Re: ssh_exchange_identification: Connection closed by remote host PART II
* Gary Turner (kk5st@swbell.net) spake thusly:
> On Sun, 24 Mar 2002 13:12:56 -0600, Dimitri Maziuk wrote:
>
> >* Gary Turner (kk5st@swbell.net) spake thusly:
> >> On Sun, 24 Mar 2002 08:46:00 +0100, Sven Hoexter wrote:
> >>
> >> >On Sat, Mar 23, 2002 at 01:09:37PM -0800, Jaye Inabnit ke6sls wrote:
> >>
> <big snip>
> >
> >Didn't you read Sven's rely? It says "DNS problem" right there.
Make that "reply".
> >
> Yes, I did. Didn't you read mine?
> "If this is not germane to the thread, I apologize. If it is wrong, I
> seek instruction."
Well, it's relevant as most tcp apps rely on DNS for hostname
resolution. It's not particular to ssh or tcp wrappers, though.

DNS configuration, OTOH, is too big a topic for a quick instruction
in an email reply. There are books and howtos on the subject.

Just to give you a concrete example: assume 192.168.1.0 subnet.
Missing a trailing dot in RDNS zone, like this:

    1 IN PTR host.foo.bar
     dot missing here ---^

will result in reverse lookup for 192.168.1.1 returning something
like "host.foo.bar.in-addr.arpa". That will not match "*.foo.bar"
entry in hosts.allow, nor the entry in ssh's known hosts file.

So if DNS is b0rked, questions about tcp wrappers don't apply,
if you see what I mean.

The really interesting question is whether relying on something
as notoriously unreliable as DNS for access control is a sane
idea.

Dima
--
Tlaloc: What was Elrond's second name?
Gruber: Hubbard -- <ahbou=3C69EB63.A7C431F4@last.com>
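
Added example, not part of the original message: a small Python check that applies the zone-file rule described above (a PTR target without a trailing dot gets the zone origin appended) and tests the resulting name against a hosts.allow-style pattern. The zone contents, the origin 1.168.192.in-addr.arpa. and the function names are constructed for illustration, and matching with fnmatch is a simplification of how tcp wrappers compares names.

```python
import fnmatch

# Constructed sample reverse zone for the 192.168.1.0 subnet (assumption, not from the mail).
ORIGIN = "1.168.192.in-addr.arpa."
ZONE = """\
1   IN  PTR  host.foo.bar
2   IN  PTR  good.foo.bar.   ; trailing dot present
3   IN  PTR  other.foo.bar
"""

def expand(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to the origin."""
    return name if name.endswith(".") else f"{name}.{origin}"

def check_ptr_records(zone_text, origin, allow_pattern):
    """Return (owner, effective_target, was_relative, matches_pattern) per PTR record.

    Handles one-line records with an explicit owner and $ORIGIN directives only.
    """
    results = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = expand(fields[1], origin)
            continue
        upper = [f.upper() for f in fields]
        if "PTR" not in upper:
            continue
        idx = upper.index("PTR")
        if idx == 0 or idx + 1 >= len(fields):
            continue                             # no owner or no target on this line
        target = fields[idx + 1]
        effective = expand(target, origin)
        # Name a reverse lookup would hand to the access check (root dot dropped).
        hostname = effective.rstrip(".").lower()
        results.append((expand(fields[0], origin), effective,
                        not target.endswith("."),
                        fnmatch.fnmatchcase(hostname, allow_pattern.lower())))
    return results

if __name__ == "__main__":
    for owner, effective, relative, ok in check_ptr_records(ZONE, ORIGIN, "*.foo.bar"):
        flag = "MISSING TRAILING DOT" if relative else "ok"
        print(f"{owner} -> {effective}  [{flag}]  matches *.foo.bar: {ok}")
```
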