Bug 1225239
| Summary: | Hostname-based restrictions on incoming connections always fail to match | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Benjamin Gilbert <bgilbert> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | jjelen, mattias.ellert, mgrepl, plautrba, tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-05-27 13:44:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is problem with DNS ... openssh-6.8 changed default value of UseDNS from yes to no so by default it doesn't translate ip addresses to hostnames. With specified "UseDNS yes" in your /etc/ssh/sshd_config it works as expected. This was explicitly mentioned in Heads Up two months ago: https://lists.fedoraproject.org/pipermail/devel/2015-March/209366.html and it is also stated in release notes: http://www.openssh.com/txt/release-6.8 Closing, it is not a bug. I can confirm that "UseDNS yes" fixes the problem.
The upstream release notes do explicitly mention the change of behavior, but the announcement on devel@ only says that the default for UseDNS has been changed. sshd_config(5) describes UseDNS like this:
Specifies whether sshd(8) should look up the remote host name and check
that the resolved host name for the remote IP address maps back to the
very same IP address. The default is "no".
I don't think it's obvious from that description that the option also disables reverse lookups for hostname matching.
OK. I didn't mention it explicitly that it was turned off. Sorry for it. Yes, the documentation can be more obvious, but without doing what is mentioned in documentation, you don't have any way how to get hostname from IP. If you have proposal for improvement of manual page, please share it with us here or directly with upstream bugzilla: https://bugzilla.mindrot.org/show_bug.cgi?id=2405 |
Description of problem: On three different machines upgraded from F21 to F22, hostname-based restrictions ("from" restriction in authorized_keys; AllowUsers config option containing a hostname) now fail to match incoming connections when they should. Version-Release number of selected component (if applicable): openssh-server-6.8p1-5.fc22 How reproducible: Always Steps to Reproduce: 1. Add SSH key to authorized_keys with hostname-based "from" restriction, e.g. 'from="host.example.org" ssh-rsa ...' 2. Try to connect from that host with that SSH key Actual results: Pubkey authentication fails; password prompt. Expected results: Connection succeeds. Additional info: This did not happen on Fedora 21 or prior. "systemctl status sshd -l" shows a log message about "correct key but not from a permitted host", with the "host" value the same as the "ip" (rather than the correct hostname).