Nicolas Williams wrote: > On Fri, Oct 31, 2008 at 12:09:11PM -0400, Kyle McDonald wrote: > > See HostbasedUsesNameFromPacketOnly and VerifyReverseMapping in > sshd_config(4): > > HostbasedUsesNameFromPacketOnly > > Controls which hostname is searched for in the files > ~/.shosts, /etc/shosts.equiv, and /etc/hosts.equiv. If > this parameter is set to yes, the server uses the name > the client claimed for itself and signed with that > host's key. If set to no, the default, the server uses > the name to which the client's IP address resolves. > > Setting this parameter to no disables host-based authen- > tication when using NAT or when the client gets to the > server indirectly through a port-forwarding firewall. > > and > > > VerifyReverseMapping > > Specifies whether sshd should try to verify the remote > host name and check that the resolved host name for the > remote IP address maps back to the very same IP address. > (A yes setting means "verify".) Setting this parameter > to no can be useful where DNS servers might be down and > thus cause sshd to spend much time trying to resolve the > client's IP address to a name. This feature is useful > for Internet-facing servers. The default is no. > > I saw those. Niether of them descirbe the case-(in)sensitivity of the hostname matching operations that sshd performs though.
The first one seemed somewhat applicable, but since I'm not using a NAT firewall, didn't seem applicable. I suppose from the description though it could remove DNS from the picture. What would need to match then? The client host's idea of it's own 'hostname', and the hostname for the key (and hosts.equiv?) on the destination? The second one seems like a good idea for added security when using hostbased authentication, but It's not clear how it would affect the hostname comparision? -Kyle > Nico >
