Re: ssh_exchange_identification: Connection closed by remote host PART II
On Sun, 24 Mar 2002 18:29:39 -0600, Dimitri Maziuk wrote:
>* Gary Turner (firstname.lastname@example.org) spake thusly:
>> On Sun, 24 Mar 2002 13:12:56 -0600, Dimitri Maziuk wrote:
>> >Didn't you read Sven's rely? It says "DNS problem" right there.
>Make that "reply".
Hmph; I see so many typos on the lists, I don't even see my own any
>> Yes, I did. Didn't you read mine?
>> "If this is not germane to the thread, I apologize. If it is wrong, I
>> seek instruction."
>Well, it's relevant as most tcp apps rely on DNS for hostname
>resolution. It's not particular to ssh or tcp wrappers, though.
>DNS configuration, OTOH, is too big a topic for a quick instruction
>in an email reply. There are books and howtos on the subject.
OK, thanks. I put the neo in phyte and am building my system task at a
time. DNS and SSH are dishes I'm not ready to wash just yet. :)
>Just to give you a concrete example: assume 192.168.1.0 subnet.
>Missing a trailing dot in RDNS zone, like this:
>1 IN PTR host.foo.bar
> dot missing here ---^
>will result in reverse lookup for 192.168.1.1 returning something
>like "host.foo.bar.in-addr.arpa". That will not match "*.foo.bar"
>entry in hosts.allow, nor the entry in ssh's known hosts file.
Curiosity just bit me in the butt. Where does the .in-addr.arpa come
from? For example, if this were my LAN, bessie.blues matches
192.168.0.1. How/why would higher level domains be added? If the
reverse look-up went to the WAN, isn't the ~declared~ domain name
compared to the name registered to the IP?
If curiosity took too big a bite to cover with a Bandaid, no prob. I'll
get to the books soon enough.
>So if DNS is b0rked, questions about tcp wrappers don't apply,
>if you see what I mean.
Actually not, yet. ;~}
>The really interesting question is whether relying on something
>as notoriously unreliable as DNS for access control is a sane
Vagrant thought: Either hosts.access is not the appropriate tool in
this case, or the reverse look-up does not use it properly (from hosts.*
point of view). Either way, I dislike the idea of defaulting to allow
rather than deny.
See above in re Bandaid. :)
It is interesting to note that as one evil empire (generic) fell,
another Evil Empire (tm) began its nefarious rise. -- me
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org