AllowUsers not working under certain conditions
Peter Stuge
stuge-openssh-unix-dev at cdy.org
Sat Nov 19 06:20:21 EST 2005
On Fri, Nov 18, 2005 at 12:43:18PM -0000, Donald Fraser wrote:
> > Does the PTR record for the IP address change along with the
> > A record for the name? I assume sshd does a reverse-lookup of the
> > IP-address, otherwise it would be completely trivial to bypass the
> > check.
>
> I'm not exactly up on the terminology of the components of DNS
> entries but given an IP address the name returned is of the form:
> IP-IP-IP-IP.dyn.somedomain.com.
A is for name->IP.
PTR is for IP->name, or "reverse" lookup.
The name you show above is in the PTR record. And while you can have
donald.yourdomain.com point to the IP, the IP doesn't resolve back to
donald.yourdomain.com but instead to IP-IP-IP-IP.dyn.somedomain.com.
> However the reverse lookup of the name to IP address returns
> nothing, i.e. it doesn't exist in the DNS.
> Having looked at the code, this is where the problem lies.
Yep.
[..VerifyReverseMapping vs UseDNS..]
> I find this sort of change in behaviour frustrating to say the
> least! Why remove an option that defaulted to "no" and force one to
> use it - doesn't this take away the flexibility of the software?
>
> If security is what is at stake here then in order to use the
> software in the same way I am now, in fact, forced to reduce my
> level of security.
I'm pretty sure your guess is spot on. The possibility to disable
verification of IP-addresses vs. hostnames was likely removed
because, as I wrote, without that verification it is trivial for
anyone in control of a DNS-server serving PTR records to spoof their
connection as being from your allowed domain.
> Before I could use the option:
> AllowUsers Auser@*.somedomain.com
> One has to admit that, whilst having reverse mapping turned off,
> this is far more secure than the option I'm now forced to use to
> achieve the same of:
> AllowUsers Auser@*
I'm afraid not. DNS is not a secure system and anything that trusts
DNS will be vulnerable to all problems that DNS is vulnerable to.
> Does anybody know whether the VerifyReverseMapping option is going
> to be put back and what the reason for removing it in the first
> place was?
I doubt it will return.
May I suggest that you switch to using public key authentication and
disable the password and keyboard-interactive authentication methods?
I was afraid that my users would dislike that, but they didn't mind.
Some even appreciated the opportunity to learn how nice agent
forwarding is. :)
//Peter
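The check the thread is arguing about, modelled as an added example (this is not sshd's code and not part of the original mail): sshd only uses a PTR name for AllowUsers matching if one of that name's A records points back at the connecting address, otherwise it falls back to the bare IP. The DNS data below is constructed, not real zones, and the `use_dns=False` branch reproduces the old unverified behaviour Peter warns about so the difference is visible; sshd's own matcher additionally tries the pattern against the address, which is left out here.

```python
import fnmatch

# Constructed toy DNS data for the example (not real records).
PTR_RECORDS = {
    "203.0.113.10": "203-0-113-10.dyn.somedomain.com",  # dynamic-pool name with no A record
    "203.0.113.11": "donald.yourdomain.com",             # honest PTR, forward lookup agrees
    "203.0.113.12": "box.somedomain.com",                # PTR claims a name the forward side denies
}
A_RECORDS = {
    "donald.yourdomain.com": ["203.0.113.11"],
    "box.somedomain.com": ["198.51.100.5"],
}


def reverse_lookup(ip):
    """IP -> name via the PTR table, or None if no PTR exists."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """name -> list of IPs via the A table, empty if the name does not exist."""
    return A_RECORDS.get(name.lower(), [])


def client_hostname(ip, use_dns=True):
    """Name sshd would match AllowUsers against for a connection from `ip`.

    With verification (the UseDNS behaviour), the PTR name is only accepted
    when its A records include `ip`; otherwise the bare IP string is used.
    Without verification, whatever the PTR says is trusted as-is.
    """
    name = reverse_lookup(ip)
    if name is None:
        return ip
    if not use_dns:
        return name  # unverified: a hostile PTR server picks the name
    if ip in forward_lookup(name):
        return name
    return ip  # PTR not confirmed by forward lookup: fall back to the address


def allowed(user, ip, patterns, use_dns=True):
    """Evaluate a list of AllowUsers patterns (USER or USER@HOST) for a login."""
    host = client_hostname(ip, use_dns)
    for pat in patterns:
        if "@" in pat:
            puser, phost = pat.split("@", 1)
        else:
            puser, phost = pat, "*"
        if fnmatch.fnmatchcase(user, puser) and fnmatch.fnmatchcase(host, phost):
            return True
    return False


if __name__ == "__main__":
    rules = ["Auser@*.somedomain.com"]
    for ip in sorted(PTR_RECORDS):
        print(ip, "verified:", allowed("Auser", ip, rules),
              "unverified:", allowed("Auser", ip, rules, use_dns=False))
```

Running it shows the two points made in the mail: the dynamic-pool address is rejected under verification because its PTR name has no A record (which is Donald's complaint), and the address whose PTR merely claims a somedomain.com name is also rejected under verification but accepted without it, which is why the unverified mode is weaker than `Auser@*`.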