On Sat, 28 Dec 2013, Damien Miller wrote:

> On Fri, 27 Dec 2013, Dan Mahoney, System Admin wrote:
>
>> I think the point here is that there's no option for openSSH to then
>> *drop the connection* or refuse it. OpenSSH *checks*, but does not
>> *enforce* anything.
>
> That's not entirely true. from=... restrictions in authorized_keys and
> "Match host" sections in sshd_config depend on the hostname. In the
> reverse-mapping check failed case, they don't get to see the original
> (probably untrustworthy) hostname and are just passed the IP address.

Right, and that was my point -- if you have a bunch of "match host" blocks, what do you put *outside* those blocks to just deny all connections? I don't see an option like "AllowUsers None" or "DenyUsers All" or "DenyUsers *", at least according to the manpage.

In theory you could disable all authentication methods, which will cause login to fail, but there's no easy way to do an apache-style "deny from all", which in theory should happen even without doing a handshake in this situation.

> Basically, the things that depend on the hostname will not be shown one
> that appears spoofed.

Okay, and will the things that depend on the hostname work at all if UseDNS is turned off?

-Dan

--
"A mother can be an inspiration to her little son, change his thoughts, his mind, his life, just with her gentle hum."
-No Doubt, "Different People", from "Tragic Kingdom"

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
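The reverse-mapping check Damien describes (trust the PTR name only if its forward lookup maps back to the connecting address, otherwise fall back to the bare IP) as a runnable sketch. This is an added illustration, not code from OpenSSH or from either poster; the DNS fixture is constructed and the function names are hypothetical.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple

# Constructed DNS fixture: PTR name for each client address, and the
# forward (A/AAAA) addresses each name resolves to.
PTR_RECORDS = {
    "192.0.2.10": "host10.example.net",   # consistent: forward lookup maps back
    "192.0.2.11": "trusted.example.com",  # spoofed PTR: forward lookup points elsewhere
}
FORWARD_RECORDS = {
    "host10.example.net": ["192.0.2.10"],
    "trusted.example.com": ["198.51.100.5"],
}


def fake_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def fake_forward(name: str) -> Iterable[str]:
    return FORWARD_RECORDS.get(name, [])


def real_ptr(ip: str) -> Optional[str]:
    """Live PTR lookup; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def real_forward(name: str) -> Iterable[str]:
    """Live forward lookup of a hostname to all of its addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return []


def canonical_hostname(ip: str,
                       ptr: Callable[[str], Optional[str]] = real_ptr,
                       forward: Callable[[str], Iterable[str]] = real_forward
                       ) -> Tuple[str, bool]:
    """Return (name_to_use, verified). A PTR name is accepted only if one of
    its forward addresses equals the original IP; on any failure the bare IP
    is returned, which is what hostname-dependent rules then get to see."""
    name = ptr(ip)
    if not name:
        return ip, False
    addr = ipaddress.ip_address(ip)
    for candidate in forward(name):
        try:
            if ipaddress.ip_address(candidate) == addr:
                return name.lower(), True
        except ValueError:   # ignore garbage answers
            continue
    return ip, False
```

Pass the fake lookups to exercise the fixture offline; the defaults use the system resolver.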