Package: openssh-server
Version: 1:8.4p1-5

Dear maintainers,

When doing host-based authentication, sshd tries to look up the hostname of the IP that's connecting and compares it to a hostname sent by the client. If they don't match, the connection is refused. If they match, then sshd looks for a known host key for the client hostname. Typically the administrator setting up host-based authentication has manually added this to /etc/ssh/ssh_known_hosts.

The ssh client is hardcoded to send the result of gethostname(2). On Debian systems, this is the short hostname, not the FQDN. But that causes a few problems with the above:

- When sshd looks up a hostname for the IP that's connecting it will typically get a FQDN in response, which won't match the short hostname provided by the client. This means that in practice one always has to disable the lookup by setting HostbasedUsesNameFromPacketOnly to yes if you're expecting ssh clients on Debian hosts to try to connect.

- The entry added to /etc/ssh/ssh_known_hosts must be keyed by the short hostname, so that it can be successfully looked up. But (at least in my mind) host keys are more properly associated with FQDNs, not short hostnames, and in any case there is the potential for clashes, which is much less likely when indexing keys by FQDN.

I conjecture that the way host-based authentication works in OpenSSH implicitly assumes that gethostname(2) returns the FQDN, as it does on some non-Debian GNU/Linux systems and perhaps other unixes. If that's right, then perhaps the OpenSSH client in Debian should be patched to send the FQDN when doing host-based authentication.

-- 
Sean Whitton
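The following is an added example, not part of the bug report and not OpenSSH's own code: a small Python model of the name check the report describes, so an administrator can see why a short hostname in the packet fails against a reverse lookup that returns a FQDN, and why HostbasedUsesNameFromPacketOnly=yes makes the short-name entry in ssh_known_hosts the one that gets consulted. The known_hosts content, host names and keys are constructed placeholders; the matcher is a simplification (unhashed entries only, case-insensitive glob patterns with "!" negation) and the function names are hypothetical.

```python
from __future__ import annotations

import fnmatch
from typing import List, Optional, Tuple

# Constructed sample /etc/ssh/ssh_known_hosts; the keys are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# client1 was added under its short name, which the report says Debian setups end up doing
client1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYSHORT
# client2 was added under its FQDN with the short name as an alias
client2.example.org,client2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFQDN
# hashed hostnames cannot be matched by this plain-text matcher and are skipped
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYHASHED
"""

Entry = Tuple[List[str], str, str]  # (host patterns, key type, key)


def parse_known_hosts(text: str) -> List[Entry]:
    """Parse unhashed ssh_known_hosts lines into (host patterns, key type, key)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker: drop it
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue  # malformed line or hashed hostname (not handled here)
        entries.append((fields[0].lower().split(","), fields[1], fields[2]))
    return entries


def known_host_key(entries: List[Entry], hostname: str) -> Optional[str]:
    """Return the first key whose host patterns match hostname.

    Matching is case-insensitive, supports * and ? wildcards, and a
    leading '!' on a pattern excludes the entry for names it matches.
    """
    name = hostname.lower()
    for patterns, _keytype, key in entries:
        matched = False
        for pat in patterns:
            if pat.startswith("!"):
                if fnmatch.fnmatchcase(name, pat[1:]):
                    matched = False
                    break
            elif fnmatch.fnmatchcase(name, pat):
                matched = True
        if matched:
            return key
    return None


def hostbased_decision(
    packet_hostname: str,
    reverse_dns_hostname: Optional[str],
    entries: List[Entry],
    uses_name_from_packet_only: bool = False,
) -> Tuple[bool, str]:
    """Model the name check from the report; returns (accepted, reason).

    With HostbasedUsesNameFromPacketOnly=no (the default), the reverse
    lookup of the client address must equal the name in the packet before
    the host key is even looked up.  With yes, the lookup is skipped and
    the packet name alone is used to find the key.
    """
    if not uses_name_from_packet_only:
        if reverse_dns_hostname is None:
            return False, "reverse lookup of the client address failed"
        if reverse_dns_hostname.lower() != packet_hostname.lower():
            return False, (
                f"mismatch: client sent {packet_hostname!r}, "
                f"address resolves to {reverse_dns_hostname!r}"
            )
    key = known_host_key(entries, packet_hostname)
    if key is None:
        return False, f"no host key for {packet_hostname!r} in ssh_known_hosts"
    return True, f"host key found for {packet_hostname!r}; proceed to verify the signature"


if __name__ == "__main__":
    kh = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    # Debian client sends the short name; sshd resolves the address to a FQDN.
    print(hostbased_decision("client1", "client1.example.org", kh))
    # Same client once the lookup is disabled on the server.
    print(hostbased_decision("client1", "client1.example.org", kh, uses_name_from_packet_only=True))
    # A client that sends its FQDN works without changing the server setting.
    print(hostbased_decision("client2.example.org", "client2.example.org", kh))
```

Running the block prints a refusal for the first case, an acceptance for the second, and an acceptance for the third, which is the pattern the report describes: either the server stops checking the reverse lookup, or the client has to send a name that matches it.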