bugzilla-daemon at mindrot.org
2003-Sep-26 21:34 UTC
[Bug 720] "UseDNS no" breaks public key login
http://bugzilla.mindrot.org/show_bug.cgi?id=720
Summary: "UseDNS no" breaks public key login
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: wsanders1 at yahoo.com
Setting "UseDNS no" as a temporary workaround for a host that does not have a PTR record breaks public key login for all hosts, even if they have valid, matching A and PTR records. A message is logged to syslog: "sshd[1235]: Authentication tried for <user> with correct key but not from a permitted host (host=XXX.XXX.XXX.XXX, ip=XXX.XXX.XXX.XXX)." Host at IP XXX.XXX.XXX.XXX is a host that was previously able to login when UseDNS is set to "yes".
If this is not the intent of the UseDNS option
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-26 23:40 UTC
[Bug 720] "UseDNS no" breaks public key login
http://bugzilla.mindrot.org/show_bug.cgi?id=720
------- Additional Comments From djm at mindrot.org 2003-09-27 09:40 -------
are you talking about HostBased authentication, or user PublicKeyAuthentication?
bugzilla-daemon at mindrot.org
2003-Sep-29 21:24 UTC
[Bug 720] "UseDNS no" breaks public key login
http://bugzilla.mindrot.org/show_bug.cgi?id=720
wsanders1 at yahoo.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |RESOLVED
Resolution    |        |WONTFIX
------- Additional Comments From wsanders1 at yahoo.com 2003-09-30 07:24 -------
Ahhh, this was a usage error. You can close this bug. "UseDNS no" stops all DNS references from occurring - I had expected it to only disable the restriction that the host's IP be findable in a PTR DNS record. What was actually happening is that from="<FQDN>" was in my authorized_keys file, and then "UseDNS no" prevented sshd from looking up the IP of foo. So sshd would complain "Your host '11.22.33.44' is not permitted to use this key for login." when it also meant "key found in the authorized_keys file for <FQDN> but not for 11.22.33.44".
The correct use of "UseDNS no" is to identify the key with 'from="11.22.33.44"' (the double quotes are required) rather than 'from="<FQDN>"'.
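The interaction the reporter ran into, as an added example that is not part of the bug thread or of OpenSSH's own code: a simplified model of how sshd matches a client against the `from=` patterns of an authorized_keys entry. With `UseDNS no` the only "hostname" sshd has for the client is its IP string, so an FQDN pattern can never match, while an IP pattern matches either way. The IP 11.22.33.44 is the one from the report; the hostname `bastion.example.net` is a constructed placeholder, and the matching rules are a simplification of OpenSSH's, not its actual implementation.

```python
import fnmatch
from typing import Optional


def match_pattern_list(name: str, patterns: str) -> int:
    """Simplified model of sshd's pattern-list matching.

    Returns 1 if a positive pattern matches, -1 as soon as a negated
    ("!pattern") entry matches, and 0 if nothing matched.
    Patterns are comma separated and support '*' and '?' wildcards.
    """
    matched = 0
    for pat in patterns.split(","):
        pat = pat.strip()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        # hostnames compare case-insensitively; an IP string is unaffected
        if fnmatch.fnmatchcase(name.lower(), pat.lower()):
            if negated:
                return -1  # an explicit deny wins immediately
            matched = 1
    return matched


def host_allowed(ip: str, from_patterns: str, use_dns: bool,
                 ptr_name: Optional[str]) -> bool:
    """Would a key carrying from="<from_patterns>" accept a client at ip?

    use_dns models the sshd_config UseDNS setting; ptr_name is the name the
    client's PTR record would yield (assumed already forward-confirmed).
    With UseDNS no, sshd never resolves anything, so the host name it
    matches against is simply the IP string itself.
    """
    host = ptr_name if (use_dns and ptr_name) else ip
    ip_result = match_pattern_list(ip, from_patterns)
    if ip_result == -1:
        return False
    host_result = match_pattern_list(host, from_patterns)
    if host_result == -1:
        return False
    return host_result == 1 or ip_result == 1


if __name__ == "__main__":
    # The reporter's situation: an FQDN pattern works only while UseDNS is on.
    print(host_allowed("11.22.33.44", "bastion.example.net", True, "bastion.example.net"))
    print(host_allowed("11.22.33.44", "bastion.example.net", False, "bastion.example.net"))
    # The fix from the thread: restrict the key by IP instead.
    print(host_allowed("11.22.33.44", "11.22.33.44", False, "bastion.example.net"))
```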