Currently we try to parse the system log file to figure out the IP address of the connecting client. This is of course a bit error-prone. Now that we have our thinlinc-login based system, we could instead look at the SSH_CLIENT environment variable.
A major drawback with the log parsing approach is that it doesn't work with smartcard/autologin. In this case, what ends up in the log is something like "Accepted publickey for serialNumber=197703012570,givenName=Peter Alf G\c3\b6ran,sn=\c3\85strand,cn=Peter \c3\85strand,c=SE from 1.2.3.4", but vsmserver is of course looking for the normal user name. Letting thinlinc-login submit the SSH_CLIENT environment variable is quite a nice solution, but one drawback is that we would start trusting data submitted by a user process. A malicious user could change SSH_CLIENT. Another option might be to use netstat somehow.
*** Bug 4215 has been marked as a duplicate of this bug. ***
Fedora is getting rid of log files, making this more important: https://fedoraproject.org/wiki/Changes/NoDefaultSyslog
One solution would be bug 2796.
(In reply to comment #4)
> One solution would be bug 2796.
Ignore that; belongs to 4925.
Still need to cleanup unused class BackwardsReader from ctccommon and the existence of /vsmserver/sshd_log_files
(In reply to comment #8)
> Still need to cleanup unused class BackwardsReader from ctccommon and the
> existence of /vsmserver/sshd_log_files
Following needs attention regarding sshd_log_files:
autotests/vsm/test_loginhandler_common.py
doc/external/configuration.xml
vsm/vsmserver.hconf
(In reply to comment #9)
> (In reply to comment #8)
> > Still need to cleanup unused class BackwardsReader from ctccommon and the
> > existence of /vsmserver/sshd_log_files
>
> Following needs attention regarding sshd_log_files:
>
> autotests/vsm/test_loginhandler_common.py
> doc/external/configuration.xml
> vsm/vsmserver.hconf
Cleanup in commit r31038
(In reply to comment #8)
> Still need to cleanup unused class BackwardsReader from ctccommon and the
> existence of /vsmserver/sshd_log_files
BackwardsReader was removed in commit r31039.
Works nicely. Tested the native client, reconnect and reconnect from the HTML client (clears the client IP). I also tested IPv6 which also worked fine.
SSH_CLIENT is deprecated and undocumented:

# rpm -ql `rpm -qa | grep -i openssh` | xargs zgrep SSH_CLIENT
/usr/sbin/sshd:Binär fil (standard in) matchar

From session.c:

/* SSH_CLIENT deprecated */
snprintf(buf, sizeof buf, "%.50s %d %d",
    get_remote_ipaddr(), get_remote_port(), get_local_port());
child_set_env(&env, &envsize, "SSH_CLIENT", buf);

Use SSH_CONNECTION instead.
(In reply to comment #18)
> SSH_CLIENT is deprecated and undocumented:
>
> # rpm -ql `rpm -qa | grep -i openssh` | xargs zgrep SSH_CLIENT
> /usr/sbin/sshd:Binär fil (standard in) matchar
>
> From session.c:
>
> /* SSH_CLIENT deprecated */
> snprintf(buf, sizeof buf, "%.50s %d %d",
> get_remote_ipaddr(), get_remote_port(), get_local_port());
> child_set_env(&env, &envsize, "SSH_CLIENT", buf);
>
> Use SSH_CONNECTION instead.

Found the bug that aims for deprecating SSH_CLIENT in favor of SSH_CONNECTION:
https://bugzilla.mindrot.org/show_bug.cgi?id=384

This points to the reasoning behind moving away from SSH_CLIENT to SSH_CONNECTION. It looks like we should follow the lead and use SSH_CONNECTION instead of SSH_CLIENT.

PS. I also found that dropbear also uses SSH_CONNECTION.
Retested and everything looks good.
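
Added example, not ThinLinc's own code and not part of the original thread: one way a server-side receiver could strictly parse a submitted SSH_CONNECTION value, with SSH_CLIENT (layout taken from the session.c excerpt quoted above) as fallback. The function name `client_endpoint` and the sample values are assumptions; because the value comes from a user process, passing this check shows only that it is well-formed, not that it is authentic.

```python
import ipaddress

def _port(text):
    # Only plain ASCII decimal ports in the valid TCP range are accepted.
    if not (text.isascii() and text.isdigit()):
        raise ValueError("port is not numeric: %r" % text)
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return port

def _addr(text):
    addr = ipaddress.ip_address(text)  # ValueError on anything but IPv4/IPv6
    # Fold ::ffff:a.b.c.d into plain IPv4 so both forms compare equal.
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(addr if mapped is None else mapped)

def client_endpoint(environ):
    """Return (client_ip, client_port), or None if absent or malformed."""
    # SSH_CONNECTION: client_ip client_port server_ip server_port
    # SSH_CLIENT:     client_ip client_port server_port
    for name, nfields in (("SSH_CONNECTION", 4), ("SSH_CLIENT", 3)):
        raw = environ.get(name)
        if raw is None:
            continue
        fields = raw.split(" ")
        try:
            if len(fields) != nfields:
                raise ValueError("unexpected field count in %s" % name)
            ip, port = _addr(fields[0]), _port(fields[1])
            if nfields == 4:
                _addr(fields[2])  # server address must be valid too
            _port(fields[-1])     # server port is always the last field
        except ValueError:
            return None  # malformed: do not fall back to the other variable
        return ip, port
    return None

# Constructed sample values, not taken from a real session.
SAMPLES = [
    {"SSH_CONNECTION": "1.2.3.4 51234 10.0.0.5 22"},
    {"SSH_CLIENT": "2001:db8::1 40000 22"},
    {"SSH_CONNECTION": "::ffff:1.2.3.4 51234 ::ffff:10.0.0.5 22"},
    {"SSH_CONNECTION": "1.2.3.4;id 51234 10.0.0.5 22"},
]

if __name__ == "__main__":
    for env in SAMPLES:
        print(env, "->", client_endpoint(env))
```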