[sane-devel] saned hostname authentification

Henning Meier-Geinitz henning@meier-geinitz.de
Fri, 12 Oct 2001 21:48:35 +0200


Hi,

Sebastien Sable pointed out problems with saned.conf hostnames on his
system some time ago. The problem is that hostnames that are not fully
qualified (e.g. www instead of www.meier-geinitz.de) don't work in
saned.conf with his configuration. It's not a DNS problem, because
"ping www" works.

The question is: is it intended behaviour that only fully qualified
domain names are allowed in saned.conf? If yes, we should note this in
man saned. Otherwise, I think a change in saned.c is necessary.

Currently, saned uses getpeername and gethostbyaddr to get name(s) and
address(es) of the peer. Saned compares the name and the aliases of
the peer against the name in saned.conf. This works in my
configuration (Debian i386 Linux 2.2) also with pure hostnames. The
reason is that gethostbyaddr returns "www" as the name and
"www.meier-geinitz.de" as alias, so access is accepted. In Sebastien's
case, gethostbyaddr only returns "www.meier-geinitz.de". I don't know
if this is allowed or even recommended by the standards. The manual
pages aren't clear about this.

A way to avoid this problem would be to use gethostbyname on the entry
in saned.conf and to compare the IP addresses. However, this means
that for every entry in saned.conf a DNS lookup is executed. I'm not
sure if this is a problem.

Any comments?

Bye,
  Henning
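
The two checks discussed in the message above, side by side, as an added example that is not part of the original post and is not code from saned.c. The function names, the case-insensitive comparison, the stub resolver and the sample data (www, www.example.test, 192.0.2.10) are assumptions made here so that the example runs without DNS.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Name check: saned.conf entry vs. name and aliases from the reverse lookup. */
int match_by_name(const struct hostent *peer, const char *entry)
{
    int hit = strcasecmp(peer->h_name, entry) == 0;
    for (char **a = peer->h_aliases; !hit && a && *a; a++)
        hit = strcasecmp(*a, entry) == 0;
    return hit;
}

/* Address check: resolve the entry (gethostbyname in real use), compare IPv4 addresses. */
typedef struct hostent *(*resolver_fn)(const char *);
int match_by_addr(const struct in_addr *peer, const char *entry, resolver_fn resolve)
{
    struct hostent *he = resolve(entry);
    int hit = 0;
    if (!he || he->h_addrtype != AF_INET || he->h_length != (int)sizeof *peer)
        return 0;
    for (char **p = he->h_addr_list; !hit && p && *p; p++)
        hit = memcmp(*p, peer, sizeof *peer) == 0;
    return hit;
}

/* Constructed sample data; 192.0.2.10 and example.test are placeholders. */
static unsigned char sample_ip[4] = { 192, 0, 2, 10 };
static char *sample_addrs[] = { (char *)sample_ip, NULL };
static char *fqdn_alias[] = { "www.example.test", NULL }, *no_alias[] = { NULL };
static struct hostent fwd = { .h_addrtype = AF_INET, .h_length = 4, .h_addr_list = sample_addrs };
struct hostent peer_short = { .h_name = "www", .h_aliases = fqdn_alias };
struct hostent peer_fqdn_only = { .h_name = "www.example.test", .h_aliases = no_alias };

struct hostent *stub_resolve(const char *name)
{
    return (!strcasecmp(name, "www") || !strcasecmp(name, "www.example.test")) ? &fwd : NULL;
}

int main(void)
{
    struct in_addr peer;
    inet_pton(AF_INET, "192.0.2.10", &peer);
    printf("by name, FQDN-only reverse lookup: %d\n", match_by_name(&peer_fqdn_only, "www"));
    printf("by address, same peer: %d\n", match_by_addr(&peer, "www", stub_resolve));
    return 0;
}
```

Here `peer_short` models a reverse lookup that returns "www" plus the fully qualified alias, and `peer_fqdn_only` one that returns only the fully qualified name. Forward-resolving the configured entry also means the access decision no longer depends on what the peer's reverse (PTR) record says.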