CVS is missing documentation for HostbasedUsesNameFromPacketOnly
Carson Gaspar
carson at taltos.org
Tue Sep 16 04:17:49 EST 2003
--On Monday, September 15, 2003 10:05:24 +0200 Markus Friedl
<markus at openbsd.org> wrote:
> On Sun, Sep 14, 2003 at 01:59:47PM -0400, Carson Gaspar wrote:
>> --On Saturday, September 13, 2003 5:33 PM +0200 Markus Friedl
>> <markus at openbsd.org> wrote:
>>
>> > HostbasedUsesNameFromPacketOnly is experimental and
>> > not documented. i think it violates the spec.
>>
>> Can you please elaborate? From my point of view, it is the _only_ sane
>> way to operate, as anything else looks at useless (from a security
>> perspective) IP and DNS data, as opposed to the cryptographically
>> authenticated data sent by the client.
>>
>> It also makes HostbasedAuthentication survive NAT, which is nice.
>
> then add dot in shosts and it works.
>
> this won't/cannot be changed for 3.7
No, it doesn't. Add a trailing dot in .shosts and in known_hosts and you
get a crypto error. The option is completely broken in current CVS. Moving
the trailing dot stripper up fixes it so it works just fine. You may
_choose_ not to fix it for 3.7, but there's absolutely no reason that you
couldn't, as it changes _nothing_ if you don't use
HostbasedUsesNameFromPacketOnly, and fixes the option being broken. You
just don't care if it works or not.
I really wonder why I bother wasting my time with this crap.
--
Carson
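To illustrate the dispute above, here is an added, simplified model of the hostbased host lookup (not OpenSSH's code): the client name in the packet arrives as an FQDN with a trailing dot, and the lookup only succeeds if that dot is stripped before the host key is looked up. Host names, the key string and the known_hosts/.shosts entries are constructed sample values; the assumption that known_hosts entries are written without a trailing dot is the usual one.

```python
"""Simplified model of sshd's hostbased host selection and lookup.

This is illustrative code, not OpenSSH's implementation. It shows:
  * which name is trusted with and without HostbasedUsesNameFromPacketOnly,
  * why the trailing-dot strip must run before the known_hosts lookup,
  * why using the packet name survives NAT (reverse DNS gives the gateway).
"""


def normalize(name: str) -> str:
    """Strip the trailing dot of an FQDN and fold case for matching."""
    return name.rstrip(".").lower()


def trusted_client_name(packet_host: str, dns_host: str,
                        use_packet_name_only: bool) -> str:
    """Pick the host name sshd will use for the key and .shosts lookup."""
    if use_packet_name_only:
        # Name covered by the client's signature in the hostbased packet.
        return packet_host
    # Legacy behaviour: reverse DNS of the connecting IP, unauthenticated.
    return dns_host


def hostbased_accept(packet_host: str, dns_host: str, signing_key: str,
                     known_hosts: dict, shosts: set,
                     use_packet_name_only: bool,
                     strip_before_lookup: bool = True) -> bool:
    """Return True if the modelled server would accept the hostbased login.

    known_hosts maps host name -> host public key (no trailing dots, the
    usual way entries are written); shosts is the set of allowed hosts.
    """
    chost = trusted_client_name(packet_host, dns_host, use_packet_name_only)
    lookup = normalize(chost) if strip_before_lookup else chost
    # Key lookup: a miss here is what the client sees as a signature failure.
    if known_hosts.get(lookup) != signing_key:
        return False
    # .shosts is consulted with the stripped name.
    return normalize(chost) in shosts


# Constructed sample data: one allowed client host and its (fake) key.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ-constructed-sample-key"
KNOWN_HOSTS = {"client.example.com": SAMPLE_KEY}
SHOSTS = {"client.example.com"}

if __name__ == "__main__":
    # Packet name with trailing dot, stripped before lookup: accepted.
    print(hostbased_accept("client.example.com.", "client.example.com",
                           SAMPLE_KEY, KNOWN_HOSTS, SHOSTS, True))
    # Same, but the strip runs too late: lookup misses, login rejected.
    print(hostbased_accept("client.example.com.", "client.example.com",
                           SAMPLE_KEY, KNOWN_HOSTS, SHOSTS, True, False))
```

Behind NAT the reverse lookup yields the gateway's name, so the legacy mode rejects the login while the packet-name mode still matches the signed host name.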