William H. Magill on Mon, 7 Feb 2000 12:31:39 -0500 (EST)



Re: [PLUG] Info on SSH?


>   I have had trouble with ssh2 and the RequireReverseMapping option in
>   the sshd2_config file -- when connecting from hosts for which the server
>   can't perform a reverse dns query to find the hostname, it will fail.  To

Please note that this is NOT a failure. This is a security feature.
This option is doing exactly what it is intended to do.

A much better choice of words would be:
>   When connecting from hosts for which the server can't perform a reverse
>   dns query to find the hostname, access will be denied.

A host with no reverse name lookup is considered a "spurious" host, and is
NOT to be trusted.

Any IP address with no reverse DNS lookup is technically non-conforming.

However, one problem which is seen more and more today with DSL
connections is the fact that the "host name" as returned by the reverse
DNS lookup is too long to be utilized by the host and gets truncated,
or cannot be used at all. (Which is yet another non-conforming issue.)
The end result being that the host name supplied and the reverse DNS name
don't match and therefore the host is considered to be "spoofed," and
access again will be denied.

Another place where this happens is attempting to connect from conferences.
The vendor supplying the network connectivity does not provide either
forward or reverse lookups to any externally visible name servers (i.e. off
site, or off corporate net.) The connections are viewed as "internal use
only" and so this is a perfectly reasonable action. But for the conference,
that range of addresses is allowed access through the corporate firewall,
but their existence is not advertised.

>   solve this problem, you'd either have to connect from a host whose IP will
>   reverse resolve to a DNS name, or set RequireReverseMapping to 'no' on the
>   host you're trying to connect to.
>

-- 
                ===<Tru64 UNIX-SIG Chair>===
                     www.tru64unix.org
T.T.F.N.
William H. Magill                          Senior Systems Administrator
Information Services and Computing (ISC)   University of Pennsylvania
Internet: magill@isc.upenn.edu             magill@acm.org
                                           http://pobox.upenn.edu/~magill/

______________________________________________________________________
Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug
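The check that the post describes (no PTR record means deny; a PTR name that does not resolve forward back to the connecting address means "spoofed", deny; a truncated reverse name that no longer resolves at all means deny) is easy to see in isolation. The following is an added example written for this page, not code from sshd2 or from either poster: it models the reverse-mapping check with pluggable resolver functions so the three failure modes can be exercised offline against a constructed fake DNS. The `max_name_len` cutoff of 40 characters, the `RequireReverseMapping` flag on `decide()`, and all host names and 192.0.2.0/24 addresses are illustrative assumptions; the real sshd2 limit and internal logic are not stated in the thread.

```python
import socket
from typing import Callable, List, Optional, Tuple

# --- Constructed sample data (not real hosts): a fake DNS for offline tests ---
FAKE_PTR = {
    "192.0.2.10": "good.example.net",                       # PTR and A agree
    "192.0.2.20": "dsl-192-0-2-20.very-long-label-that-gets-truncated.isp.example",
    "192.0.2.40": "victim.example.net",                     # PTR claims a name it does not own
    # "192.0.2.30" deliberately has no PTR: the "spurious" host in the post
}
FAKE_A = {
    "good.example.net": ["192.0.2.10"],
    # Resolves correctly only if the whole 62-character name survives intact.
    "dsl-192-0-2-20.very-long-label-that-gets-truncated.isp.example": ["192.0.2.20"],
    "victim.example.net": ["192.0.2.41"],                   # does not point back at .40
}


def fake_reverse(ip: str) -> str:
    """Reverse (PTR) lookup against the constructed table."""
    if ip not in FAKE_PTR:
        raise LookupError("no PTR record for %s" % ip)
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    """Forward (A) lookup against the constructed table."""
    if name not in FAKE_A:
        raise LookupError("no A record for %s" % name)
    return FAKE_A[name]


def system_reverse(ip: str) -> str:
    """Reverse lookup via the OS resolver (needs network; not used by the tests)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as exc:
        raise LookupError(str(exc))


def system_forward(name: str) -> List[str]:
    """Forward lookup via the OS resolver (needs network; not used by the tests)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror as exc:
        raise LookupError(str(exc))


def check_reverse_mapping(
    ip: str,
    reverse_lookup: Callable[[str], str],
    forward_lookup: Callable[[str], List[str]],
    max_name_len: Optional[int] = None,
) -> Tuple[str, str]:
    """Return ("allow", name) or ("deny", reason) for a connecting address.

    max_name_len models a host that truncates long reverse names (the DSL
    case in the post); the length limit itself is an assumption.
    """
    try:
        name = reverse_lookup(ip)
    except LookupError:
        return ("deny", "no reverse (PTR) record for %s" % ip)

    if max_name_len is not None and len(name) > max_name_len:
        name = name[:max_name_len]  # host-side truncation of an over-long name

    try:
        addrs = forward_lookup(name)
    except LookupError:
        return ("deny", "reverse name %r does not resolve forward" % name)

    if ip not in addrs:
        return ("deny", "forward lookup of %r gives %s, not %s (possible spoof)"
                % (name, ",".join(addrs), ip))
    return ("allow", name)


def decide(ip: str, require_reverse_mapping: bool = True,
           max_name_len: Optional[int] = None) -> Tuple[str, str]:
    """Mimic the effect of the option: off means the check is skipped entirely."""
    if not require_reverse_mapping:
        return ("allow", "reverse mapping not required")
    return check_reverse_mapping(ip, fake_reverse, fake_forward, max_name_len)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, decide(ip, max_name_len=40))
```

Running the block with the fake tables shows the two outcomes the post distinguishes: `192.0.2.30` is denied for having no PTR at all, while `192.0.2.20` is allowed when its long name is kept whole but denied once the name is cut to 40 characters, because the truncated name no longer resolves. Setting `RequireReverseMapping no` in `sshd2_config`, as the quoted poster suggests, corresponds to `decide(ip, require_reverse_mapping=False)`: the check is not relaxed, it is removed, which is why the post treats the denial as the feature working rather than a bug.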