This is a discussion on Re: AllowUsers not working under certain conditions within the OpenSSH Development forums, part of the Networking and Network Related category.
> On Thu, Nov 17, 2005 at 12:50:53PM -0000, Donald Fraser wrote:
> > The user donald can connect from the local sub-net specified IP
> > address but cannot connect from an external domain that matches the
> > pattern *mydomain.com. The only way I can get the user donald to
> > connect on the external domain is by putting the exact IP address
> > in the AllowUsers option, which is not particularly useful as it is
> > a dynamically changing IP address.

Peter Stuge wrote:

> Does the PTR record for the IP address change along with the
> A record for the name? I assume sshd does a reverse-lookup of the
> IP-address, otherwise it would be completely trivial to bypass the
> check.

I'm not exactly up on the terminology of the components of DNS entries, but given an IP address the name returned is of the form: IP-IP-IP-IP.dyn.somedomain.com. However, the reverse lookup of the name to IP address returns nothing, i.e. it doesn't exist in the DNS.

Having looked at the code, this is where the problem lies. In version 3.5p1 there was the following option:

    VerifyReverseMapping
        Specifies whether sshd should try to verify the remote host name
        and check that the resolved host name for the remote IP address
        maps back to the very same IP address. The default is no.

Some time after the above version and before or in version 3.9p1 the above option was removed and replaced by the following option:

    UseDNS
        Specifies whether sshd should lookup the remote host name and
        check that the resolved host name for the remote IP address maps
        back to the very same IP address. The default is yes.

Now the two options look very similar, but having examined the code they are clearly not! The new UseDNS option when set to "no" means that given an IP address the host name will not be looked up, and therefore the host name will default to the IP address. Therefore domain names of any sort in your AllowUsers option will never work! I think the manual should be more clear on this.

When the UseDNS option is set to "yes", given an IP address the host name will be looked up, but an additional check (that the resolved host name for the remote IP address maps back to the very same IP address) is performed, whether you like it or not! Therefore what used to be a default of "no" for VerifyReverseMapping now defaults to "yes" if you want to use domain names in your AllowUsers option! Again, this is not clear in the manual.

I find this sort of change in behaviour frustrating to say the least! Why remove an option that defaulted to "no" and force one to use it? Doesn't this take away the flexibility of the software? If security is what is at stake here, then in order to use the software in the same way I am now, in fact, forced to reduce my level of security. Before I could use the option:

    AllowUsers Auser@*.somedomain.com

One has to admit that, whilst having reverse mapping turned off, this is far more secure than the option I'm now forced to use to achieve the same, of:

    AllowUsers Auser@*

Does anybody know whether the VerifyReverseMapping option is going to be put back, and what the reason for removing it in the first place was?

Regards
Donald Fraser

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
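As an added illustration (not code from the post or from OpenSSH itself), the following Python model reproduces the matching behaviour the post describes: with UseDNS no the host name used for matching is simply the IP; with UseDNS yes the PTR name is used only if its forward record maps back to the same address, otherwise sshd falls back to the IP; and the host part of a user@host AllowUsers pattern is matched against both that name and the IP. The DNS tables and addresses are constructed sample data.

```python
import fnmatch

# Constructed stand-in for the resolver (sample data, not real hosts).
# The dynamic address has a PTR record but no matching A record,
# which is exactly the situation the post describes.
PTR = {
    "203.0.113.7": "203-0-113-7.dyn.somedomain.com",
    "192.0.2.10": "box.somedomain.com",
}
A = {
    "box.somedomain.com": ["192.0.2.10"],
    # "203-0-113-7.dyn.somedomain.com" has no forward record
}


def remote_hostname(ip, use_dns, ptr=PTR, a=A):
    """Name sshd uses for matching, per the UseDNS behaviour in the post."""
    if not use_dns:
        return ip                        # UseDNS no: no lookup, name defaults to IP
    name = ptr.get(ip)
    if name is None:
        return ip                        # no PTR record: fall back to IP
    if ip not in a.get(name, []):
        return ip                        # PTR name does not map back: fall back to IP
    return name                          # forward-confirmed reverse lookup succeeded


def allow_users_match(pattern, user, ip, use_dns):
    """True if an AllowUsers entry (user or user@host) admits this login."""
    if "@" not in pattern:
        return fnmatch.fnmatchcase(user, pattern)
    user_pat, host_pat = pattern.split("@", 1)
    if not fnmatch.fnmatchcase(user, user_pat):
        return False
    host = remote_hostname(ip, use_dns)
    # The host part is tried against the resolved name and the bare IP,
    # which is why an exact IP entry works regardless of DNS.
    return (fnmatch.fnmatchcase(host, host_pat)
            or fnmatch.fnmatchcase(ip, host_pat))


if __name__ == "__main__":
    for use_dns in (False, True):
        for ip in ("203.0.113.7", "192.0.2.10"):
            ok = allow_users_match("Auser@*.somedomain.com", "Auser", ip, use_dns)
            print(f"UseDNS={'yes' if use_dns else 'no':3} {ip:12} -> {ok}")
```

Running it shows the dynamic address is refused under both settings for the domain pattern, while the forward-confirmed host is admitted only with UseDNS yes.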