CVS is missing documentation for HostbasedUsesNameFromPacketOnly

Carson Gaspar carson at
Tue Sep 16 04:17:49 EST 2003

--On Monday, September 15, 2003 10:05:24 +0200 Markus Friedl 
<markus at> wrote:

> On Sun, Sep 14, 2003 at 01:59:47PM -0400, Carson Gaspar wrote:
>> --On Saturday, September 13, 2003 5:33 PM +0200 Markus Friedl
>> <markus at> wrote:
>> > HostbasedUsesNameFromPacketOnly is experimental and
>> > not documented. i think it violates the spec.
>> Can you please elaborate? From my point of view, it is the _only_ sane
>> way to operate, as anything else looks at useless (from a security
>> perspective) IP and DNS data, as opposed to the cryptographically
>> authenticated data sent by the client.
>> It also makes HostbasedAuthentication survive NAT, which is nice.
> then add dot in shosts and it works.
> this won't/cannot be changed for 3.7

No, it doesn't. Add a trailing dot in .shosts and in known_hosts and you 
get a crypto error. The option is completely broken in current CVS. Moving 
the trailing dot stripper up fixes it so it works just fine. You may 
_choose_ not to fix it for 3.7, but there's absolutely no reason that you 
couldn't, as it changes _nothing_ if you don't use 
HostbasedUsesNameFromPacketOnly, and fixes the option being broken. You 
just don't care if it works or not.

I really wonder why I bother wasting my time with this crap.


More information about the openssh-unix-dev mailing list