Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:
* Always

Steps to Reproduce:
1. Set up a machine `foo.org' that is also known as `bar.com' (through a CNAME entry)
2. on the machine, run "ssh bar.com pwd"
3. look in /var/log/secure

Actual results:
* The log file will have a bogus alert saying:

    Address <your-ip> maps to foo.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Expected results:
* Not expecting any alerts

Additional info:
This error message comes from `get_remote_hostname' in "canohost.c" in the openssh source. I traced some of it, and it looks like it gets to do a lookup for your real name ("foo.org" in the above example), and that returns "127.0.0.1", which is different from "<your-actual-ip>". You can see that by printing the values of `ntop' and `ntop2' (before their comparison fails) and see that the first is your IP address, and the second is "127.0.0.1".
You probably have foo.org in /etc/hosts with the 127.0.0.1 entry. Otherwise <your-actual-ip> should be returned.
My 127.0.0.1 entry in /etc/hosts looks like this:

    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 foo foo.org localhost.localdomain localhost
    ::1 foo foo.org localhost.localdomain localhost

Are you saying that it should *not* have "foo" and "foo.org" in there? (That does seem to make the alert message go away, but the comment at the beginning of the hosts file makes me worried. I'm not the one who wrote it.)
It is written by anaconda during install, but when you have an actual non-localhost IP, foo and foo.org should be removed manually from these lines and other entries with the actual IP address should be added.
It would be a *very* good idea to make the generated comment explain all that. Or at least refer to some url where it is explained.
Wouldn't this same problem occur if you had multiple IP addresses on the same server?
Only if all of them reverse mapped to a single DNS name, and that is clearly a broken setup. Here the problem is that the reverse mapping for the external IP maps to foo.org, but it resolves to 127.0.0.1 and not the external IP.
Even if you have an IPv4 and IPv6 address reverse to a single DNS name?
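
The hosts-file mismatch discussed in this thread, as an added example that is not part of the original report and is not OpenSSH code: a small model of the forward-confirmation step, run against the hosts file quoted above and a corrected one. Assumptions: the peer address 192.0.2.10 and the DNS table are constructed, the hosts file is consulted before DNS, and the check is modeled as passing when any forward address equals the peer address.

```python
import ipaddress

# Constructed sample data: 192.0.2.10 stands in for <your-actual-ip>.
PEER_IP = "192.0.2.10"
DNS = {"foo.org": ["192.0.2.10"]}          # what public DNS would answer

HOSTS_ANACONDA = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 foo foo.org localhost.localdomain localhost
::1 foo foo.org localhost.localdomain localhost
"""

HOSTS_FIXED = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
192.0.2.10 foo.org foo
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {name: [addresses]} from hosts-file text, in file order."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(fields[0])
    return table


def forward_confirms(peer_ip, reverse_name, hosts_text, dns):
    """Model: resolve reverse_name (hosts first, then DNS), compare to peer."""
    name = reverse_name.lower()
    forward = parse_hosts(hosts_text).get(name) or dns.get(name, [])
    peer = ipaddress.ip_address(peer_ip)
    ok = any(ipaddress.ip_address(a) == peer for a in forward)
    return ok, forward


def loopback_aliases(hosts_text):
    """Names other than localhost that the hosts file pins to loopback."""
    return sorted(
        name for name, addrs in parse_hosts(hosts_text).items()
        if name not in LOCAL_NAMES
        and any(ipaddress.ip_address(a).is_loopback for a in addrs)
    )
```

Running `loopback_aliases` over a host's real /etc/hosts is a quick way to spot machines that will log this alert for their own connections.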