How to specify chost (client hostname) used for hostbased authentication?

Damien Miller djm at mindrot.org
Sun Sep 7 11:21:50 AEST 2025


On Fri, 5 Sep 2025, Jan Schermer wrote:

> Hi, I have a question about hostbased authentication. It looks like
> the client does a reverse DNS lookup on the IP it is connecting from
> and uses that hostname as chost - which fails if it’s a dynamic
> IP (though wildcards in some places seem to work). The solution
> is to put this IP in /etc/hosts so that it picks the hostname the
> authenticating server has in ssh_known_hosts and hosts.equiv, but
> that’s not practical.
>
> Is there a way to just configure it for a client or system in a
> config file? It’s apparently not a security measure (at least with
> HostbasedUsesNameFromPacketOnly=yes)? The only workaround I found
> is to use “ssh -o BindAddress=10.1.2.3” which is my second loopback
> address that’s actually used for my FQDN in /etc/hosts.
>
> Also I wonder if the server could/should just check forward
> DNS against the connecting IP as a better alternative to
> HostbasedUsesNameFromPacketOnly=yes, this would make it work with
> DynDNS services.

There's intentionally no way for the user to specify the name that is
sent in the hostbased authentication message. Others have already
pointed to the code, but tldr it's the hostname that getnameinfo()
returns for the outbound address of the connection or gethostname()
if that fails.

I say intentionally, as offering the user the ability to specify
the name in the packet would create a signing oracle in ssh-keysign
that would allow the hostkeys to be used to sign arbitrary hostbased
auth requests.

If you want to effectively configure the name in the packet, then
you need to ensure that /etc/hosts has the name you want to use
associated with the outbound connection address, and that the system
is configured to use /etc/hosts. You can also do this via DNS, or
other NSS lookup mechanisms, but /etc/hosts is the easiest generally.

There might be other valid ways to do this, e.g. new knobs that can
only be set via the system /etc/ssh/ssh_config (ssh-keysign already
trusts this file).

-d
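The rule in the reply (chost is whatever getnameinfo() returns for the outbound address, else gethostname()) can be reproduced in a few lines, which is a handy preflight before enabling hostbased auth on a client. The script below is an added example and is not OpenSSH code or part of this thread; it uses a UDP connect() to learn which local address the kernel would pick, mimics the client's name selection, and then checks that the chosen name forward-resolves to that address, which is the consistent /etc/hosts state the reply tells you to arrange. The lookups are injectable so the logic can be exercised without touching the resolver; the addresses and names in the usage block are constructed.

```python
import socket
import sys


def outbound_address(dest_host, dest_port=22):
    """Return the local address the kernel would use to reach dest_host.

    A UDP socket is connect()ed only so the kernel selects a source address;
    no datagram is sent. Returns None when there is no route (e.g. offline).
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((dest_host, dest_port))
            return s.getsockname()[0]
    except OSError:
        return None


def reverse_lookup(addr):
    """getnameinfo() with NI_NAMEREQD: a real name or None, never a numeric fallback."""
    try:
        return socket.getnameinfo((addr, 0), socket.NI_NAMEREQD)[0]
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def derive_chost(local_addr, reverse=reverse_lookup, hostname=socket.gethostname):
    """Mimic the client-side rule from the reply.

    chost = name from reverse lookup of the outbound address,
    falling back to gethostname() when there is no address or no name.
    """
    if local_addr is not None:
        name = reverse(local_addr)
        if name:
            return name
    return hostname()


def forward_lookup(name):
    """All addresses a name resolves to (via /etc/hosts, DNS, or other NSS sources)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def forward_matches(chost, local_addr, forward=forward_lookup):
    """True when the chosen chost resolves back to the outbound address.

    This is the sanity check for the /etc/hosts entry the reply recommends:
    the name you want as chost must be tied to the address the connection uses.
    """
    return local_addr in forward(chost)


if __name__ == "__main__":
    # Constructed usage: pass the server you intend to connect to.
    dest = sys.argv[1] if len(sys.argv) > 1 else "server.example.test"
    addr = outbound_address(dest)
    chost = derive_chost(addr)
    print(f"outbound address : {addr}")
    print(f"chost to be sent : {chost}")
    if addr is not None:
        ok = forward_matches(chost, addr)
        print(f"{chost} -> {addr} consistent: {ok}")
```

Run it with the hostname of the target server; if the printed chost is not the name the server has in ssh_known_hosts and hosts.equiv, adjust the /etc/hosts mapping for the printed outbound address (or use BindAddress as in the question) and rerun until the last line reports a consistent mapping.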
