openssh unix dev - Mar 2002 - Block ssh logins for specific hostnames (CNAMES) all bound to same IP ???

Hi,

I'm interested in the ability to block ssh logins (or alternatively, not
have sshd answer client requests) for certain hostnames that are DNS CNAME
aliases to the canonical name for a given IP address.

To tell you the truth, I don't think this is currently possible through this
setup, and may look further to try to block it at the firewall, but that's a
different discussion... :)

Essentially, let's say I have:

public.domain.com IN CNAME myserver.domain.com
www.domain.com    IN CNAME myserver.domain.com
myserver.domain.com   IN A 1.2.3.4

I don't want (for abstraction purposes, and ability to later change internal
names) users to be able to 'ssh www.domain.com' or 'ssh
myserver.domain.com', but instead require that they 'ssh
public.domain.com'.

I've searched the mail archives without much success, other than the
following slightly orthogonal message:

  List:     openssh-unix-dev
  Subject:  Re: OpenSSH Key Storage
  From:     Carson Gaspar <carson at taltos.org>
  Date:     2002-02-01 18:18:08
  [Download message RAW]
  
  If you want to bind identity to a server, you have only 2 valid options:
  
  - Pass the server's identity in-band, and have the client use that when 
  validating keys. This avoids a layering violation.
  - Have the client validate the key against the layer 3/4 info - i.e. the 
  IP:PORT pair.
  
  Nothing else is sane. Servers on different ports are different servers, 
  that may, or may not, have the same keys. Requiring config file gymnastics 
  is bogus.
  
  Sadly, after reading the RFC, it looks like the server never sends its name 
  during the key exchange, making the first (and better) option impossible. I 
  hope I'm wrong and just mis-understood the documents.
  
  -- 
  Carson


I've also examined what I thought would do the trick:

  ListenAddress:
  
  Specifies the local addresses sshd should listen on.  The following forms
  may be used:
  
  ListenAddress host|IPv4_addr|IPv6_addr
  ListenAddress host|IPv4_addr:port
  ListenAddress [host|IPv6_addr]:port
  
  If port is not specified, sshd will listen on the address and all prior Port
  options specified. The default is to listen on all local addresses.
  Multiple ListenAddress options are permitted. Additionally, any Port options
  must precede this option for non port qualified addresses.

But it seemed to still pick up all connections to any CNAME, and probably
for the following reason:

I'm pretty sure that the ssh client contacts the server based upon the DNS
resolution of the hostname to IP address, and the sshd server only sees an
incoming client request, so I imagine that the only possibility that sshd
would know what hostname the client requested were if the client passed this
argument to the server.


Finally, I'm obviously aware that I could simply register separate IP
addresses for these hostnames, and either include multiple NIC's in the
server or simply bind multiple distinct IP addresses to the same NIC, and
then have sshd easily achieve the distinction between hostnames on IP
addresses, but I'd still first prefer to see if I could achieve my goals as
above.


Anyway, thanks so much for producing such a fine tool, and thanks also for
any suggestions.

Take care,
Daniel

-- 
Daniel A. Freedman
Laboratory for Atomic and Solid State Physics
Department of Physics
Cornell University