Host name lookup failure using hostbased authentication
There is a nasty problem when using hostbased authentication:

[thomas@sarkovy ~]$ journalctl -l -f | grep -Fe 'sshd['
Okt 22 15:20:54 sarkovy sshd[35034]: userauth_hostbased mismatch: client sends htpc.koeller.dyndns.org, but we resolve 192.168.0.2 to 192.168.0.2
Okt 22 15:20:54 sarkovy sshd[35034]: Connection closed by authenticating user thomas 192.168.0.2 port 36284 [preauth]
^C

Note that hostname/address lookups work in either direction:

[thomas@sarkovy ~]$ host htpc.koeller.dyndns.org
htpc.koeller.dyndns.org has address 192.168.0.2
htpc.koeller.dyndns.org has IPv6 address fd46:1ffa:d8e0::2
[thomas@sarkovy ~]$ host 192.168.0.2
2.0.168.192.in-addr.arpa domain name pointer htpc.koeller.dyndns.org.

What's wrong here?

Thomas
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Host name lookup failure using hostbased authentication
On Mon, 23 Oct 2023 at 00:43, Thomas Köller <thomas@koeller.dyndns.org> wrote:
> There is a nasty problem when using hostbased authentication:

Suggestions:
- "host" does DNS lookups, but is your system's nsswitch.conf or
equivalent actually configured to use DNS?
- have you turned off DNS lookups in sshd with "UseDNS no" in sshd_config?
- you could try setting "HostbasedUsesNameFromPacketOnly yes" in sshd_config.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Host name lookup failure using hostbased authentication
On 23.10.23 at 02:57, Darren Tucker wrote:
> Suggestions:
> - "host" does DNS lookups, but is your system's nsswitch.conf or
> equivalent actually configured to use DNS?
Yes, it is:
hosts: myhostname resolve [!UNAVAIL=return] files dns

I tried to verify correct nss operation using getent. This is what I got:

[thomas@sarkovy ~]$ getent ahostsv4 htpc.koeller.dyndns.org
192.168.0.2 STREAM htpc.koeller.dyndns.org
192.168.0.2 DGRAM
192.168.0.2 RAW
[thomas@sarkovy ~]$ getent hosts 192.168.0.2
192.168.0.2 htpc.koeller.dyndns.org

> - have you turned off DNS lookups in sshd with "UseDNS no" in sshd_config?
No

> - you could try setting "HostbasedUsesNameFromPacketOnly yes" in sshd_config.
I know, but I do not want to do that.


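The following script is an added example written for this thread; it is not OpenSSH code and was not posted by anyone on the list. It re-creates, as I understand it from the "we resolve 192.168.0.2 to 192.168.0.2" message, the check sshd performs before comparing the client-supplied host name with the peer's resolved name: a reverse lookup of the peer address, a forward lookup of the resulting name that must contain the peer address again, and a fall-back to the bare address string when either step fails. It then shows what each of Darren's three suggestions changes (a broken PTR, "UseDNS no", "HostbasedUsesNameFromPacketOnly yes"). Run with two arguments it uses the libc resolver through `getnameinfo`/`getaddrinfo`, i.e. the same NSS path `getent` takes, so running it on the server as the user sshd runs under gives a third data point beside `host` and `getent`. The function names, the in-memory resolver tables and the scenario labels are my own; the host name and addresses in the tables are taken from the thread and used only as sample data.

```python
#!/usr/bin/env python3
"""Offline model of sshd's hostbased-auth name check (added example, not OpenSSH code).

Steps, as understood from the thread's log line:
  1. reverse lookup of the peer address (getnameinfo with NI_NAMEREQD),
  2. forward lookup of that name, which must contain the peer address,
  3. on any failure, fall back to the bare address string,
  4. compare, case-insensitively, with the name the client sent.
"""
import socket
import sys
from typing import Callable, Iterable

ReverseLookup = Callable[[str], str]            # address -> host name, raises on failure
ForwardLookup = Callable[[str], Iterable[str]]  # host name -> addresses, raises on failure


def libc_reverse(addr: str) -> str:
    """PTR lookup via the system resolver; NI_NAMEREQD makes a missing PTR an error."""
    name, _ = socket.getnameinfo((addr, 0), socket.NI_NAMEREQD)
    return name


def libc_forward(name: str) -> list[str]:
    """A/AAAA lookup via the system resolver; every address found, deduplicated."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


def canonical_hostname(addr: str, *, use_dns: bool = True,
                       reverse: ReverseLookup = libc_reverse,
                       forward: ForwardLookup = libc_forward) -> str:
    """Name sshd would log as 'we resolve <addr> to ...'; the address itself on failure."""
    if not use_dns:
        return addr                      # "UseDNS no": the resolver is never asked
    try:
        name = reverse(addr).lower()
    except OSError:                      # herror/gaierror are OSError subclasses
        return addr                      # no usable PTR record
    try:
        forward_addrs = set(forward(name))
    except OSError:
        return addr                      # PTR name has no forward records
    if addr not in forward_addrs:
        return addr                      # forward records do not confirm the PTR name
    return name


def check_hostbased_name(client_name: str, peer_addr: str, *,
                         use_dns: bool = True, name_from_packet_only: bool = False,
                         reverse: ReverseLookup = libc_reverse,
                         forward: ForwardLookup = libc_forward) -> tuple[bool, str, str]:
    """Return (accepted, name sshd would look up in shosts.equiv/.shosts, explanation)."""
    chost = client_name.lower().rstrip(".")      # comparison is case-insensitive
    if name_from_packet_only:
        return True, chost, "HostbasedUsesNameFromPacketOnly yes: name taken from the packet"
    resolved = canonical_hostname(peer_addr, use_dns=use_dns, reverse=reverse, forward=forward)
    if resolved != chost:
        return (False, resolved,
                f"userauth_hostbased mismatch: client sends {chost}, "
                f"but we resolve {peer_addr} to {resolved}")
    return True, resolved, "client name confirmed by reverse and forward lookup"


def make_table_resolvers(ptr: dict, fwd: dict) -> tuple[ReverseLookup, ForwardLookup]:
    """Resolvers backed by in-memory tables so each resolver state can be reproduced offline."""
    def reverse(addr: str) -> str:
        if addr not in ptr:
            raise socket.herror(1, "Unknown host")
        return ptr[addr]

    def forward(name: str) -> list[str]:
        if name not in fwd:
            raise socket.gaierror(-2, "Name or service not known")
        return list(fwd[name])
    return reverse, forward


# Constructed tables; the name and addresses are the ones quoted in the thread.
GOOD_PTR = {"192.168.0.2": "htpc.koeller.dyndns.org"}
GOOD_FWD = {"htpc.koeller.dyndns.org": ["192.168.0.2", "fd46:1ffa:d8e0::2"]}
CLIENT = "htpc.koeller.dyndns.org"
PEER = "192.168.0.2"


def scenarios() -> dict[str, tuple[bool, str, str]]:
    """Outcomes an admin would see under the resolver states discussed in the thread."""
    ok_rev, ok_fwd = make_table_resolvers(GOOD_PTR, GOOD_FWD)
    no_ptr_rev, _ = make_table_resolvers({}, GOOD_FWD)
    # PTR points at a name whose forward records do not include the peer address.
    bad_rev, bad_fwd = make_table_resolvers({PEER: "other.example"}, {"other.example": ["192.0.2.9"]})
    return {
        "dns consistent": check_hostbased_name(CLIENT, PEER, reverse=ok_rev, forward=ok_fwd),
        "no PTR record": check_hostbased_name(CLIENT, PEER, reverse=no_ptr_rev, forward=ok_fwd),
        "UseDNS no": check_hostbased_name(CLIENT, PEER, use_dns=False, reverse=ok_rev, forward=ok_fwd),
        "PTR not confirmed": check_hostbased_name(CLIENT, PEER, reverse=bad_rev, forward=bad_fwd),
        "packet name only": check_hostbased_name(CLIENT, PEER, name_from_packet_only=True,
                                                 reverse=no_ptr_rev, forward=ok_fwd),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: hostbased_check.py <client-name> <peer-addr> (real resolver)
        print(check_hostbased_name(sys.argv[1], sys.argv[2]))
    else:
        for label, result in scenarios().items():
            print(f"{label:18} -> {result}")
```

Note that every failure path collapses to the same log text, which is why the message alone cannot tell a missing PTR apart from a PTR whose forward records do not contain the peer address, or from sshd simply not reaching the same NSS sources that a shell session reaches.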