Carson Gaspar
2003-Sep-13 06:51 UTC
CVS is missing documentation for HostbasedUsesNameFromPacketOnly
I'm attaching a simple doc patch against current CVS - feel free to re-word it as you see fit. I also noticed that if UseDNS is no, HostbasedUsesNameFromPacketOnly _must_ be yes if you want HostbasedAuthentication to work.

--
Carson

-------------- next part --------------
--- sshd_config.5.DIST 2003-09-13 02:25:18.365707000 -0400+++ sshd_config.5 2003-09-13 02:46:29.430974000 -0400@@ -245,6 +245,16 @@ and applies to protocol version 2 only. The default is .Dq no .+.It Cm HostbasedUsesNameFromPacketOnly+Specifies whether HostbasedAuthentication fails if the client supplied+hostname does not match the hostname derived by reverse resolving the+client's IP address. If UseDNS is set to+.Dq no ,+the client supplied hostname will be compared with the client's IP address, and+authentication will probably fail, unless this is set to+.Dq yes .+The default is+.Dq no . .It Cm HostKey Specifies a file containing a private host key used by SSH.
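Review bot: the new HostbasedUsesNameFromPacketOnly entry describes the option by its failure case ("Specifies whether HostbasedAuthentication fails if ...") rather than by what it controls; lead with the comparison sshd performs (the hostname supplied by the client against the name obtained by reverse-resolving the client's address) and then state that when set to yes only the client-supplied name is used. The inline references to HostbasedAuthentication and UseDNS should carry the page's keyword markup, as the `.It Cm HostKey` heading in the trailing context does, e.g. `.Cm HostbasedAuthentication` and `.Cm UseDNS`. "authentication will probably fail" is vaguer than the hunk's own explanation supports: with UseDNS no the comparison is against the client's IP address, so it fails unless the client sent that address as its hostname; say so and drop "probably". The entry also omits the "applies to protocol version 2 only" sentence that the preceding entry in the context carries; add it if the option is likewise protocol-2-only.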
Markus Friedl
2003-Sep-13 15:33 UTC
CVS is missing documentation for HostbasedUsesNameFromPacketOnly
HostbasedUsesNameFromPacketOnly is experimental and not documented. I think it violates the spec.

On Sat, Sep 13, 2003 at 02:51:45AM -0400, Carson Gaspar wrote:
> I'm attaching a simple doc patch against current CVS - feel free to re-word
> it as you see fit. I also noticed that if UseDNS is no,
> HostbasedUsesNameFromPacketOnly _must_ be yes if you want
> HostbasedAuthentication to work.

Then it's a bug.
Carson Gaspar
2003-Sep-14 17:59 UTC
CVS is missing documentation for HostbasedUsesNameFromPacketOnly
--On Saturday, September 13, 2003 5:33 PM +0200 Markus Friedl <markus at openbsd.org> wrote:

> HostbasedUsesNameFromPacketOnly is experimental and
> not documented. I think it violates the spec.

Can you please elaborate? From my point of view, it is the _only_ sane way to operate, as anything else looks at useless (from a security perspective) IP and DNS data, as opposed to the cryptographically authenticated data sent by the client. It also makes HostbasedAuthentication survive NAT, which is nice.

--
Carson
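The interaction Carson describes in the first message (UseDNS no makes sshd compare the client-supplied hostname with the client's IP address, so HostbasedAuthentication fails unless HostbasedUsesNameFromPacketOnly is yes) is easy to check for mechanically. The following Python checker is an added example, not code from this thread or from OpenSSH. It assumes the modern built-in defaults (HostbasedAuthentication no, HostbasedUsesNameFromPacketOnly no, and UseDNS no, which is the default since OpenSSH 6.8; in 2003 UseDNS defaulted to yes, and the defaults dict can be overridden to match the sshd being checked). It parses only the global section of the file, stops at the first Match block, does not handle quoted values, and the sample configurations are constructed for the example.

```python
"""Lint the global section of an sshd_config for the interaction the thread
describes: with HostbasedAuthentication yes and UseDNS no, sshd compares the
client-supplied hostname against the client's IP address string, so hostbased
auth fails unless HostbasedUsesNameFromPacketOnly is yes."""
import re

# Values assumed when a keyword is absent (assumption: modern OpenSSH defaults).
# HostbasedAuthentication and HostbasedUsesNameFromPacketOnly default to "no";
# UseDNS defaulted to "yes" in 2003 and to "no" since OpenSSH 6.8, so pass a
# different defaults dict if the sshd being checked is older.
DEFAULTS = {
    "hostbasedauthentication": "no",
    "usedns": "no",
    "hostbasedusesnamefrompacketonly": "no",
}

_KEYWORD_RE = re.compile(r"([A-Za-z]+)\s*(?:=\s*|\s+)(.*)")


def parse_global(config_text):
    """Return {keyword (lowercased): value} for the global section of an
    sshd_config.  Keywords are case-insensitive, '=' or whitespace separates
    keyword and value, comments start with '#', and the first occurrence of a
    keyword wins, as in sshd.  Parsing stops at the first Match block; its
    conditional overrides are deliberately not evaluated by this checker."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def effective(settings, defaults=DEFAULTS):
    """Merge parsed settings over the assumed defaults, lowercasing values."""
    eff = dict(defaults)
    for key in defaults:
        if key in settings:
            eff[key] = settings[key].lower()
    return eff


def check_hostbased(config_text, defaults=DEFAULTS):
    """Return a list of (severity, message) findings; [] means no issue."""
    eff = effective(parse_global(config_text), defaults)
    findings = []
    if eff["hostbasedauthentication"] != "yes":
        return findings  # hostbased auth is off; the interaction is moot
    if eff["usedns"] == "no" and eff["hostbasedusesnamefrompacketonly"] != "yes":
        findings.append((
            "error",
            "UseDNS no: sshd has no reverse-resolved name and compares the "
            "client-supplied hostname with the client's IP address string, so "
            "HostbasedAuthentication will fail; set "
            "HostbasedUsesNameFromPacketOnly yes",
        ))
    if eff["hostbasedusesnamefrompacketonly"] == "yes":
        findings.append((
            "info",
            "HostbasedUsesNameFromPacketOnly yes: the hostname in the client's "
            "request is used as-is for the host key lookup, so the client's "
            "host key must be listed under that name in ssh_known_hosts",
        ))
    return findings


# Constructed sample configurations (not from the thread).
WEAK_CONFIG = """\
HostbasedAuthentication yes
UseDNS no
# HostbasedUsesNameFromPacketOnly left at its default of no
"""

FIXED_CONFIG = """\
HostbasedAuthentication yes
UseDNS no
HostbasedUsesNameFromPacketOnly yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for severity, message in check_hostbased(cfg) or [("ok", "consistent")]:
            print(f"{name}: {severity}: {message}")
```

The "info" finding is there because turning the option on shifts trust from reverse DNS to the name the client asserts: that name is only meaningful because the client's host key signature is verified against the ssh_known_hosts entry stored under it, so the known-hosts entries must be keyed by the names clients actually send.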