CVS is missing documentation for HostbasedUsesNameFromPacketOnly

Markus Friedl markus at openbsd.org
Tue Sep 16 05:29:20 EST 2003


On Mon, Sep 15, 2003 at 02:17:49PM -0400, Carson Gaspar wrote:
> 
> --On Monday, September 15, 2003 10:05:24 +0200 Markus Friedl 
> <markus at openbsd.org> wrote:
> 
> >On Sun, Sep 14, 2003 at 01:59:47PM -0400, Carson Gaspar wrote:
> >>--On Saturday, September 13, 2003 5:33 PM +0200 Markus Friedl
> >><markus at openbsd.org> wrote:
> >>
> >>> HostbasedUsesNameFromPacketOnly is experimental and
> >>> not documented. i think it violates the spec.
> >>
> >>Can you please elaborate? From my point of view, it is the _only_ sane
> >>way  to operate, as anything else looks at useless (from a security
> >>perspective)  IP and DNS data, as opposed to the cryptographically
> >>authenticated data  sent by the client.
> >>
> >>It also makes HostbasedAuthentication survive NAT, which is nice.
> >
> >then add a dot in .shosts and it works.
> >
> >this won't/cannot be changed for 3.7
> 
> No, it doesn't. Add a trailing dot in .shosts and in known_hosts and you 
> get a crypto error.

crypto error?

> The option is completely broken in current CVS. Moving 

I don't see what's different from the last release.

I just tested HostbasedAuthentication again and it works
without problems.  Even with UseDNS=no.

> the trailing dot stripper up fixes it so it works just fine. You may 
> _choose_ not to fix it for 3.7, but there's absolutely no reason that you 
> couldn't, as it changes _nothing_ if you don't use 
> HostbasedUsesNameFromPacketOnly, and fixes the option being broken. You 

As I said before, I'm sorry it's too late to change this for 3.7.

Moreover, HostbasedUsesNameFromPacketOnly is experimental
and not recommended.

> just don't care if it works or not.
> 
> I really wonder why I bother wasting my time with this crap.

-m
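As an added illustration of the setup the thread is arguing about (this is not from the thread or from the OpenSSH sources; hostnames, the IP address and the user name are made up), the following fragments show a minimal HostbasedAuthentication configuration with the undocumented option turned on. With the default HostbasedUsesNameFromPacketOnly=no the server reverse-resolves the connecting address and requires the result to match the name the client sent; with "yes" only the client-sent name (which is covered by the client's host-key signature) is used for the .shosts and known_hosts lookups. The trailing dot on the client FQDN is the detail the two posters disagree about, so it is shown where the thread says it belongs.

```text
# --- server.example.com: /etc/ssh/sshd_config (hypothetical host) ---
HostbasedAuthentication yes
# Default "no": sshd reverse-looks-up the client's IP and checks it against
# the name in the packet. "yes": trust the client-supplied name only.
HostbasedUsesNameFromPacketOnly yes
IgnoreUserKnownHosts yes      # only the system-wide ssh_known_hosts below counts
UseDNS no

# --- server.example.com: /etc/ssh/ssh_known_hosts ---
# Host key of the client machine. The name must match what the client sends;
# per the thread, that means adding the trailing dot here as well.
client.example.com.,192.0.2.10 ssh-rsa AAAA...<client host public key>...

# --- server.example.com: ~alice/.shosts (or /etc/shosts.equiv) ---
# "<client host> <remote user>": let alice on client.example.com log in as alice
client.example.com. alice

# --- client.example.com: /etc/ssh/ssh_config ---
Host server.example.com
    HostbasedAuthentication yes
    EnableSSHKeysign yes      # setuid ssh-keysign signs the request with the host key
```

Whether the dotted form above works against the 3.7-era CVS code is exactly what the two posters disagree on: Carson reports a crypto error with it, Markus reports the option working in his tests. Anyone enabling the option should verify the lookup against their own sshd version with `sshd -d` rather than rely on either report.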