openssh unix dev - Sep 2003 - CVS is missing documentation for HostbasedUsesNameFromPacketOnly

I'm attaching a simple doc patch against current CVS - feel free to re-word 
it as you see fit. I also noticed that if UseDNS is no, 
HostbasedUsesNameFromPacketOnly _must_ be yes if you want 
HostbasedAuthentication to work.

-- 
Carson
-------------- next part --------------
--- sshd_config.5.DIST	2003-09-13 02:25:18.365707000 -0400+++ sshd_config.5
2003-09-13 02:46:29.430974000 -0400@@ -245,6 +245,16 @@ and applies to protocol
version 2 only. The default is .Dq no .+.It Cm
HostbasedUsesNameFromPacketOnly+Specifies whether HostbasedAuthentication fails
if the client supplied+hostname does not match the hostname derived by reverse
resolving the+client's IP address. If UseDNS is set to+.Dq no ,+the client
supplied hostname will be compared with the client's IP address,
and+authentication will probably fail, unless this is set to+.Dq yes .+The
default is+.Dq no . .It Cm HostKey Specifies a file containing a private host
key used by SSH.

HostbasedUsesNameFromPacketOnly is experimental and
not documented. i think it violates the spec.

On Sat, Sep 13, 2003 at 02:51:45AM -0400, Carson Gaspar
wrote:
> I'm attaching a simple doc patch against current CVS - feel free to
re-word
> it as you see fit. I also noticed that if UseDNS is no, 
> HostbasedUsesNameFromPacketOnly _must_ be yes if you want 
> HostbasedAuthentication to work.
than it's a bug.

--On Saturday, September 13, 2003 5:33 PM +0200 Markus Friedl 
<markus at openbsd.org> wrote:
> HostbasedUsesNameFromPacketOnly is experimental and
> not documented. i think it violates the spec.
Can you please elaborate? From my point of view, it is the _only_ sane way 
to operate, as anything else looks at useless (from a security perspective) 
IP and DNS data, as opposed to the cryptographically authenticated data 
sent by the client.

It also makes HostbasedAuthentication survive NAT, which is nice.

-- 
Carson