How to specify chost (client hostname) used for hostbased authentication?

Fri Sep 5 19:45:33 AEST 2025

Thanks!
I am not that familiar with HostbasedAuthentication, or rather how it was/is actually used and what the background is.
To me, the whole thing with SSHKeySign looks like the server could actually SSH back to the client(’s server), have the server sign/verify it (sort of out-of-band) and then accept/reject the original authentication, not sure if something like that is behind this design or not but that’s why my thoughts went for verifying the hostname by forward DNS lookup…

Unfortunately I am not a dev, so I hope someone picks up this feature, possibly. Hostbased authentication doesn’t seem to get as much love as it should (especially in the context of bastions/jumphosts being deployed heavily in the clouds).

Jan

> On 5. 9. 2025, at 11:30, Brian Candler <b.candler at pobox.com> wrote:
> 
> On 05/09/2025 09:45, Jan Schermer wrote:
>> I have a question about hostbased authentication. It looks like the client does a reverse DNS lookup on the IP it is connecting from and uses that hostname as chost - which fails if it’s a dynamic IP (though wildcards in some places seem to work).
> For reference: https://www.rfc-editor.org/rfc/rfc4252.html#section-9
> 
> The point under consideration is: how does the openssh client select the chost value to put in the auth exchange for "hostbased" authentication?
> 
> From the source:
> 
>         /* figure out a name for the client host */
>         lname = get_local_name(ssh_packet_get_connection_in(ssh));
>         if (lname == NULL) {
>                 error_f("cannot get local ipaddr/name");
>                 goto out;
>         }
> 
>         /* XXX sshbuf_put_stringf? */
>         xasprintf(&chost, "%s.", lname);
>         debug2_f("chost %s", chost);
> 
> ...
> 
> char *
> get_local_name(int fd)
> {
>         char *host, myname[NI_MAXHOST];
> 
>         /* Assume we were passed a socket */
>         if ((host = get_socket_address(fd, 0, NI_NAMEREQD)) != NULL)
>                 return host;
> 
>         /* Handle the case where we were passed a pipe */
>         if (gethostname(myname, sizeof(myname)) == -1) {
>                 verbose_f("gethostname: %s", strerror(errno));
>                 host = xstrdup("UNKNOWN");
>         } else {
>                 host = xstrdup(myname);
>         }
> 
>         return host;
> }
> 
> ...
> 
> and in turn, get_socket_address() uses getpeername() or getsockname() and getnameinfo() to resolve.
> 
> So in short: I believe you're right, the chost that the client sends is chosen via reverse DNS of the client-side bound socket.
> 
> It does seem to me that it would be reasonable to have a client option to select an arbitrary chost string for host-based authentication (and/or to use the value of gethostname() only), but as far as I can see, no such option currently exists.
> 
> 
> 
>> Also I wonder if the server could/should just check forward DNS against the connecting IP as a better alternative to HostbasedUsesNameFromPacketOnly=yes, this would make it work with DynDNS services.
> Whatever hostname the client claims to have via chosts, it has to back that up by proving possession of the corresponding private key, so any DNS checks are arguably unnecesary.
> 
> Having said that, the RFC does say:
> 
>    Whenever possible, it is RECOMMENDED that the server perform
>    additional checks to verify that the network address obtained from
>    the (untrusted) network matches the given client host name.  This
>    makes exploiting compromised host keys more difficult.  Note that
>    this may require special handling for connections coming through a
>    firewall.
> Regards,
> 
> Brian.
> 