How to specify chost (client hostname) used for hostbased authentication?
Jan Schermer
jan at schermer.cz
Fri Sep 5 18:45:11 AEST 2025
Hi,
I have a question about hostbased authentication. It looks like the client does a reverse DNS lookup on the IP it is connecting from and uses that hostname as chost - which fails if it’s a dynamic IP (though wildcards in some places seem to work).
The solution is to put this IP in /etc/hosts so that it picks the hostname the authenticating server has in ssh_known_hosts and hosts.equiv, but that’s not practical.
Is there a way to just configure it for a client or system in a config file? It’s apparently not a security measure (at least with HostbasedUsesNameFromPacketOnly=yes)?
The only workaround I found is to use “ssh -o BindAddress=10.1.2.3” which is my second loopback address that’s actually used for my FQDN in /etc/hosts.
Also I wonder if the server could/should just check forward DNS against the connecting IP as a better alternative to HostbasedUsesNameFromPacketOnly=yes, this would make it work with DynDNS services.
Thanks
Jan
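The forward-DNS check proposed in the last paragraph of the message above, sketched as an added example (not part of the original post and not OpenSSH code). The function names, the injectable resolver, and the sample zone are hypothetical and constructed for illustration.

```python
import ipaddress
import socket

def forward_addresses(name):
    """Resolve name to its A/AAAA addresses using the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def normalize(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def chost_matches_peer(chost, peer_ip, resolve=forward_addresses):
    """Return True if the claimed chost forward-resolves to the peer address.

    Fails closed: an empty name or a resolver error counts as no match.
    """
    name = chost.rstrip(".").lower()  # accept the absolute "host.example." form
    if not name:
        return False
    try:
        candidates = {normalize(a) for a in resolve(name)}
    except (OSError, ValueError):
        return False
    return normalize(peer_ip) in candidates

# Constructed sample data standing in for a dynamic-DNS zone (assumption).
SAMPLE_ZONE = {
    "laptop.dyn.example.org": ["203.0.113.57", "2001:db8::57"],
    "other.example.org": ["198.51.100.9"],
}

def sample_resolver(name):
    """Offline resolver over SAMPLE_ZONE; unknown names raise like getaddrinfo."""
    if name not in SAMPLE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "constructed: no such name")
    return SAMPLE_ZONE[name]

if __name__ == "__main__":
    for chost, ip in [
        ("laptop.dyn.example.org.", "203.0.113.57"),    # name maps to peer
        ("laptop.dyn.example.org", "::ffff:203.0.113.57"),
        ("other.example.org", "203.0.113.57"),          # name maps elsewhere
        ("missing.example.org", "203.0.113.57"),        # lookup fails
    ]:
        print(chost, ip, chost_matches_peer(chost, ip, sample_resolver))
```

A check like this only limits which address may claim a name; the signature made with the client host key, verified against ssh_known_hosts, is still what authenticates the host, and the lookup is only as trustworthy as the resolver path.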