RE: ssh, gethostbyname, and hosts.deny, oh my!
On 12-Sep-2000 kmself@ix.netcom.com wrote:
[...]
> Sometimes ssh works. Sometimes it doesn't:
>
> [karsten@angel:karsten]$ ssh lists
> ssh_exchange_identification: Connection closed by remote host
>
> ...maybe 1 of 4 attempts succeeds.
>
> On the host, in /var/auth.log, I see:
>
> Sep 12 01:10:32 lists sshd[1884]: warning: /etc/hosts.deny, line 15:
> can't verify hostname: gethostbyname(140.208.171.207.in-addr.arpa)
> failed
Looks like a DNS problem (?)
> Sep 12 01:10:32 lists sshd[1884]: refused connect from
> 207.171.xxx.xxx
>
> ...and looking at /etc/hosts.deny, we find at line 15:
>
> ALL: PARANOID
The PARANOID option forces a DNS lookup on the client. So if tcpd cannot
look up your hostname, it won't allow the connection.
>
> (the only non-comment line in the file).
>
> There are no entries in /etc/hosts.allow.
>
>
> Questions:
>
> - Can I fix this by allowing SSH access in /etc/hosts.allow? I'm
> assuming yes and will try this.
Yes, you can. If you use only ssh, you could use "ALL EXCEPT sshd: ALL".
> - Why the periodic failure? If my address cannot be resolved, why
> should it appear to be resolving some of the time, but not always?
I experience this problem too sometimes. Maybe some DNS guru knows the
answer.
>
> - Does this indicate a problem with the masquerading configuration
> (I'm not responsible for this)? Any further diagnostics to test
> this out?
Dunno. I've never used masquerading.
> Thanks.
>
> --
> Karsten M. Self <kmself@ix.netcom.com> http://www.netcom.com/~kmself
> Evangelist, Opensales, Inc. http://www.opensales.org
> What part of "Gestalt" don't you understand? Debian GNU/Linux rocks!
> http://gestalt-system.sourceforge.net/ K5: http://www.kuro5hin.org
> GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
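Added example, not part of the original messages and not tcp_wrappers code: a Python model of the name/address check behind `ALL: PARANOID` (reverse lookup, then forward lookup of the returned name, then comparison), repeated so that intermittent resolver answers like the "1 of 4 attempts" above show up as a tally. The function names, the resolver parameters and the sample address and hostname are assumptions made for illustration.

```python
import socket
from collections import Counter

def _reverse(addr):              # system resolver: address -> name (PTR)
    return socket.gethostbyaddr(addr)[0]

def _forward(name):              # system resolver: name -> addresses (A)
    return socket.gethostbyname_ex(name)[2]

def classify(addr, reverse=_reverse, forward=_forward):
    """Return (verdict, detail) for one client address.

    'unknown'  : no reverse name at all (matched by UNKNOWN, not PARANOID)
    'paranoid' : a name came back but could not be confirmed for addr
    'verified' : the name resolves forward to addr
    """
    try:
        name = reverse(addr)
    except OSError:              # socket.herror / socket.gaierror
        return "unknown", None
    try:
        addrs = forward(name)
    except OSError:
        # the case logged as "can't verify hostname: gethostbyname(...) failed"
        return "paranoid", f"gethostbyname({name}) failed"
    if addr not in addrs:
        return "paranoid", f"{name} resolves to {addrs}, not {addr}"
    return "verified", name

def sample(addr, attempts=8, **resolvers):
    """Repeat the check and count verdicts to expose flaky lookups."""
    return Counter(classify(addr, **resolvers)[0] for _ in range(attempts))

if __name__ == "__main__":
    # Constructed offline demo: the forward lookup answers 1 time in 4.
    state = {"calls": 0}
    def flaky_forward(name):
        state["calls"] += 1
        if state["calls"] % 4:
            raise socket.gaierror("constructed timeout")
        return ["192.0.2.10"]
    tally = sample("192.0.2.10", reverse=lambda a: "client.example.net",
                   forward=flaky_forward)
    print(dict(tally))
```

Calling `sample()` with only an address uses the system resolver, which is the form to run on the server itself against the refused client address.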