Re: AllowUsers not working under certain conditions

Old 11-18-2005
Peter Stuge
 
Re: AllowUsers not working under certain conditions

On Fri, Nov 18, 2005 at 12:43:18PM -0000, Donald Fraser wrote:
> > Does the PTR record for the IP address change along with the
> > A record for the name? I assume sshd does a reverse-lookup of the
> > IP-address, otherwise it would be completely trivial to bypass the
> > check.
>
> I'm not exactly up on the terminology of the components of DNS
> entries but given an IP address the name returned is of the form:
> IP-IP-IP-IP.dyn.somedomain.com.


A is for name->IP.
PTR is for IP->name, or "reverse" lookup.

The name you show above is in the PTR record. And while you can have
donald.yourdomain.com point to the IP, the IP doesn't resolve back to
donald.yourdomain.com but instead to IP-IP-IP-IP.dyn.somedomain.com.


> However the reverse lookup of the name to IP address returns
> nothing, i.e. it doesn't exist in the DNS.
> Having looked at the code, this is where the problem lies.


Yep.


[..VerifyReverseMapping vs UseDNS..]

> I find this sort of change in behaviour frustrating to say the
> least! Why remove an option that defaulted to "no" and force one to
> use it - doesn't this take away the flexibility of the software?
>
> If security is what is at stake here then in order to use the
> software in the same way I am now, in fact, forced to reduce my
> level of security.


I'm pretty sure your guess is spot on. The possibility to disable
verification of IP-addresses vs. hostnames was likely removed
because, as I wrote, without that verification it is trivial for
anyone in control of a DNS-server serving PTR records to spoof their
connection as being from your allowed domain.


> Before I could use the option:
> AllowUsers Auser@*.somedomain.com
> One has to admit that, whilst having reverse mapping turned off,
> this is far more secure than the option I'm now forced to use to
> achieve the same of:
> AllowUsers Auser@*


I'm afraid not. DNS is not a secure system and anything that trusts
DNS will be vulnerable to all problems that DNS is vulnerable to.


> Does anybody know whether the VerifyReverseMapping option is going
> to be put back and what the reason for removing it in the first
> place was?


I doubt it will return.

May I suggest that you switch to using public key authentication and
disable the password and keyboard-interactive authentication methods?
I was afraid that my users would dislike that, but they didn't mind.
Some even appreciated the opportunity to learn how nice agent
forwarding is. :)


//Peter

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
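The behaviour discussed in the thread, as an added example that is not part of the original post and not OpenSSH's own code: a small model of the forward-confirmed reverse lookup sshd performs before it matches an `AllowUsers user@hostpattern` entry. The PTR record only supplies a candidate name; that name is used for matching only if an A lookup of it contains the connecting address, otherwise the bare IP is used. The DNS table, host names and addresses below are constructed for the example, and the `verify_reverse` switch is a hypothetical stand-in for the removed `VerifyReverseMapping no` setting, kept here only to show why the two `AllowUsers` forms behave as they do.

```python
"""Model of sshd's forward-confirmed reverse DNS check for AllowUsers user@host.

This is an illustrative reimplementation with an in-memory DNS table; it is
not the sshd source. Names and addresses are constructed (RFC 5737 ranges).
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed DNS data.
#   "a":   forward records, name -> list of addresses
#   "ptr": reverse records, address -> name
FAKE_DNS: Dict[str, Dict] = {
    "a": {
        "donald.yourdomain.com": ["192.0.2.10"],
        "admin.somedomain.com": ["192.0.2.50"],
        # Note: no A record exists for 192-0-2-10.dyn.somedomain.com, which
        # models the ISP setup described in the thread (PTR only, no forward).
    },
    "ptr": {
        "192.0.2.10": "192-0-2-10.dyn.somedomain.com",
        # A reverse zone run by someone else can return any name it likes;
        # here it claims a name inside somedomain.com, but that name's A
        # record points to a different address, so it cannot be confirmed.
        "198.51.100.7": "admin.somedomain.com",
    },
}


def client_hostname(ip: str, dns: Dict = FAKE_DNS, verify_reverse: bool = True) -> str:
    """Return the name sshd would match AllowUsers patterns against.

    With verify_reverse=True (current sshd behaviour when UseDNS is on) the
    PTR name is only accepted if a forward lookup of it yields the same ip;
    otherwise the ip itself is used as the "hostname".
    """
    name = dns["ptr"].get(ip)
    if name is None:
        return ip                      # no PTR record at all
    if verify_reverse and ip not in dns["a"].get(name, []):
        return ip                      # forward record missing or mismatched
    return name


def allow_users_match(user: str, ip: str, patterns: List[str],
                      dns: Dict = FAKE_DNS, verify_reverse: bool = True) -> bool:
    """Emulate AllowUsers: 'user' or 'user@hostpattern' entries.

    The host part is tried against the (verified) hostname and the address.
    """
    host = client_hostname(ip, dns, verify_reverse)
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if fnmatchcase(user, upat) and (
                fnmatchcase(host, hpat) or fnmatchcase(ip, hpat)
            ):
                return True
        elif fnmatchcase(user, pat):
            return True
    return False


if __name__ == "__main__":
    cases = [
        ("Auser", "192.0.2.10", ["Auser@*.somedomain.com"]),   # the thread's failing entry
        ("Auser", "192.0.2.10", ["Auser@*"]),                  # the fallback entry
        ("Auser", "198.51.100.7", ["Auser@*.somedomain.com"]), # unconfirmable PTR
    ]
    for user, ip, pats in cases:
        strict = allow_users_match(user, ip, pats)
        lax = allow_users_match(user, ip, pats, verify_reverse=False)
        print(f"{user}@{ip} vs {pats}: verified={strict} unverified={lax}")
```

The first case is Donald's situation: the PTR name ends in `.somedomain.com`, but because it has no forward record the verified name collapses to the bare address and `Auser@*.somedomain.com` no longer matches. The third case is the reason the unverified mode is unsafe: any reverse zone can hand back a name under the allowed domain, and only the forward confirmation rejects it.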