSD programs to do the same, but
> since I have been updating my source tree often, it will be a bit
> painful to maintain my changes through the updates.  So I will do it
> only if the FreeBSD developers would be willing to incorporate my
> changes into the official FreeBSD source tree.  Below is what I would 
> do -- tell me if it could be made a part of FreeBSD.
> 
> - Update all programs that write to utmp and wtmp to check the host name
>   length, and if it's too long, insert the IP address instead

Hi there.

I'd actually like to see wtmp only use IP addresses, never hostnames. 
Spoofed names are fairly easy to arrange; with IP filtering on border
routers, spoofed IPs are harder.  Besides which, connections are from IPs
and not names.  :-)  This of course sticks you with the task of DNS
lookups when viewing wtmp, when you may already have done them at login
time.  Probably ideally, we'd have two variable length fields, one for a
network-supplied source, and one for a transformed source such as name,
display name (:0), etc.  But that requires modifying the record
format, which is always a pain.

I got sick of seeing "invalid hostname" in my wtmps a while ago on my 2.x
machines.  That is an exceptionally useless piece of behavior, if you ask
me.  Sshd writes out IPs and I find that to be much more consistent (and
useful).

  Robert N Watson 

rob...@fledge.watson.org  http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University  http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services http://www.safeport.com/






Re: showing full host names in output from who/finger/last

1999-04-10 Thread Matthew Dillon

:For some years I have been using patched utilities under SunOS to show
:full host names in the output from the 'who', 'finger', and 'last'
:commands.  (Traditional UNIXes truncate host names to about 16
:characters.)
:
:I have been thinking of patching FreeBSD programs to do the same, but
:since I have been updating my source tree often, it will be a bit
:painful to maintain my changes through the updates.  So I will do it
:only if the FreeBSD developers would be willing to incorporate my
:changes into the official FreeBSD source tree.  Below is what I would 
:do -- tell me if it could be made a part of FreeBSD.
:
:- Update all programs that write to utmp and wtmp to check the host name
:  length, and if it's too long, insert the IP address instead
:- Update all of the above programs, if they accept a host name on the
:  command line, to also accept an additional argument that specifies
:  the IP address.
:- Update all programs that invoke the above programs and supply a
:  host name to also supply the IP address.
:- Update all programs that look up wtmp and utmp such that, if they find
:  an IP address, they do a double-reverse DNS resolution (IP address ->
:  fqdn -> IP address) and, if successful and consistent, display the
:  host name instead of the IP address.  The user may if he wishes supply
:  a command-line argument to suppress the reverse resolution and cause
:  the IP address to be displayed directly.

This sounds just dandy.  Note that 'w' already does a reverse lookup,
but not a double-reverse.

For some programs, like 'last', it is not convenient to do the DNS lookup
by default - in this case you would want to supply an option to 'last' to
make it do the lookups.  The reason you do not want to do it by default
with 'last' is that wtmp can be huge and many people run 'last' output
through greps from cron and expect it to not take forever.

As long as we don't mess with the size of the utmp or wtmp structure,
which by the above I believe you mean to say that we don't... then I'm
all for it!

-Matt
Matthew Dillon 



