AllowUsers not working under certain conditions

Donald Fraser demolish at kiwi-fraser.net
Fri Nov 18 23:43:18 EST 2005


> On Thu, Nov 17, 2005 at 12:50:53PM -0000, Donald Fraser wrote:
> > The user donald can connect from the local sub-net specified IP
> > address but cannot connect from an external domain that matches the
> > pattern *mydomain.com. The only way I can get the user donald to
> > connect on the external domain is by putting the exact IP address
> > in the AllowUsers option, which is not particularly useful as it is
> > a dynamically changing IP address.

Peter Stuge wrote:
> Does the PTR record for the IP address change along with the
> A record for the name? I assume sshd does a reverse-lookup of the
> IP-adress, otherwise it would be completely trivial to bypass the
> check.

I'm not exactly up on the terminology of the components of DNS entries but
given an IP address the name returned is of the form:
IP-IP-IP-IP.dyn.somedomain.com.
However the reverse lookup of the name to IP address returns nothing, i.e.
it doesn't exist in the DNS.
Having looked at the code, this is where the problem lies.
In version 3.5p1 there was the following option

     VerifyReverseMapping
             Specifies whether sshd should try to verify the remote host
             name and check that the resolved host name for the remote IP
             address maps back to the very same IP address.  The default
             is no

Some time after the above version and before or in version 3.9p1 the above
option was removed and replaced by the following option:

     UseDNS  Specifies whether sshd should lookup the remote host name and
             check that the resolved host name for the remote IP address
             maps back to the very same IP address.  The default is yes

Now the two options look very similar but having examined the code they are
clearly not!

The new UseDNS option when set to "no" means that given an IP address the
host name will not be looked up, and therefore the host name will default to
the IP address. Therefore domain names of any sort in your AllowUsers option
will never work! I think the manual should be more clear on this.

When the UseDNS option is set to "yes", given an IP address the host name
will be looked up but an additional check - the resolved host name for the
remote IP address maps back to the very same IP address is performed -
whether you like it or not!
Therefore what used to be a default of "no" for VerifyReverseMapping now
defaults to "yes" if you want to use domain names in your AllowUsers option!
Again this is not clear in the manual.

I find this sort of change in behaviour frustrating to say the least!
Why remove an option that defaulted to "no" and force one to use it -
doesn't this take away the flexibility of the software?

If security is what is at stake here then in order to use the software in
the same way I am now, in fact, forced to reduce my level of security.
Before I could use the option:
AllowUsers Auser@*.somedomain.com
One has to admit that, whilst having reverse mapping turned off, this is
far more secure than the option I'm now forced to use to achieve the same
of:
AllowUsers Auser@*

Does anybody know whether the VerifyReverseMapping option is going to be put
back and what the reason for removing it in the first place was?

Regards
Donald Fraser
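The behaviour described in the post above, as an added model that is not part of the original message and not OpenSSH's own code: it shows how the host name that AllowUsers is matched against is derived under UseDNS no (the IP itself) and UseDNS yes (reverse lookup, kept only if it resolves forward to the same IP), and why a dynamic PTR name with no matching A record makes a `user@*.somedomain.com` pattern fail. The DNS records are constructed, `fnmatchcase` stands in for sshd's own `*`/`?` matcher, and the host part is assumed to match either the canonical host name or the IP address.

```python
"""Model of sshd's AllowUsers host matching under UseDNS yes/no.
Added illustration only; the DNS data below is constructed."""
from fnmatch import fnmatchcase

# Constructed PTR records (IP -> name) and A records (name -> IPs).
PTR = {
    "192.0.2.10": "192-0-2-10.dyn.somedomain.com",  # PTR exists, no A record
    "192.0.2.20": "box.somedomain.com",             # PTR and A agree
    "192.0.2.30": "box.somedomain.com",             # PTR name resolves elsewhere
}
A = {
    "box.somedomain.com": {"192.0.2.20"},
}


def canonical_hostname(ip, use_dns):
    """Host name sshd uses for matching (assumed model of the post's
    description).  UseDNS no: the IP string.  UseDNS yes: the PTR name,
    but only if it resolves back to the same IP; otherwise the IP."""
    if not use_dns:
        return ip
    name = PTR.get(ip)
    if name is None:
        return ip
    if ip not in A.get(name, set()):
        # Forward lookup does not map back to the client: fall back to the IP.
        return ip
    return name


def allow_users_permits(allow_users, user, ip, use_dns):
    """True if any AllowUsers pattern admits user connecting from ip.
    A bare pattern matches the user name only; user@host also requires the
    host part to match the canonical host name or the IP address."""
    host = canonical_hostname(ip, use_dns).lower()
    for pat in allow_users:
        upat, sep, hpat = pat.partition("@")
        if not fnmatchcase(user, upat):
            continue
        if not sep:
            return True
        if fnmatchcase(host, hpat.lower()) or fnmatchcase(ip, hpat):
            return True
    return False


if __name__ == "__main__":
    rules = ["donald@*.somedomain.com"]
    for ip in PTR:
        for use_dns in (False, True):
            print(ip, "UseDNS", "yes" if use_dns else "no",
                  "->", allow_users_permits(rules, "donald", ip, use_dns))
```

Only 192.0.2.20 with UseDNS yes passes the domain pattern; the dynamic address 192.0.2.10 never does, because its PTR name has no A record and sshd reverts to the bare IP, which is exactly the case the post complains about.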
