openssh/openssh-6.6p1-audit8-libaudit_dns_timeouts.patch

# bnc#752354, bnc#757360
# prevent timeouts in libaudit code caused by DNS misconfiguration by
# explicitely disabling DNS lookups in libaudit when UseDNS is false.
# Note that this particular solution causes the logs to always contain
# "hostname=?, addr=?" when DNS lookups are disabled.

diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c
--- a/openssh-6.6p1/audit-linux.c
+++ b/openssh-6.6p1/audit-linux.c
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 		    errno == EAFNOSUPPORT)
 			return; /* No audit support in kernel */
 		else
 			goto fatal_report; /* Must prevent login */
 	}
 	rc = audit_log_acct_message(audit_fd, event,
 	    NULL, "login", username ? username : "(unknown)",
-	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+	    username == NULL ? uid : -1, options.use_dns ? hostname : NULL, ip, ttyn, success);
 	saved_errno = errno;
 	close(audit_fd);
 	/*
 	 * Do not report error if the error is EPERM and sshd is run as non
 	 * root user.
 	 */
 	if ((rc == -EPERM) && (geteuid() != 0))
 		rc = 0;
@@ -114,17 +114,17 @@ linux_audit_user_auth(int uid, const cha
 			goto fatal_report; /* Must prevent login */
 	}
 	
 	if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
 		event = SSH_AUDIT_UNKNOWN;
 
 	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
 	    NULL, event_name[event], username ? username : "(unknown)",
-	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+	    username == NULL ? uid : -1, options.use_dns ? hostname : NULL, ip, ttyn, success);
 	saved_errno = errno;
 	close(audit_fd);
 	/*
 	 * Do not report error if the error is EPERM and sshd is run as non
 	 * root user.
 	 */
 	if ((rc == -EPERM) && (geteuid() != 0))
 		rc = 0;
restore factory state, so we can fix bugs. old stuff is still in the old revisions OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=98 2016-04-06 13:34:51 +02:00			`# bnc#752354, bnc#757360`
			`# prevent timeouts in libaudit code caused by DNS misconfiguration by`
			`# explicitely disabling DNS lookups in libaudit when UseDNS is false.`
			`# Note that this particular solution causes the logs to always contain`
			`# "hostname=?, addr=?" when DNS lookups are disabled.`

			`diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c`
			`--- a/openssh-6.6p1/audit-linux.c`
			`+++ b/openssh-6.6p1/audit-linux.c`
			`@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c`
			`if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|`
			`errno == EAFNOSUPPORT)`
			`return; /* No audit support in kernel */`
			`else`
			`goto fatal_report; /* Must prevent login */`
			`}`
			`rc = audit_log_acct_message(audit_fd, event,`
			`NULL, "login", username ? username : "(unknown)",`
			`- username == NULL ? uid : -1, hostname, ip, ttyn, success);`
			`+ username == NULL ? uid : -1, options.use_dns ? hostname : NULL, ip, ttyn, success);`
			`saved_errno = errno;`
			`close(audit_fd);`
			`/*`
			`* Do not report error if the error is EPERM and sshd is run as non`
			`* root user.`
			`*/`
			`if ((rc == -EPERM) && (geteuid() != 0))`
			`rc = 0;`
			`@@ -114,17 +114,17 @@ linux_audit_user_auth(int uid, const cha`
			`goto fatal_report; /* Must prevent login */`
			`}`

			`if ((event < 0) \|\| (event > SSH_AUDIT_UNKNOWN))`
			`event = SSH_AUDIT_UNKNOWN;`

			`rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,`
			`NULL, event_name[event], username ? username : "(unknown)",`
			`- username == NULL ? uid : -1, hostname, ip, ttyn, success);`
			`+ username == NULL ? uid : -1, options.use_dns ? hostname : NULL, ip, ttyn, success);`
			`saved_errno = errno;`
			`close(audit_fd);`
			`/*`
			`* Do not report error if the error is EPERM and sshd is run as non`
			`* root user.`
			`*/`
			`if ((rc == -EPERM) && (geteuid() != 0))`
			`rc = 0;`