diff options
| author | peter <peter@FreeBSD.org> | 1998-12-16 07:20:45 +0000 |
|---|---|---|
| committer | peter <peter@FreeBSD.org> | 1998-12-16 07:20:45 +0000 |
| commit | b811a3806f179839235ab91554fd7c30ddb75d1c (patch) | |
| tree | 6ffc10269543127071e3d2a01cd40212590f813f /libexec/rshd/rshd.8 | |
| parent | 41b0bb1bb12a5cf89887a608007adf57417e440f (diff) | |
| download | FreeBSD-src-b811a3806f179839235ab91554fd7c30ddb75d1c.zip FreeBSD-src-b811a3806f179839235ab91554fd7c30ddb75d1c.tar.gz | |
As previously threatened, clean up the rshd -a option and make it default
on rshd and rlogind. However, note that:
1: rshd used to drop a connection with -a if the hostname != ip address.
This is unneeded, because iruserok() does it's own checking.
It was also wrong if .rhosts had an explicit IP address in it,
connections would be dropped from that host solely because the DNS was
mismatched even though it was explicitly intended to work by IP address.
2: rlogind and rshd check the hostname mappings by default now because that
is what goes into the utmp/wtmp and logs. If the hostname != ip address,
then it uses the IP address for logging/utmp/wtmp purposes. There isn't
much point logging ficticious hostnames.
3: rshd -a is now accepted (but ignored) for compatability. If you really
want to make life miserable for people with bad reverse DNS, use tcpd in
paranoid mode (which is questionable anyway, given DNS ttl tweaking).
Diffstat (limited to 'libexec/rshd/rshd.8')
| -rw-r--r-- | libexec/rshd/rshd.8 | 14 |
1 files changed, 3 insertions, 11 deletions
diff --git a/libexec/rshd/rshd.8 b/libexec/rshd/rshd.8 index 0fc7b1c..314f3fe 100644 --- a/libexec/rshd/rshd.8 +++ b/libexec/rshd/rshd.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" @(#)rshd.8 8.1 (Berkeley) 6/4/93 -.\" $Id: rshd.8,v 1.12 1998/12/01 23:27:24 dg Exp $ +.\" $Id: rshd.8,v 1.13 1998/12/03 05:45:18 bde Exp $ .\" .Dd June 4, 1993 .Dt RSHD 8 @@ -88,17 +88,9 @@ and requests the corresponding host name (see .Xr hosts 5 and .Xr named 8 ). -If the hostname cannot be determined, +If the hostname cannot be determined or the hostname and address do +not match after verification, the dot-notation representation of the host address is used. -If the hostname is in the same domain as the server (according to -the last two components of the domain name), -or if the -.Fl a -option is given, -the addresses for the hostname are requested, -verifying that the name and address correspond. -If address verification fails, the connection is aborted -with the message: ``Host address mismatch.''. .It A null terminated user name of at most 16 characters is retrieved on the initial socket. This user name |
