Displaying 20 results from an estimated 33 matches for "hostbasedusesnamefrompacketonly".
2003 Sep 13
3
Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
If HostbasedUsesNameFromPacketOnly is set to yes, sshd does not remove
the trailing dot from the client supplied hostname, causing sshd to
attempt to look up "foo.example.com." (note trailing period) in
known_hosts and .shosts instead of "foo.example.com"
Trivial patch attached.
--
Carson
-------------- nex...
2003 Sep 13
2
CVS is missing documentation for HostbasedUsesNameFromPacketOnly
I'm attaching a simple doc patch against current CVS - feel free to re-word
it as you see fit. I also noticed that if UseDNS is no,
HostbasedUsesNameFromPacketOnly _must_ be yes if you want
HostbasedAuthentication to work.
--
Carson
-------------- next part --------------
--- sshd_config.5.DIST 2003-09-13 02:25:18.365707000 -0400+++ sshd_config.5 2003-09-13 02:46:29.430974000 -0400@@ -245,6 +245,16 @@ and applies to protocol version 2 only. The default is...
2002 May 08
1
[PATCH] Strip trailing . when using HostbasedUsesNameFromPacketOnly
The following simple patch (against openssh-3.1) moves the test for a
trailing dot in the client-supplied hostname so that it is also stripped
when using the server option HostbasedUsesNameFromPacketOnly.
Please CC me on any replies, as I'm not subscribed to the list.
Cheers,
Bill Rugolsky
--- ssh/auth2.c~ Sun Feb 24 14:14:59 2002
+++ ssh/auth2.c Wed May 8 16:26:26 2002
@@ -709,15 +709,15 @@
debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
chost, resolv...
2010 Jun 15
3
[Bug 1782] New: Match support for HostbasedUsesNameFromPacketOnly
https://bugzilla.mindrot.org/show_bug.cgi?id=1782
Summary: Match support for HostbasedUsesNameFromPacketOnly
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: imorgan at...
2006 Oct 04
0
[Bug 1200] sshd does not strip trailing dot from client hostname with HostbasedUsesNameFromPacketOnly
http://bugzilla.mindrot.org/show_bug.cgi?id=1200
------- Comment #2 from res at qoxp.net 2006-10-05 09:01 -------
*** Bug 1248 has been marked as a duplicate of this bug. ***
2001 Nov 09
2
openssh-3.0p1, auth2.c
openssh-3.0p1 still contains the bug which I already reported on Sept. 28 2001
for 2.9p2, namely, the trailing dot in chost should be stripped before calling
auth_rhosts2() even with option "HostbasedUsesNameFromPacketOnly yes".
Otherwise, the host names in /etc/hosts.equiv and .rhosts would have to be
dot-terminated. Fix: Move lines 776-779 of auth2.c upwards to after line 767.
(These line numbers also hold for 2.9.9p2.)
*** auth2.c.ORI Wed Oct 3 19:12:44 2001
--- auth2.c Fri Nov 9 10:15:42 2001
************...
2001 Sep 28
2
openssh-2.9p2, auth2.c
Even with option "HostbasedUsesNameFromPacketOnly yes", the trailing
dot in chost should be stripped before auth_rhosts2() is called from
hostbased_key_allowed().
Hans Werner Strube strube at physik3.gwdg.de
Drittes Physikalisches Institut, Univ. Goettingen
Buergerstr. 42-44, D-37073 Goettingen, Germany
Suggested change:
**...
2007 May 17
7
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org,
| |simon at sxw.org.uk
--- Comment #2 from
2023 Oct 23
1
Host name lookup failure using hostbased authentication
...problem when using hostbased authentication:
Suggestions:
- "host" does DNS lookups, but is your system's nsswitch.conf or
equivalent actually configured to use DNS?
- have you turned off DNS lookups in sshd with "UseDNS no" in sshd_config?
- you could try setting "HostbasedUsesNameFromPacketOnly yes" in sshd_config.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
2005 Oct 06
1
Possible security problem in hostbased user authentication?
In auth2-hostbased.c, line #146
if (auth_rhosts2(pw, cuser, chost, chost) == 0)
                                   ^^^^^
shouldn't this be
if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0)
                                   ^^^^^^
The code was found in 4.2.
Best regards,
Choung S.Park
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
...uthentications hostbased,publickey
HostbasedAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
...
server sshd_config
...
AuthenticationMethods hostbased,publickey
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
PubkeyAuthentication yes
PasswordAuthentication no
...
on the server, because I'm not entirely sure where to put it yet
echo "client.DOMAIN.COM" > /etc/shosts.equiv
echo "client.DOMAIN.COM" > /usr/local/etc/shosts.equiv
when...
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
...sign yes (note: this had already been 'in there' --- just further down in the config)
...
server sshd_config
...
- AuthenticationMethods hostbased,publickey
+ AuthenticationMethods hostbased
HostbasedAuthentication yes
- HostbasedUsesNameFromPacketOnly yes
+ #HostbasedUsesNameFromPacketOnly yes
- PubkeyAuthentication yes
+ PubkeyAuthentication no
PasswordAuthentication no
...
I already have the server's key in the known hosts file on the client.
@ client
cat ssh_config
...
GlobalKno...
2020 Oct 23
3
"Semi-Trusted" SSH-Keys that also require PAM login
Hello Damien, Brian and all,
thanks for the suggestions. I actually had not considered host-based
authentication and looked it up.
As I understand from my first quick reading, I would need to specify the
clients which are allowed to use host-based auth on the server with a
DNS name or an IP, which would not work for a client behind a CG NAT or
in a cellular network.
Or did I get this wrong?
2023 Oct 22
1
Host name lookup failure using hostbased authentication
There is a nasty problem when using hostbased authentication:
[thomas at sarkovy ~]$ journalctl -l -f | grep -Fe 'sshd['
Okt 22 15:20:54 sarkovy sshd[35034]: userauth_hostbased mismatch: client
sends htpc.koeller.dyndns.org, but we resolve 192.168.0.2 to 192.168.0.2
Okt 22 15:20:54 sarkovy sshd[35034]: Connection closed by authenticating
user thomas 192.168.0.2 port 36284 [preauth]
^C
2006 Apr 08
1
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180
Summary: Add finer-grained controls to sshd
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: dtucker at
2001 Apr 25
0
Minor bug in HostbasedAuthentication
When using "HostbasedUsesNameFromPacketOnly yes", the ssh client sends the
hostname with a trailing dot, but the server does not strip off the
trailing dot when matching against .shosts et al., or when looking up keys
in ssh_known_hosts2. This causes the host to not be found. Adding the
hostname with trailing dot to the config file...
2001 Apr 25
0
Case study of new possibilities with PartialAuth and HostbasedAuth
...If charles had a dynamic IP address, or was behind dynamic NAT or
a non-transparent firewall, you lost. If someone could spoof charles' IP
address, you lost. Now, you can solve this securely (assuming charles' host
security is good!).
on steve:
sshd_config:
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
PasswordAuthentication yes
# if you don't want users to add clients, you either need to stop parsing .[rs]hosts
IgnoreRhosts yes
# or control which hosts have trusted keys with
IgnoreUserKnownHosts yes
# or both
AuthOrder2 hostbased:password
ssh_known_hosts2:
charles.dom.ain.,charles.dom...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...2014 05:17:11 -0000 1.173
+++ sshd_config.5 6 Jun 2014 08:04:06 -0000
@@ -896,6 +896,7 @@ Available keywords are
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
+.Cm Ciphers ,
.Cm DenyGroups ,
.Cm DenyUsers ,
.Cm ForceCommand ,
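Review bot: The new ".Cm Ciphers ," entry needs a caveat in the surrounding text, because ciphers are negotiated during key exchange, before the client has named a user, so a Match block conditioned on User or Group cannot affect them. Suggest stating next to this list that Ciphers only takes effect under connection-level criteria such as Address, LocalAddress or LocalPort.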
@@ -905,6 +906,8 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm KexAlgorithms ,
+.Cm MACs ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
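Review bot: The ".Cm KexAlgorithms ," and ".Cm MACs ," additions list the keywords without saying how a value inside a Match block combines with the global one. Suggest documenting whether the Match value replaces the global list outright, since an administrator who has tightened the global algorithm list may not expect a Match block to widen it again for some clients.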
Regards,
Armin Wolfermann
2001 Sep 28
3
openssh-2.9p2, short hostnames
For systems where the local hostname is obtained as a short name without
domain, there should be a ssh_config option "DefaultDomain" as in ssh-3.x
from ssh.com.
For the server, there might be a corresponding option in order to strip
the domain name from the remote client name (if it matches the server's
DefaultDomain) for use in auth_rhost2, since netgroups usually contain
short
2010 Aug 23
0
Announce: OpenSSH 5.6 released
...ontinues to apply. These options
are useful for role accounts, disjoint account namespaces and
"user at realm"-style naming policies in certificates.
* Additional sshd_config(5) options are now valid inside Match blocks:
AuthorizedKeysFile
AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly
PermitTunnel
* Revised the format of certificate keys. The new format, identified as
ssh-{dss,rsa}-cert-v01 at openssh.com includes the following changes:
- Adding a serial number field. This may be specified by the CA at
the time of certificate signing.
- Moving t...