[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

Quoting Andrew Pimlott (andrew@pimlott.ne.mediaone.net):
> PARANOID is there for people who want to do DNS hostname based
> authentication and have it be slightly less broken.  That's it.  Can
> anyone else document a real case in which denying based on PARANOID
> helped?
There is no such thing as DNS hostname based authentication.
Can you give an example where you would want to allow access from an
inconsequently configured machine, that is run by someone who doesn't know
how to configure DNSs ?
The PARANOID setting helps in 'pushing' people to do correct DNS
configuration, it helps auditing, it keeps your (and others') networks in a
consequent and (DNS-wise) correctly configured state.
If removing the 'ALL: PARANOID' line fixes things for you, or makes life
easier for you, you should look into configuring your servers first, before
requesting a workstation install that allows for access by broken
Machines with broken DNS should not be allowed to connect anyway, but should
either be fixed, and in the remote possibility that you do want to allow
access from broken machines, the admin can alter /etc/hosts.deny.


			      Linux Generation
   encrypted mail preferred. finger rvdm@debian.org for my GnuPG/PGP key.
      Zet mij maar in een hoek, met me kop naar de muur :) -- marijnv

Reply to: