Bug 1225239 - Hostname-based restrictions on incoming connections always fail to match
Summary: Hostname-based restrictions on incoming connections always fail to match
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-26 22:42 UTC by Benjamin Gilbert
Modified: 2015-05-28 07:57 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-05-27 13:44:19 UTC
Type: Bug
Embargoed:




Links:
OpenSSH Project bug 2405 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Benjamin Gilbert 2015-05-26 22:42:44 UTC
Description of problem:
On three different machines upgraded from F21 to F22, hostname-based restrictions ("from" restriction in authorized_keys; AllowUsers config option containing a hostname) now fail to match incoming connections when they should.

Version-Release number of selected component (if applicable):
openssh-server-6.8p1-5.fc22

How reproducible:
Always

Steps to Reproduce:
1. Add SSH key to authorized_keys with hostname-based "from" restriction, e.g. 'from="host.example.org" ssh-rsa ...'
2. Try to connect from that host with that SSH key

Actual results:
Pubkey authentication fails; password prompt.

Expected results:
Connection succeeds.

Additional info:
This did not happen on Fedora 21 or prior.  "systemctl status sshd -l" shows a log message about "correct key but not from a permitted host", with the "host" value the same as the "ip" (rather than the correct hostname).

Comment 1 Jakub Jelen 2015-05-27 13:44:19 UTC
This is a problem with DNS: openssh-6.8 changed the default value of UseDNS from yes to no, so by default it doesn't translate IP addresses to hostnames. With "UseDNS yes" specified in your /etc/ssh/sshd_config it works as expected.

This was explicitly mentioned in Heads Up two months ago:
https://lists.fedoraproject.org/pipermail/devel/2015-March/209366.html

and it is also stated in release notes:
http://www.openssh.com/txt/release-6.8

Closing; it is not a bug.

Comment 2 Benjamin Gilbert 2015-05-28 00:51:14 UTC
I can confirm that "UseDNS yes" fixes the problem.

The upstream release notes do explicitly mention the change of behavior, but the announcement on devel@ only says that the default for UseDNS has been changed.  sshd_config(5) describes UseDNS like this:

    Specifies whether sshd(8) should look up the remote host name and check
    that the resolved host name for the remote IP address maps back to the
    very same IP address.  The default is "no".

I don't think it's obvious from that description that the option also disables reverse lookups for hostname matching.

Comment 3 Jakub Jelen 2015-05-28 07:57:34 UTC
OK. I didn't mention explicitly that it was turned off. Sorry about that.

Yes, the documentation could be more obvious, but without doing what is mentioned in the documentation, you don't have any way to get a hostname from an IP.

If you have a proposal for improving the manual page, please share it with us here or directly in the upstream bugzilla:
https://bugzilla.mindrot.org/show_bug.cgi?id=2405
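The behaviour discussed in this thread, modelled as an added example (not code from OpenSSH or from either commenter): sshd tries a from= pattern list against both the canonical hostname and the client IP, and with UseDNS no the "host" value is simply the IP string, so a hostname pattern can never match. The DNS data, the key line and the 192.0.2.0/24 addresses are constructed stand-ins so the script runs offline; the pattern matcher is a simplified model of sshd's wildcard and "!" negation rules.

```python
import fnmatch
import re

# Constructed sample DNS data standing in for real lookups (not real hosts).
REVERSE = {"192.0.2.10": "host.example.org", "192.0.2.20": "rogue.example.org"}
FORWARD = {"host.example.org": {"192.0.2.10"}, "rogue.example.org": {"198.51.100.5"}}

def canonical_host(ip, use_dns):
    """The 'host' value sshd logs and matches. With UseDNS yes the reverse name is
    kept only if a forward lookup maps it back to the same IP (the check that
    sshd_config(5) describes); with UseDNS no, or on mismatch, it is the IP."""
    if not use_dns:
        return ip
    name = REVERSE.get(ip)
    if name and ip in FORWARD.get(name, set()):
        return name
    return ip

def match_list(patterns, value):
    """sshd-style list: comma-separated, '*'/'?' wildcards, leading '!' negates.
    Returns 1 on a positive match, -1 on a negated match, 0 on no match."""
    result = 0
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(value.lower(), pat.lstrip("!").lower()):
            if negate:
                return -1
            result = 1
    return result

def from_option_allows(from_patterns, ip, use_dns):
    """Model of the from= check: the list is tried against the canonical hostname
    and the IP; a negated match on either rejects, a positive on either allows."""
    host = canonical_host(ip, use_dns)
    mhost, mip = match_list(from_patterns, host), match_list(from_patterns, ip)
    if mhost == -1 or mip == -1:
        return False
    return mhost == 1 or mip == 1

def parse_from_option(authorized_keys_line):
    """Extract the from= pattern list at the start of an authorized_keys line."""
    m = re.match(r'\s*from="([^"]*)"', authorized_keys_line)
    return m.group(1) if m else None

if __name__ == "__main__":
    # Constructed key line mirroring step 1 of the report (key material is a placeholder).
    pats = parse_from_option('from="host.example.org" ssh-rsa AAAA...PLACEHOLDER')
    for use_dns in (False, True):
        print("UseDNS", "yes" if use_dns else "no", "allowed:",
              from_option_allows(pats, "192.0.2.10", use_dns))
```

An IP or CIDR-style wildcard pattern such as "192.0.2.*" still matches with UseDNS no, which is the only way a from= restriction can work without reverse DNS.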

