@Home in Fremont vs. tcpwrappers

Stuart Marshall stuart@igpp.ucllnl.org
Mon, 17 Dec 2001 11:42:28 -0800


Hi,

Indeed I do have ALL : ALL@PARANOID : DENY in hosts.allow.

It seems AT&T is getting things fixed as I can now look up
12-234-242-65.client.attbi.com:

   # host 12-234-242-65.client.attbi.com
   12-234-242-65.client.attbi.com  A       12.234.242.65

but the line:

   sshd, sshdfwd-X11  : 12.234.242.65/255.255.252.0 : ALLOW

still does not work.

However, the line:

   sshd, sshdfwd-X11  : 12-234-242-65.client.attbi.com : ALLOW

does work.  So it appears that I can't put the whole subnet
in but I can put in the hostname that I presently have under
AT&T's dhcp system.

Stuart

Quoting Matt Zimmerman (mdz@debian.org):
> On Thu, Dec 13, 2001 at 10:29:50AM -0800, Stuart Marshall wrote:
> 
> > in my (at work) /etc/hosts.allow file, I've attempted to let in the
> > subnet that my @home ip is on.  The logs indicate that I connect but
> > the tcpwrapper routines dump me because gethostbyname() fails.  Here
> > is the relevant stuff from the log file:
> > 
> >   can't verify hostname: gethostbyname(12-234-242-65.client.attbi.com) failed
> > 
> > which was generated in the function sock_hostname(), causing it to
> > return PARANOID which then caused my @home ssh client to get dumped.
> > 
> > Does anyone know how to set up /etc/hosts.allow to let in a subnet
> > where the hostname for the incoming ip address cannot be looked up?
> > I've re-read the hosts_access manpage several times and don't see a
> > way.  Or perhaps I need some additional options for dhclient to get
> > the hostname lookup to work correctly.  My home computer thinks it
> > has another hostname.  I do want to restrict access to subnets.
> 
> You probably have an entry in /etc/hosts.deny like:
> 
> ALL: PARANOID
> 
> which is causing this behavior.  You can remove that line, or,
> alternatively, you can try to get your ISP to fix their DNS (good luck).
> 
> I _think_ that even if you remove this line, the two-way lookup is still
> done when you are using hostname-based authentication, so you will need to
> use all IP addresses for the ssh service regardless of whether PARANOID is
> enabled.
>
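To make the two matching rules in play here concrete, below is a small model of how tcp_wrappers evaluates client patterns, written as hosts_access(5) describes them. It is an added example for this thread, not code from tcp_wrappers or from either poster; the DNS tables, the rule ordering and the `hosts_access`/`decide` names are constructed to mirror the situation in the messages above. Two points it exercises: a client is PARANOID when the name returned by the reverse lookup does not resolve back to the connecting address (the `gethostbyname(...) failed` case), and a `net/mask` pattern matches only when `net` equals the bitwise AND of the client address and `mask`, so the left-hand side has to be the network address (`12.234.240.0` for a `255.255.252.0` mask), not the address of one host in it.

```python
"""Model of tcp_wrappers (hosts_access(5)) client matching.

Added illustration for this thread, not tcp_wrappers' own code. All DNS
data below is constructed: one reverse record whose forward lookup first
fails (ISP DNS broken) and then succeeds (ISP DNS fixed).
"""
import ipaddress

PARANOID = "paranoid"
UNKNOWN = "unknown"

# Constructed resolver tables standing in for gethostbyaddr()/gethostbyname().
REVERSE = {"12.234.242.65": "12-234-242-65.client.attbi.com"}
FORWARD_BROKEN = {}                                               # before the fix
FORWARD_FIXED = {"12-234-242-65.client.attbi.com": {"12.234.242.65"}}  # after


def resolve_hostname(addr, reverse, forward):
    """Mimic sock_hostname(): reverse lookup, then require the name to map
    back to the address. A failed or mismatching forward lookup => PARANOID."""
    name = reverse.get(addr)
    if name is None:
        return UNKNOWN
    if addr not in forward.get(name, set()):
        return PARANOID  # logged as "can't verify hostname: gethostbyname(...) failed"
    return name


def masked_match(net_tok, mask_tok, addr):
    """net/mask matches iff (addr & mask) == net; net must be the network address."""
    net = int(ipaddress.IPv4Address(net_tok))
    mask = int(ipaddress.IPv4Address(mask_tok))
    a = int(ipaddress.IPv4Address(addr))
    return (a & mask) == net


def host_match(pattern, hostname, addr):
    """Host part of a client pattern (wildcards, net/mask, domain suffix, literal)."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return hostname == PARANOID
    if pattern == "KNOWN":
        return hostname not in (PARANOID, UNKNOWN)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return masked_match(net, mask, addr)
    if pattern.startswith("."):  # ".attbi.com" matches any host under that domain
        return hostname not in (PARANOID, UNKNOWN) and hostname.endswith(pattern)
    return pattern == hostname or pattern == addr


def client_match(pattern, hostname, addr):
    """user@host form: ALL@... needs no ident lookup, so only that case is modelled."""
    if "@" in pattern:
        user, host = pattern.split("@", 1)
        if user != "ALL":
            raise NotImplementedError("ident (RFC 1413) user matching not modelled")
        return host_match(host, hostname, addr)
    return host_match(pattern, hostname, addr)


def hosts_access(rules, daemon, addr, reverse, forward):
    """First matching rule wins. rules: list of (daemon_list, client_list, action)."""
    hostname = resolve_hostname(addr, reverse, forward)
    for daemons, clients, action in rules:
        if "ALL" not in daemons and daemon not in daemons:
            continue
        if any(client_match(p, hostname, addr) for p in clients):
            return action
    return "ALLOW"  # tcp_wrappers grants access when no rule in either file matches


# The hosts.allow lines from the thread, as rule tuples (order is an assumption).
DENY_PARANOID = (["ALL"], ["ALL@PARANOID"], "DENY")
SUBNET_AS_POSTED = (["sshd", "sshdfwd-X11"], ["12.234.242.65/255.255.252.0"], "ALLOW")
SUBNET_CORRECTED = (["sshd", "sshdfwd-X11"], ["12.234.240.0/255.255.252.0"], "ALLOW")
BY_HOSTNAME = (["sshd", "sshdfwd-X11"], ["12-234-242-65.client.attbi.com"], "ALLOW")
FINAL_DENY = (["ALL"], ["ALL"], "DENY")

CLIENT = "12.234.242.65"


def decide(rules, forward):
    """Outcome for an sshd connection from CLIENT under the given forward table."""
    return hosts_access(rules, "sshd", CLIENT, REVERSE, forward)


if __name__ == "__main__":
    print("broken DNS, hostname rule :", decide([DENY_PARANOID, BY_HOSTNAME, FINAL_DENY], FORWARD_BROKEN))
    print("fixed DNS, subnet as posted:", decide([DENY_PARANOID, SUBNET_AS_POSTED, FINAL_DENY], FORWARD_FIXED))
    print("fixed DNS, hostname rule   :", decide([DENY_PARANOID, BY_HOSTNAME, FINAL_DENY], FORWARD_FIXED))
    print("fixed DNS, subnet corrected:", decide([DENY_PARANOID, SUBNET_CORRECTED, FINAL_DENY], FORWARD_FIXED))
```

Running it reproduces the thread: with the forward lookup failing, the `ALL@PARANOID` rule fires first and even the hostname rule never gets a chance; with DNS fixed, the hostname rule allows the connection, while the `net/mask` line as posted still denies because `12.234.242.65 & 255.255.252.0` is `12.234.240.0`, which is not equal to the `net` on the left of the slash. Writing the network address there lets the whole /22 in, which is what the original post was after; whether that wide a range is desirable for sshd on an @Home subnet is a separate question.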