search for: hostbasedusesnamefrompacketonly

Displaying 20 results from an estimated 33 matches for "hostbasedusesnamefrompacketonly".

2003 Sep 13
3
Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
If HostbasedUsesNameFromPacketOnly is set to yes, sshd does not remove the trailing dot from the client supplied hostname, causing sshd to attempt to look up "foo.example.com." (note trailing period) in known_hosts and .shosts instead of "foo.example.com". Trivial patch attached. -- Carson -------------- nex...
2003 Sep 13
2
CVS is missing documentation for HostbasedUsesNameFromPacketOnly
I'm attaching a simple doc patch against current CVS - feel free to re-word it as you see fit. I also noticed that if UseDNS is no, HostbasedUsesNameFromPacketOnly _must_ be yes if you want HostbasedAuthentication to work. -- Carson -------------- next part -------------- --- sshd_config.5.DIST 2003-09-13 02:25:18.365707000 -0400+++ sshd_config.5 2003-09-13 02:46:29.430974000 -0400@@ -245,6 +245,16 @@ and applies to protocol version 2 only. The default is...
2002 May 08
1
[PATCH] Strip trailing . when using HostbasedUsesNameFromPacketOnly
The following simple patch (against openssh-3.1) moves the test for a trailing dot in the client-supplied hostname so that it is also stripped when using the server option HostbasedUsesNameFromPacketOnly. Please CC me on any replies, as I'm not subscribed to the list. Cheers, Bill Rugolsky --- ssh/auth2.c~ Sun Feb 24 14:14:59 2002 +++ ssh/auth2.c Wed May 8 16:26:26 2002 @@ -709,15 +709,15 @@ debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", chost, resolv...
2010 Jun 15
3
[Bug 1782] New: Match support for HostbasedUsesNameFromPacketOnly
https://bugzilla.mindrot.org/show_bug.cgi?id=1782 Summary: Match support for HostbasedUsesNameFromPacketOnly Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: imorgan at...
2006 Oct 04
0
[Bug 1200] sshd does not strip trailing dot from client hostname with HostbasedUsesNameFromPacketOnly
http://bugzilla.mindrot.org/show_bug.cgi?id=1200 ------- Comment #2 from res at qoxp.net 2006-10-05 09:01 ------- *** Bug 1248 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2001 Nov 09
2
openssh-3.0p1, auth2.c
openssh-3.0p1 still contains the bug which I already reported on Sept. 28 2001 for 2.9p2, namely, the trailing dot in chost should be stripped before calling auth_rhosts2() even with option "HostbasedUsesNameFromPacketOnly yes". Otherwise, the host names in /etc/hosts.equiv and .rhosts would have to be dot-terminated. Fix: Move lines 776-779 of auth2.c upwards to after line 767. (These line numbers also hold for 2.9.9p2.) *** auth2.c.ORI Wed Oct 3 19:12:44 2001 --- auth2.c Fri Nov 9 10:15:42 2001 ************...
2001 Sep 28
2
openssh-2.9p2, auth2.c
Even with option "HostbasedUsesNameFromPacketOnly yes", the trailing dot in chost should be stripped before auth_rhosts2() is called from hostbased_key_allowed(). Hans Werner Strube strube at physik3.gwdg.de Drittes Physikalisches Institut, Univ. Goettingen Buergerstr. 42-44, D-37073 Goettingen, Germany Suggested change: **...
2007 May 17
7
[Bug 616] proxycommand breaks hostbased authentication.
http://bugzilla.mindrot.org/show_bug.cgi?id=616 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org, | |simon at sxw.org.uk --- Comment #2 from
2023 Oct 23
1
Host name lookup failure using hostbased authentication
...problem when using hostbased authentication: Suggestions: - "host" does DNS lookups, but is your system's nsswitch.conf or equivalent actually configured to use DNS? - have you turned off DNS lookups in sshd with "UseDNS no" in sshd_config? - you could try setting "HostbasedUsesNameFromPacketOnly yes" in sshd_config. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
2005 Oct 06
1
Possible security problem in hostbased user authentication?
In auth2-hostbased.c, line #146 if (auth_rhosts2(pw, cuser, chost, chost) == 0) ^^^^^ shouldn't this be if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0) ^^^^^^ The code was found in 4.2. Best regards, Choung S.Park
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
...uthentications hostbased,publickey HostbasedAuthentication yes PubkeyAuthentication yes PasswordAuthentication no ... server sshd_config ... AuthenticationMethods hostbased,publickey HostbasedAuthentication yes HostbasedUsesNameFromPacketOnly yes PubkeyAuthentication yes PasswordAuthentication no ... on the server, because I'm not entirely sure where to put it yet echo "client.DOMAIN.COM" > /etc/shosts.equiv echo "client.DOMAIN.COM" > /usr/local/etc/shosts.equiv when...
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
...sign yes (note: this had already been 'in there' --- just further down in the config) ... server sshd_config ... - AuthenticationMethods hostbased,publickey + AuthenticationMethods hostbased HostbasedAuthentication yes - HostbasedUsesNameFromPacketOnly yes + #HostbasedUsesNameFromPacketOnly yes - PubkeyAuthentication yes + PubkeyAuthentication no PasswordAuthentication no ... I already have the server's key in the known hosts file on the client. @ client cat ssh_config ... GlobalKno...
2020 Oct 23
3
"Semi-Trusted" SSH-Keys that also require PAM login
Hello Damien, Brian and all, thanks for the suggestions. I actually had not considered host-based authentication and looked it up. As I understand from my first quick reading, I would need to specify the clients which are allowed to use host-based auth on the server with a DNS name or an IP, which would not work for a client behind a CG NAT or in a cellular network. Or did I get this wrong?
2023 Oct 22
1
Host name lookup failure using hostbased authentication
There is a nasty problem when using hostbased authentication: [thomas at sarkovy ~]$ journalctl -l -f | grep -Fe 'sshd[' Okt 22 15:20:54 sarkovy sshd[35034]: userauth_hostbased mismatch: client sends htpc.koeller.dyndns.org, but we resolve 192.168.0.2 to 192.168.0.2 Okt 22 15:20:54 sarkovy sshd[35034]: Connection closed by authenticating user thomas 192.168.0.2 port 36284 [preauth] ^C
2006 Apr 08
1
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180 Summary: Add finer-grained controls to sshd Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: dtucker at
2001 Apr 25
0
Minor bug in HostbasedAuthentication
When using "HostbasedUsesNameFromPacketOnly yes", the ssh client sends the hostname with a trailing dot, but the server does not strip off the trailing dot when matching against .shosts et al., or when looking up keys in ssh_known_hosts2. This causes the host to not be found. Adding the hostname with trailing dot to the config file...
2001 Apr 25
0
Case study of new possibilities with PartialAuth and HostbasedAuth
...If charles had a dynamic IP address, or was behind dynamic NAT or a non-transparent firewall, you lost. If someone could spoof charles' IP address, you lost. Now, you can solve this securely (assuming charles' host security is good!). on steve: sshd_config: HostbasedAuthentication yes HostbasedUsesNameFromPacketOnly yes PasswordAuthentication yes # if you don't want users to add clients, you either need to stop parsing .[rs]hosts IgnoreRhosts yes # or control which hosts have trusted keys with IgnoreUserKnownHosts yes # or both AuthOrder2 hostbased:password ssh_known_hosts2: charles.dom.ain.,charles.dom...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...2014 05:17:11 -0000 1.173 +++ sshd_config.5 6 Jun 2014 08:04:06 -0000 @@ -896,6 +896,7 @@ Available keywords are .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , +.Cm Ciphers , .Cm DenyGroups , .Cm DenyUsers , .Cm ForceCommand , @@ -905,6 +906,8 @@ Available keywords are .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , +.Cm KexAlgorithms , +.Cm MACs , .Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , Regards, Armin Wolfermann
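Review bot: Both sshd_config.5 hunks add Ciphers, KexAlgorithms and MACs to the "Available keywords are" list for Match with no qualification, but these algorithms are negotiated during key exchange, before the client has sent a user name. A Match block keyed on User or Group therefore cannot affect the initial negotiation, and an administrator who restricts algorithms that way would get no enforcement. The man page text should state which Match criteria (connection-level ones such as Address or LocalPort) are honoured for these three keywords.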
2001 Sep 28
3
openssh-2.9p2, short hostnames
For systems where the local hostname is obtained as a short name without domain, there should be a ssh_config option "DefaultDomain" as in ssh-3.x from ssh.com. For the server, there might be a corresponding option in order to strip the domain name from the remote client name (if it matches the server's DefaultDomain) for use in auth_rhost2, since netgroups usually contain short
2010 Aug 23
0
Announce: OpenSSH 5.6 released
...ontinues to apply. These options are useful for role accounts, disjoint account namespaces and "user at realm"-style naming policies in certificates. * Additional sshd_config(5) options are now valid inside Match blocks: AuthorizedKeysFile AuthorizedPrincipalsFile HostbasedUsesNameFromPacketOnly PermitTunnel * Revised the format of certificate keys. The new format, identified as ssh-{dss,rsa}-cert-v01 at openssh.com includes the following changes: - Adding a serial number field. This may be specified by the CA at the time of certificate signing. - Moving t...