From 721de88621100f6ed33f1602415bc249f3ed3219 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 10:22:32 +0100
Subject: [PATCH 19/33] Introduce reverse_lookup_enable option.
vsftpd can transform IP address into hostname before
PAM authentication. You can disable it to prevent
performance issues.
---
parseconf.c | 1 +
sysdeputil.c | 14 +++++++++-----
tunables.c | 2 ++
tunables.h | 1 +
vsftpd.conf.5 | 9 +++++++++
5 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/parseconf.c b/parseconf.c
index 30df598..3e0dba4 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -91,6 +91,7 @@ parseconf_bool_array[] =
{ "mdtm_write", &tunable_mdtm_write },
{ "lock_upload_files", &tunable_lock_upload_files },
{ "pasv_addr_resolve", &tunable_pasv_addr_resolve },
+ { "reverse_lookup_enable", &tunable_reverse_lookup_enable },
{ "userlist_log", &tunable_userlist_log },
{ "debug_ssl", &tunable_debug_ssl },
{ "require_cert", &tunable_require_cert },
diff --git a/sysdeputil.c b/sysdeputil.c
index 3bbabaa..2063c87 100644
--- a/sysdeputil.c
+++ b/sysdeputil.c
@@ -354,12 +354,16 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
return 0;
}
#ifdef PAM_RHOST
- sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
- host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET);
- if (host != (struct hostent*)0)
- retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
- else
+ if (tunable_reverse_lookup_enable) {
+ sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
+ host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET);
+ if (host != (struct hostent*)0)
+ retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
+ else
+ retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
+ } else {
retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
+ }
if (retval != PAM_SUCCESS)
{
(void) pam_end(s_pamh, retval);
diff --git a/tunables.c b/tunables.c
index b30fca1..c737465 100644
--- a/tunables.c
+++ b/tunables.c
@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl;
int tunable_mdtm_write;
int tunable_lock_upload_files;
int tunable_pasv_addr_resolve;
+int tunable_reverse_lookup_enable;
int tunable_userlist_log;
int tunable_debug_ssl;
int tunable_require_cert;
@@ -213,6 +214,7 @@ tunables_load_defaults()
tunable_mdtm_write = 1;
tunable_lock_upload_files = 1;
tunable_pasv_addr_resolve = 0;
+ tunable_reverse_lookup_enable = 1;
tunable_userlist_log = 0;
tunable_debug_ssl = 0;
tunable_require_cert = 0;
diff --git a/tunables.h b/tunables.h
index e44d64c..9553038 100644
--- a/tunables.h
+++ b/tunables.h
@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */
extern int tunable_lock_upload_files; /* Lock uploading files */
extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */
+extern int tunable_reverse_lookup_enable; /* Get hostname before pam auth */
extern int tunable_userlist_log; /* Log every failed login attempt */
extern int tunable_debug_ssl; /* Verbose SSL logging */
extern int tunable_require_cert; /* SSL client cert required */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 72bb86f..fb6324e 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -425,6 +425,15 @@ http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
Default: YES
.TP
+.B reverse_lookup_enable
+Set to YES if you want vsftpd to transform the ip address into the hostname,
+before pam authentication. This is useful if you use pam_access including the
+hostname. If you want vsftpd to run on the environment where the reverse lookup
+for some hostname is available and the name server doesn't respond for a while,
+you should set this to NO to avoid a performance issue.
+
+Default: YES
+.TP
.B run_as_launching_user
Set to YES if you want vsftpd to run as the user which launched vsftpd. This is
useful where root access is not available. MASSIVE WARNING! Do NOT enable this
--
2.7.4