William H. Magill on Mon, 7 Feb 2000 12:31:39 -0500 (EST)

> I have had trouble with ssh2 and the RequireReverseMapping option in
> the sshd2_config file -- when connecting from hosts for which the server
> can't perform a reverse DNS query to find the hostname, it will fail. To

Please note that this is NOT a failure. This is a security feature. This
option is doing exactly what it is intended to do.

A much better choice of words would be:

> When connecting from hosts for which the server can't perform a reverse
> DNS query to find the hostname, access will be denied.

A host with no reverse name lookup is considered a "spurious" host, and is
NOT to be trusted. Any IP address with no reverse DNS lookup is technically
non-conforming.

However, one problem which is seen more and more today with DSL connections
is the fact that the "host name" as returned by the reverse DNS lookup is
too long to be utilized by the host and gets truncated, or cannot be used
at all. (Which is yet another non-conforming issue.) The end result being
that the host name supplied and the reverse DNS name don't match, and
therefore the host is considered to be "spoofed," and access again will be
denied.

Another place where this happens is attempting to connect from conferences.
The vendor supplying the network connectivity does not provide either
forward or reverse lookups to any externally visible name servers (i.e. off
site, or off corporate net). The connections are viewed as "internal use
only" and so this is a perfectly reasonable action. But for the conference,
that range of addresses is allowed access through the corporate firewall,
but their existence is not advertised.

> solve this problem, you'd either have to connect from a host whose IP will
> reverse resolve to a DNS name, or set RequireReverseMapping to 'no' on the
> host you're trying to connect to.
> --

===<Tru64 UNIX-SIG Chair>=== www.tru64unix.org
T.T.F.N.
William H. Magill
Senior Systems Administrator
Information Services and Computing (ISC)
University of Pennsylvania
Internet: magill@isc.upenn.edu
magill@acm.org
http://pobox.upenn.edu/~magill/

______________________________________________________________________
Philadelphia Linux Users Group - http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion - http://lists.nothinbut.net/mail/listinfo/plug
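The check the post describes, as an added example that is not code from the post or from ssh2: a forward-confirmed reverse DNS lookup that denies in the three cases discussed above (no PTR at all, a PTR name that does not resolve back to the IP, and a client-supplied name that does not match the PTR, which is how this example models the truncated-name "spoofed" case). The IPs, names and lookup tables are constructed; `system_reverse`/`system_forward` show how the same check runs against the real resolver.

```python
"""Forward-confirmed reverse DNS check, as RequireReverseMapping enforces it:
reverse-resolve the client IP, forward-resolve that name, require the IP back."""
import socket
# Constructed lookup tables standing in for DNS (not real hosts).
PTR_TABLE = {
    "192.0.2.10": "gw.example.net",                        # consistent host
    "192.0.2.20": "dsl-192-0-2-20.very.long.isp.example",  # long DSL name
    "192.0.2.40": "stale.example.net",                     # PTR points elsewhere
    # "192.0.2.30" has no PTR record at all: the "spurious" host case
}
A_TABLE = {
    "gw.example.net": ["192.0.2.10"],
    "dsl-192-0-2-20.very.long.isp.example": ["192.0.2.20"],
    "stale.example.net": ["192.0.2.41"],
}

def table_reverse(ip):
    return PTR_TABLE.get(ip)

def table_forward(name):
    return A_TABLE.get(name, [])

def system_reverse(ip):
    """Reverse lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup via the system resolver; [] when the name is unknown."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_reverse_mapping(ip, claimed_name=None,
                          reverse=table_reverse, forward=table_forward):
    """Return (allowed, reason).  Denied when the IP has no PTR, when the
    PTR name does not resolve back to the IP, or when the name the client
    presents differs from the PTR name (the truncated/"spoofed" case)."""
    name = reverse(ip)
    if name is None:
        return False, "no reverse DNS entry for %s" % ip
    if ip not in forward(name):
        return False, "%s does not resolve back to %s" % (name, ip)
    if claimed_name is not None and claimed_name.lower() != name.lower():
        return False, "client name %s does not match PTR %s" % (claimed_name, name)
    return True, "reverse mapping for %s confirmed as %s" % (ip, name)
```

Pass `reverse=system_reverse, forward=system_forward` to test a live client address before deciding whether the admin, rather than the remote site's DNS, needs to change anything.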