From 341ecdb33ac371d0efcfe428719fdf627ab253c2 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Mar 2016 11:44:45 +0100 Subject: [PATCH 19/26] Applied vsftpd-3.0.2-lookup.patch --- parseconf.c | 1 + sysdeputil.c | 14 +++++++++----- tunables.c | 2 ++ tunables.h | 1 + vsftpd.conf.5 | 9 +++++++++ 5 files changed, 22 insertions(+), 5 deletions(-) diff --git a/parseconf.c b/parseconf.c index 30df598..3e0dba4 100644 --- a/parseconf.c +++ b/parseconf.c @@ -91,6 +91,7 @@ parseconf_bool_array[] = { "mdtm_write", &tunable_mdtm_write }, { "lock_upload_files", &tunable_lock_upload_files }, { "pasv_addr_resolve", &tunable_pasv_addr_resolve }, + { "reverse_lookup_enable", &tunable_reverse_lookup_enable }, { "userlist_log", &tunable_userlist_log }, { "debug_ssl", &tunable_debug_ssl }, { "require_cert", &tunable_require_cert }, diff --git a/sysdeputil.c b/sysdeputil.c index 3bbabaa..2063c87 100644 --- a/sysdeputil.c +++ b/sysdeputil.c @@ -354,12 +354,16 @@ vsf_sysdep_check_auth(struct mystr* p_user_str, return 0; } #ifdef PAM_RHOST - sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host)); - host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET); - if (host != (struct hostent*)0) - retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name); - else + if (tunable_reverse_lookup_enable) { + sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host)); + host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET); + if (host != (struct hostent*)0) + retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name); + else + retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); + } else { retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); + } if (retval != PAM_SUCCESS) { (void) pam_end(s_pamh, retval); diff --git a/tunables.c b/tunables.c index b30fca1..c737465 100644 --- a/tunables.c +++ b/tunables.c @@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl; int tunable_mdtm_write; int tunable_lock_upload_files; int tunable_pasv_addr_resolve; +int tunable_reverse_lookup_enable; int tunable_userlist_log; int tunable_debug_ssl; int tunable_require_cert; @@ -213,6 +214,7 @@ tunables_load_defaults() tunable_mdtm_write = 1; tunable_lock_upload_files = 1; tunable_pasv_addr_resolve = 0; + tunable_reverse_lookup_enable = 1; tunable_userlist_log = 0; tunable_debug_ssl = 0; tunable_require_cert = 0; diff --git a/tunables.h b/tunables.h index e44d64c..9553038 100644 --- a/tunables.h +++ b/tunables.h @@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */ extern int tunable_lock_upload_files; /* Lock uploading files */ extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */ +extern int tunable_reverse_lookup_enable; /* Get hostname before pam auth */ extern int tunable_userlist_log; /* Log every failed login attempt */ extern int tunable_debug_ssl; /* Verbose SSL logging */ extern int tunable_require_cert; /* SSL client cert required */ diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 index 72bb86f..fb6324e 100644 --- a/vsftpd.conf.5 +++ b/vsftpd.conf.5 @@ -425,6 +425,15 @@ http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html Default: YES .TP +.B reverse_lookup_enable +Set to YES if you want vsftpd to transform the ip address into the hostname, +before pam authentication. This is useful if you use pam_access including the +hostname. If you want vsftpd to run on the environment where the reverse lookup +for some hostname is available and the name server doesn't respond for a while, +you should set this to NO to avoid a performance issue. + +Default: YES +.TP .B run_as_launching_user Set to YES if you want vsftpd to run as the user which launched vsftpd. This is useful where root access is not available. MASSIVE WARNING! Do NOT enable this -- 2.5.0