It seems to be a reverse DNS issue. You could get past this check by setting UseDNS in sshd_config to No.

On 8/3/06, Ryan Golhar <golharam@xxxxxxxxx> wrote:
Interesting. If I do 'dig host-1-1-1-1.abc.net', I get:

--BEGIN--
; <<>> DiG 9.2.4 <<>> host-1-1-1-1.abc.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4560
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;host-1-1-1-1.abc.net. IN A
--END--

However, if I use another entry from a user that works, I get an Answer section. So I suspect something with abc.net's DNS is causing this.

If I use your rdig.pl script, I get a valid ANSWER section:

;; ANSWER SECTION:
101.173.149.24.in-addr.arpa. 26292 IN PTR host-1-1-1-1.abc.net

If I use another ISP entry (mine, for instance), I get a similar answer section, so I don't see a difference with rdig.

-----Original Message-----
From: David Tonhofer [mailto:d.tonhofer@xxxxxxxxxxx]
Sent: Thursday, August 03, 2006 1:18 PM
To: golharam@xxxxxxxxx; General Red Hat Linux discussion list
Subject: Re: can't verify hostname: getaddrinfo...

Ryan Golhar wrote:
> I have a group of machines that are only accessible by users from
> certain ISPs. One of those ISPs we'll call abc.net. The example IP
> address I will use is 1.1.1.1.
>
> In my /etc/hosts.allow, I have:
>
> sshd: LOCAL, .abc.net
>
> This was working for some time, but somewhere along the last few weeks
> or months it stopped working, and I don't know why.
>
> /var/log/secure reports the following:
>
> sshd[7693]: warning: /etc/hosts.allow, line 10: can't verify hostname:
> getaddrinfo(host-1-1-1-1.abc.net, AF_INET) failed
>
> sshd[7693]: refused connect from 1.1.1.1 (1.1.1.1)
>
> The users are real and were able to get access to these machines.
> I've verified that I can get access to the machines from a different
> ISP; in fact, most of the users can. It just seems to be this one
> provider that these two users have. Any ideas where I can start looking
> to find the cause of this problem?
>
> Ryan

On a hunch, this seems to be a DNS problem. I don't know whether this is correct, but does the lookup "IP address" -> "reverse address" -> "IP address" seem to fail, probably because the ISP has a messily configured DNS?

1) Try this on the command line (the 'rdig.pl' program is just a reverse lookup Perl program that uses 'dig', see the attached program; use that or just execute 'dig 1.2.3.4.in-addr.arpa. PTR' instead of 'rdig.pl 4.3.2.1'):

   "rdig.pl 1.1.1.1" should give "host-1-1-1-1.abc.net" - if not, your setup won't work
   "dig host-1-1-1-1.abc.net" should give "1.1.1.1" - if not, your setup SHOULD not work

2) See "man getaddrinfo"

Best regards,

-- David

----------8<-----------------rdig--------------------
#!/usr/bin/perl
# rdig: reverse-resolve an IPv4 address by asking dig for its PTR record.
use strict;
use warnings;

if (!defined $ARGV[0]) {
    print STDERR "You have to pass an IP address to reverse-resolve\n";
    exit 1;
}

if ($ARGV[0] =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
    # Build the in-addr.arpa name: the four octets in reverse order.
    my $reverse = "$4.$3.$2.$1.in-addr.arpa";
    # Run dig as a child process and read its output through a pipe.
    open(my $pipe, "-|", "/usr/bin/dig", $reverse, "PTR")
        or die "Could not open pipe: $!\n";
    my @lines = <$pipe>;
    close($pipe) or die "Could not close pipe: $!\n";
    print @lines;
    exit 0;
} else {
    print STDERR "The passed argument $ARGV[0] is not an IP address\n";
    exit 1;
}

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
--
Cleber P. de Souza
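Added example, not code from any of the posters: a small Python model of the forward-confirmed reverse lookup that tcp_wrappers performs before a hostname pattern such as .abc.net in /etc/hosts.allow can match. The DNS tables are constructed stand-ins (the good-isp.net names and the 2.2.2.2 and 3.3.3.3 addresses are made up) that reproduce the failing abc.net case from the thread, a working ISP, and a PTR record that points at a name belonging to another address.

```python
# Added example (not code from the thread): a model of the forward-confirmed
# reverse DNS round trip that tcp_wrappers performs before matching a hostname
# pattern such as ".abc.net" in /etc/hosts.allow.  The DNS tables below are
# constructed stand-ins for the real resolver, so this runs offline.
import ipaddress

PTR_RECORDS = {  # constructed: reverse name -> PTR target
    "1.1.1.1.in-addr.arpa.": "host-1-1-1-1.abc.net.",      # PTR exists...
    "2.2.2.2.in-addr.arpa.": "dsl-2-2-2-2.good-isp.net.",
    "3.3.3.3.in-addr.arpa.": "dsl-2-2-2-2.good-isp.net.",  # PTR claims another host's name
}
A_RECORDS = {  # constructed: hostname -> A records; abc.net has none (NXDOMAIN)
    "dsl-2-2-2-2.good-isp.net.": ["2.2.2.2"],
}

def verified_hostname(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return the client's hostname only if IP -> PTR -> A -> same IP succeeds.

    Every failure mode returns None, which is what makes tcp_wrappers log
    "can't verify hostname" and match only on the bare address from then on.
    """
    name = ptr.get(ipaddress.ip_address(ip).reverse_pointer + ".")
    if name is None:          # no PTR record at all
        return None
    addrs = a.get(name)
    if addrs is None:         # getaddrinfo(name) fails: the abc.net case in the thread
        return None
    if ip not in addrs:       # forward lookup does not lead back to the client
        return None
    return name.rstrip(".")

def pattern_matches(pattern, ip, hostname):
    """Subset of hosts_access(5) matching: LOCAL, .domain suffix, exact IP, net. prefix."""
    if pattern == "LOCAL":
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def sshd_allowed(ip, rule="LOCAL, .abc.net"):
    """Evaluate one 'sshd:' line from /etc/hosts.allow for a connecting address."""
    hostname = verified_hostname(ip)
    return any(pattern_matches(p.strip(), ip, hostname) for p in rule.split(","))
```

With the thread's rule, 1.1.1.1 is refused because its name cannot be verified, while an address pattern such as "1.1." in the same line still admits it without any DNS involvement.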