> > That's not entirely true. from=... restrictions in authorized_keys
> > and "Match host" sections in sshd_config depend on the hostname. In
> > the reverse-mapping check failed case, they don't get to see the
> > original (probably untrustworthy) hostname and are just passed the
> > IP address.
>
> Right, and that was my point -- if you have a bunch of "match host"
> blocks, what do you put *outside* those blocks to just deny all
> connections? I don't see an option like "AllowUsers None" or
> "DenyUsers All" or "DenyUsers *", at least according to the manpage.
>
> In theory you could disable all authentication methods, which will
> cause login to fail, but there's no easy way to do an apache-style
> "deny from all", which in theory should happen even without doing a
> handshake in this situation.

You can always just restrict to key-based authentication, and then say

AuthorizedKeysFile /dev/null

or use

DenyUsers *
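An added sshd_config example (not part of the thread) of the default-deny layout the last reply describes: key-only authentication with no usable key file globally, and a Match block that restores a key file only for one source network. The network 192.0.2.0/24 and the key path are assumptions; Match Address is used instead of Match Host so the rule keys on the client IP rather than on reverse DNS.

```sshd_config
# Global section: the defaults that apply to every connection that
# no Match block below claims.  Only public-key authentication is
# enabled, and the key file is /dev/null, so nothing can log in here.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile /dev/null

# Connections from the management network (assumed 192.0.2.0/24) get a
# real key file.  AuthorizedKeysFile is one of the keywords allowed in
# a Match block, and the Match value overrides the global /dev/null.
# Match Address compares the client IP directly, so it still works when
# the reverse-DNS check on the client hostname fails.
Match Address 192.0.2.0/24
    AuthorizedKeysFile .ssh/authorized_keys

# Every other source falls through to the global section and has no
# authorized keys, which is the "deny from all" the thread asks about.
```

To check what a given source actually gets, run sshd -T -C user=alice,addr=198.51.100.7,host=example.invalid (user, address and hostname are placeholders) and look at the authorizedkeysfile line it prints for that connection.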