Date: Tue, 16 Jun 2009 17:23:26 -0400
From: Ed Ravin <eravin@panix.com>
To: krb5-bugs@mit.edu
Subject: krb-1.7 kadmind not logging IP address of requests
Using NetBSD 5.0 on Intel. Upgraded from krb5-1.6.3 with patches to
krb5-1.7. kadmind logging now looks like this:

Jun 16 16:35:36 juggler.panix.com kadmind[14915](Notice): chpw request from <unprintable> for elr@PANIX.COM: success

Looked a little deeper - it's this code in src/kadmin/server/schpw.c
that is kicking in:

    if (getnameinfo(ss2sa(&ss), salen,
                    addrbuf, sizeof(addrbuf), NULL, 0,
                    NI_NUMERICHOST | NI_NUMERICSERV) != 0)
        strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));

And the return code from getnameinfo was 4 (name resolution failure).

I'm confused by this code, which appears in several spots in krb5 - it
seems to disable logging of source IP addresses of requests if there's
a local resolution error? Why not just show the IP address and leave it
at that?

My build process gave these flags to ./configure (same as what we used for
previous versions):

configflags="\
--prefix=/pkg/$PRODUCT \
--mandir=/pkg/$PRODUCT/man \
CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2' \
--sysconfdir=/etc/kerberosV \
--localstatedir=/var \
--libdir=/pkg/$PRODUCT/kerblib \
--enable-shared \
"

krb5-config info:

-I/pkg/krb5-1.7/include
-L/pkg/krb5-1.7/kerblib -R/pkg/krb5-1.7/kerblib -lkrb5 -lk5crypto -lcom_err -lresolv

Thanks,

-- Ed
From: Ken Raeburn <raeburn@MIT.EDU>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6513] krb-1.7 kadmind not logging IP address of requests
Date: Tue, 16 Jun 2009 20:18:23 -0400
On Jun 16, 2009, at 18:08, Ed Ravin via RT wrote:
> Looked a little deeper - it's this code in src/kadmin/server/schpw.c
> that is kicking in:
>
> if (getnameinfo(ss2sa(&ss), salen,
> addrbuf, sizeof(addrbuf), NULL, 0,
> NI_NUMERICHOST | NI_NUMERICSERV) != 0)
> strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));
>
> And the return code from getnameinfo was 4 (name resolution failure).

Since NI_NUMERICHOST means to return the numeric form of the host
address and not look up a name, and NI_NUMERICSERV means to do
likewise for the service/port, this sounds like a bug. Though, when
no buffer for the service name is supplied, it is kind of odd to be
passing the NI_NUMERICSERV flag. However, "name resolution failure"
is kind of a strange way to complain about it. I just tried this
little test program on my netbsd 5.0 system and it seems to work fine,
printing out the address as "10.10.10.10":

#include <netdb.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* 10.10.10.10, port 47; sin_len is the BSD sockaddr length field */
struct sockaddr_in s = {
    .sin_len = sizeof(s), .sin_family = AF_INET,
    .sin_addr = { .s_addr = 0x0a0a0a0a }, .sin_port = 47,
};
char addrbuf[NI_MAXHOST];

int main(void)
{
    /* numeric host only; no service buffer is passed */
    int r = getnameinfo((struct sockaddr *)&s, sizeof s, addrbuf,
                        sizeof(addrbuf),
                        NULL, 0, NI_NUMERICHOST | NI_NUMERICSERV);
    printf("retval=%d/%s addrbuf=%s\n", r, gai_strerror(r), addrbuf);
    return 0;
}

Perhaps something else is amiss, like salen or ss.ss_len being
incorrect and getnameinfo being picky? Or it's unhappy about some
other field in a sockaddr_in6 structure?

> I'm confused by this code, which appears in several spots in krb5 - it
> seems to disable logging of source IP addresses of requests if there's
> a local resolution error? Why not just show the IP address and
> leave it
> at that?

We are, in fact, trying to do that.

--
Ken Raeburn / raeburn@mit.edu / no longer at MIT Kerberos Consortium