This is a discussion on reverse mapping and ssh within the Linux Security forums, part of the System Security and Security Related category.
Hello,

can ssh be set up in a way so that a connection can only be established when:

[1] the host that is trying to connect can be reverse mapped, OR
[2] the host is in the same domain as the server (and reverse mapping is not needed then)

thanks,

Ron
Ron Croonenberg <ronc@depauw.edu> writes:

> Hello,
>
> can ssh be set up in a way so that a connection can only be established
> when :
>
> [1] : the host that is trying to connect can be reverse mapped OR

Compile it with tcp wrappers support and you'll be able to put `sshd: PARANOID' in hosts.allow.

> [2] : the host is in the same domain as the server (and reverse mapping
> is not needed then)

What do you mean by `domain'? Netblocks are trivially appended to the above line, or can be specified in sshd_config, and hosts (or netblocks?) can be tied to specific public keys in authorized_keys as well.

You don't want to rely on an external box having a PTR entry pointing at something in your "domain", however.

~Tim
-- 
Famous moments vanish without trace |piglet@stirfried.vegetable.org.uk
Trees grow tall, fields grow wheat  |http://www.photoboxgallery.com/timhaynes
> Compile it with tcp wrappers support and you'll be able to put `sshd:
> PARANOID' in hosts.allow.

ok, so it isn't in there by default? I see entries in my secure log like:

Nov 2 21:26:38 thishost sshd[21860]: Could not reverse map address 210.0.142.182

>> [2] : the host is in the same domain as the server (and reverse mapping
>> is not needed then)
>
> What do you mean by `domain'?

domain as in DNS domain, or IP pool

> Netblocks are trivially appended to the above line, or can be specified in
> sshd_config, and hosts (or netblocks?) can be tied to specific public keys
> in authorized_keys as well.
>
> You don't want to rely on an external box having a PTR entry pointing at
> something in your "domain", however.

Well, what I want is this. If a host cannot be reverse mapped in DNS and it is outside our organization then I don't want to accept a connection with ssh. If it is within our organization I just want to accept it.

maybe I was a bit vague about what I want,

Ron
Ron Croonenberg <ronc@depauw.edu> writes:

>> Compile it with tcp wrappers support and you'll be able to put `sshd:
>> PARANOID' in hosts.allow.
>
> ok, so it isn't in there by default ?

I'm not aware of it being there in any distro's default setup.

> I see entries in my secure log like: Nov 2 21:26:38 thishost sshd[21860]:
> Could not reverse map address 210.0.142.182

You will, of course, only get an actual rejection if you also have `ALL: ALL' in hosts.deny.

>>> [2] : the host is in the same domain as the server (and reverse mapping
>>> is not needed then)
>> What do you mean by `domain'?
>
> domain as in DNS domain, or IP pool
>
>> Netblocks are trivially appended to the above line, or can be specified
>> in sshd_config, and hosts (or netblocks?) can be tied to specific public
>> keys in authorized_keys as well. You don't want to rely on an external
>> box having a PTR entry pointing at something in your "domain", however.
>
> Well, what I want is this. If a host cannot be reverse mapped in DNS and
> it is outside our organization then I don't want to accept a connection
> with ssh. If it is within our organization I just want to accept it.

`sshd: PARANOID 123.45.67.0/24' in hosts.allow, `ALL: ALL' in hosts.deny. Add more IP-blocks to taste.

While you could also add a domain-name there, do not rely on PTR records in DNS; they are outwith your control. ("Hey! I'm within your organization, lookie!".) Hence use of CIDR-style netblocks in the above, no names.

~Tim
-- 
HACK THE PLANET!  |piglet@stirfried.vegetable.org.uk
(Hackers, 1995)   |http://spodzone.org.uk/cesspit/