Thomas Köller
2023-Oct-22 13:29 UTC
Host name lookup failure using hostbased authentication
There is a nasty problem when using hostbased authentication: [thomas at sarkovy ~]$ journalctl -l -f | grep -Fe 'sshd[' Okt 22 15:20:54 sarkovy sshd[35034]: userauth_hostbased mismatch: client sends htpc.koeller.dyndns.org, but we resolve 192.168.0.2 to 192.168.0.2 Okt 22 15:20:54 sarkovy sshd[35034]: Connection closed by authenticating user thomas 192.168.0.2 port 36284 [preauth] ^C Note that hostname/address lookups work in either direction: [thomas at sarkovy ~]$ host htpc.koeller.dyndns.org htpc.koeller.dyndns.org has address 192.168.0.2 htpc.koeller.dyndns.org has IPv6 address fd46:1ffa:d8e0::2 [thomas at sarkovy ~]$ host 192.168.0.2 2.0.168.192.in-addr.arpa domain name pointer htpc.koeller.dyndns.org. What's wrong here? Thomas
Darren Tucker
2023-Oct-23 00:57 UTC
Host name lookup failure using hostbased authentication
On Mon, 23 Oct 2023 at 00:43, Thomas K?ller <thomas at koeller.dyndns.org> wrote:> There is a nasty problem when using hostbased authentication:Suggestions: - "host" does DNS lookups, but is your system's nsswitch.conf or equivalent actually configured to use DNS? - have you turned off DNS lookups in sshd with "UseDNS no" in sshd_config? - you could try setting "HostbasedUsesNameFromPacketOnly yes" in sshd_config. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.