Bug 2796 - get client ip from environment instead of log
Status: CLOSED FIXED
: ThinLinc
VSM Server
: pre-1.0
: PC All
: P2 Enhancement
: 4.6.0
: 4749
Reported: 2008-05-22 16:05 by
Modified: 2016-12-05 12:05 (History)
Description From cendio 2008-05-22 16:05:18
Currently we try to parse the system log file to figure out the ip address of
the connecting client. This is of course a bit error prone. Now that we have
our thinlinc-login based system, we could instead look at the SSH_CLIENT
environment variable.
------- Comment #1 From cendio 2010-08-26 10:46:54 -------
A major drawback with the log parsing approach is that it doesn't work with
smartcard/autologin. In this case, what ends up in the log is something like
"Accepted publickey for serialNumber=197703012570,givenName=Peter Alf
G\c3\b6ran,sn=\c3\85strand,cn=Peter \c3\85strand,c=SE from 1.2.3.4", but
vsmserver is of course looking for the normal user name.

Letting thinlinc-login submit the SSH_CLIENT environment variable is a quite
nice solution, but one drawback is that we would start trusting data submitted
by a user process. A malicious user could change SSH_CLIENT. 

Another option might be to use netstat somehow. 
------- Comment #2 From cendio 2012-02-16 14:09:13 -------
*** Bug 4215 has been marked as a duplicate of this bug. ***
------- Comment #3 From cendio 2013-08-19 11:01:20 -------
Fedora is getting rid of log files, making this more important:

https://fedoraproject.org/wiki/Changes/NoDefaultSyslog
------- Comment #4 From cendio 2013-12-03 21:00:38 -------
One solution would be bug 2796.
------- Comment #5 From cendio 2013-12-03 21:01:06 -------
(In reply to comment #4)
> One solution would be bug 2796.

Ignore that; belongs to 4925.
------- Comment #8 From cendio 2015-12-17 12:20:03 -------
Still need to cleanup unused class BackwardsReader from ctccommon and the
existence of /vsmserver/sshd_log_files
------- Comment #9 From cendio 2015-12-17 12:23:18 -------
(In reply to comment #8)
> Still need to cleanup unused class BackwardsReader from ctccommon and the
> existence of /vsmserver/sshd_log_files

Following needs attention regarding sshd_log_files:

  autotests/vsm/test_loginhandler_common.py
  doc/external/configuration.xml
  vsm/vsmserver.hconf
------- Comment #12 From cendio 2015-12-17 14:50:10 -------
(In reply to comment #9)
> (In reply to comment #8)
> > Still need to cleanup unused class BackwardsReader from ctccommon and the
> > existence of /vsmserver/sshd_log_files
> 
> Following needs attention regarding sshd_log_files:
> 
>   autotests/vsm/test_loginhandler_common.py
>   doc/external/configuration.xml
>   vsm/vsmserver.hconf

Cleanup in commit r31038
------- Comment #14 From cendio 2015-12-17 14:54:00 -------
(In reply to comment #8)
> Still need to cleanup unused class BackwardsReader from ctccommon and the
> existence of /vsmserver/sshd_log_files

BackwardsReader was removed in commit r31039.
------- Comment #17 From cendio 2015-12-18 13:24:17 -------
Works nicely. Tested the native client, reconnect and reconnect from the HTML
client (clears the client ip). I also tested IPv6 which also worked fine.
------- Comment #18 From cendio 2015-12-21 09:25:06 -------
SSH_CLIENT is deprecated and undocumented:

# rpm -ql `rpm -qa | grep -i openssh` | xargs zgrep SSH_CLIENT
/usr/sbin/sshd:Binär fil (standard in) matchar

From session.c:

    /* SSH_CLIENT deprecated */
    snprintf(buf, sizeof buf, "%.50s %d %d",
        get_remote_ipaddr(), get_remote_port(), get_local_port());
    child_set_env(&env, &envsize, "SSH_CLIENT", buf);

Use SSH_CONNECTION instead.
------- Comment #19 From cendio 2015-12-21 11:07:43 -------
(In reply to comment #18)
> SSH_CLIENT is deprecated and undocumented:
> 
> # rpm -ql `rpm -qa | grep -i openssh` | xargs zgrep SSH_CLIENT
> /usr/sbin/sshd:Binär fil (standard in) matchar
> 
> From session.c:
> 
>     /* SSH_CLIENT deprecated */
>     snprintf(buf, sizeof buf, "%.50s %d %d",
>         get_remote_ipaddr(), get_remote_port(), get_local_port());
>     child_set_env(&env, &envsize, "SSH_CLIENT", buf);
> 
> Use SSH_CONNECTION instead.

Found the bug that aims for deprecating SSH_CLIENT in favor of SSH_CONNECTION:

https://bugzilla.mindrot.org/show_bug.cgi?id=384

This points to the reasoning behind moving away from SSH_CLIENT to
SSH_CONNECTION.

It looks like we should follow the lead and use SSH_CONNECTION instead of
SSH_CLIENT.

PS. I also found that dropbear also uses SSH_CONNECTION.
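
An added example, not part of the bug thread and not ThinLinc's own code: one way to read the client address from SSH_CONNECTION (four space-separated fields: client IP, client port, server IP, server port), falling back to the deprecated SSH_CLIENT layout shown in the session.c excerpt above. The names parse_client_ip and LAYOUTS and all sample values are assumptions made for illustration; since the variable is supplied by a user process, the parser accepts only well-formed values and returns a normalized address object instead of the raw string.

```python
import ipaddress

# Field layouts: "a" = IP address, "p" = TCP port.
# SSH_CONNECTION: client_ip client_port server_ip server_port
# SSH_CLIENT (deprecated): client_ip client_port server_port
LAYOUTS = (("SSH_CONNECTION", "apap"), ("SSH_CLIENT", "app"))


def _parse_addr(text):
    """Return a normalized address object, or None if text is not an IP."""
    host = text.partition("%")[0]  # drop an IPv6 zone id such as %eth0
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Report ::ffff:1.2.3.4 as plain IPv4 so both forms compare equal.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def _valid_port(text):
    return text.isascii() and text.isdigit() and 0 < int(text) <= 65535


def parse_client_ip(environ):
    """Client address from the SSH environment, or None if absent/malformed.

    The environment belongs to a user process, so this checks syntax only;
    it cannot prove the value is what sshd originally set.
    """
    for name, layout in LAYOUTS:
        value = environ.get(name)
        if value is None:
            continue
        fields = value.split(" ")
        if len(fields) != len(layout):
            return None  # fail closed rather than guess
        addrs = [_parse_addr(f) for f, kind in zip(fields, layout) if kind == "a"]
        ports_ok = all(_valid_port(f) for f, kind in zip(fields, layout) if kind == "p")
        if None in addrs or not ports_ok:
            return None
        return addrs[0]
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from a real session.
    print(parse_client_ip({"SSH_CONNECTION": "2001:db8::7 40000 2001:db8::1 22"}))
```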
------- Comment #21 From cendio 2015-12-23 12:53:03 -------
Retested and everything looks good.