AllowUsers not working under certain conditions

Peter Stuge stuge-openssh-unix-dev at
Sat Nov 19 06:20:21 EST 2005

On Fri, Nov 18, 2005 at 12:43:18PM -0000, Donald Fraser wrote:
> > Does the PTR record for the IP address change along with the
> > A record for the name? I assume sshd does a reverse-lookup of the
> > IP-address, otherwise it would be completely trivial to bypass the
> > check.
> I'm not exactly up on the terminology of the components of DNS
> entries but given an IP address the name returned is of the form:

A is for name->IP.
PTR is for IP->name, or "reverse" lookup.

The name you show above is in the PTR record. And while you can have point to the IP, the IP doesn't resolve back to but instead to

> However the reverse lookup of the name to IP address returns
> nothing, i.e. it doesn't exist in the DNS.
> Having looked at the code, this is where the problem lies.


[..VerifyReverseMapping vs UseDNS..]

> I find this sort of change in behaviour frustrating to say the
> least! Why remove an option that defaulted to "no" and force one to
> use it - doesn't this take away the flexibility of the software?
> If security is what is at stake here then in order to use the
> software in the same way I am now, in fact, forced to reduce my
> level of security.

I'm pretty sure your guess is spot on. The possibility to disable
verification of IP-addresses vs. hostnames was likely removed
because, as I wrote, without that verification it is trivial for
anyone in control of a DNS-server serving PTR records to spoof their
connection as being from your allowed domain.

> Before I could use the option:
> AllowUsers Auser@*
> One has to admit that, whilst having reverse mapping turned off,
> this is far more secure than the option I'm now forced to use to
> achieve the same of:
> AllowUsers Auser@*

I'm afraid not. DNS is not a secure system and anything that trusts
DNS will be vulnerable to all problems that DNS is vulnerable to.

> Does anybody know whether the VerifyReverseMapping option is going
> to be put back and what the reason for removing it in the first
> place was?

I doubt it will return.

May I suggest that you switch to using public key authentication and
disable the password and keyboard-interactive authentication methods?
I was afraid that my users would dislike that, but they didn't mind.
Some even appreciated the opportunity to learn how nice agent
forwarding is. :)
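To make the A-vs-PTR point concrete, here is an added example (mine, not code from this thread or from OpenSSH) that approximates the forward-confirmed reverse lookup sshd performs with UseDNS enabled, run against a constructed in-memory DNS table so it works offline. All hostnames, addresses and the AllowUsers pattern are made up; the `verify` switch stands in for the old VerifyReverseMapping behaviour.

```python
from fnmatch import fnmatch

# Constructed records (not real DNS): PTR maps IP -> name, A maps name -> IPs.
PTR = {
    "192.0.2.10": "host1.allowed.example",   # forward and reverse agree
    "192.0.2.20": "host2.allowed.example",   # PTR exists, no A record (the poster's case)
    "203.0.113.5": "host3.allowed.example",  # PTR set by whoever controls that reverse zone
}
A = {
    "host1.allowed.example": ["192.0.2.10"],
    "host3.allowed.example": ["198.51.100.7"],  # the real host3 lives elsewhere
}

def reverse_lookup(ip):
    return PTR.get(ip)

def forward_lookup(name):
    return A.get(name, [])

def resolved_hostname(ip, verify=True):
    """Return the name sshd would use for this connection, or None.

    With verify=True (UseDNS yes) the PTR name is accepted only if an A
    record for it points back at the connecting IP; otherwise the name is
    treated as unavailable and only the IP address remains for matching.
    With verify=False the raw PTR name is trusted as-is.
    """
    name = reverse_lookup(ip)
    if name is None:
        return None
    if verify and ip not in forward_lookup(name):
        return None
    return name

def allow_users_matches(user, ip, pattern, verify=True):
    """Approximate one 'AllowUsers USER@HOSTPATTERN' entry for a connection.

    Like sshd, the host part is matched against the resolved hostname (if
    any) and against the IP address; either match is enough.
    """
    puser, _, phost = pattern.partition("@")
    if not fnmatch(user, puser):
        return False
    if not phost:
        return True
    host = resolved_hostname(ip, verify=verify)
    return (host is not None and fnmatch(host, phost)) or fnmatch(ip, phost)
```

Running the three constructed addresses through a pattern such as `Auser@*.allowed.example` shows why the thread's advice holds: only the forward-confirmed host matches with verification on, the missing-A host falls back to its IP and fails, and a PTR name that does not resolve back to the IP only matches when verification is switched off.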
