Re: Dynamic DNS

Steven M Campbell wrote:

Sebastian Docktor wrote:

Hi,

I want to allow a dynamic DNS client to access the SSH server on my firewall, but I don't want to open SSH for all IPs.
Is it possible for iptables to always look up the IP address from the hostname, so that only the IP which is registered under
the dyndns name has access?





IMO, it's a very bad idea to lower the security of an iptables firewall by making it dependent on DNS for any portion of authorization certification. DNS isn't exactly known for its stellar security :) Allow me to suggest an alternate path. Use RSA key files and disallow SSH password authentication; this way you can leave the port open, but users without public keys installed on the server cannot gain access. Generally speaking, DNS should have nothing to do with anyone's firewall, because DNS would then become the weak link in the security chain, and SSH has methods that are better applied to these needs.



A quick look at the sshd_config man page reveals:

AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is
allowed only for user names that match one of the patterns. '*' and '?' can be used as wildcards in the
patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for
all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts.


Sorry for straying off the topic, folks; I think you might care to take this route.
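As an added example (not code from anyone in this thread), the script below puts the two replies' advice side by side: a constructed sshd_config that still allows password logins, and a hardened one that accepts only public keys, locks out root, and uses AllowUsers USER@HOST to pin one account to one source address. A small POSIX sh audit function then checks a config for those settings. The user name "admin" and the address 192.0.2.10 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only, non-root logins.
# Both configs below are constructed for this example, not taken from the thread.

# Weak: password logins allowed, root may log in, no per-user/host restriction.
WEAK_CONF='Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
'

# Hardened: public keys only, root locked out, and only "admin" may log in,
# and only from 192.0.2.10 (user name and address are assumed values).
HARD_CONF='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers admin@192.0.2.10
'

# sshd honours the first occurrence of a keyword; print that value, or the
# default given in $3 when the keyword is absent. Comments and blanks are skipped.
sshd_opt() {
    printf '%s' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Returns 0 when the config only permits key-based, non-root logins, 1 otherwise.
# Defaults passed to sshd_opt are OpenSSH's compiled-in defaults; older
# releases defaulted PermitRootLogin to "yes", so treat an absent line with care.
check_sshd_config() {
    conf="$1"
    ok=0
    if [ "$(sshd_opt "$conf" PasswordAuthentication yes)" != no ]; then
        echo "FAIL: PasswordAuthentication should be no"; ok=1
    fi
    if [ "$(sshd_opt "$conf" ChallengeResponseAuthentication yes)" != no ]; then
        echo "FAIL: ChallengeResponseAuthentication should be no"; ok=1
    fi
    if [ "$(sshd_opt "$conf" PubkeyAuthentication yes)" != yes ]; then
        echo "FAIL: PubkeyAuthentication should be yes"; ok=1
    fi
    if [ "$(sshd_opt "$conf" PermitRootLogin prohibit-password)" = yes ]; then
        echo "FAIL: PermitRootLogin should not be yes"; ok=1
    fi
    if [ -z "$(sshd_opt "$conf" AllowUsers "")" ]; then
        echo "WARN: no AllowUsers line; any account holding a key may log in"
    fi
    return $ok
}

# Usage: audit both constructed configs.
echo "== weak =="
check_sshd_config "$WEAK_CONF" || echo "weak config rejected"
echo "== hardened =="
check_sshd_config "$HARD_CONF" && echo "hardened config accepted"
```

One caveat on the HOST part of AllowUsers: a hostname pattern there is matched against the reverse-resolved name of the connecting address (and only when UseDNS is enabled), which brings DNS back into the decision the first reply warned about. An address or CIDR pattern, as in the hardened config above, avoids that, and key-only authentication is what actually keeps the port safe to leave open.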


