[nflug] ssh time/warner

John Nichel john at kegworks.com
Wed Nov 14 10:08:54 EST 2007


Mark Musone wrote:
> That's not true. It shouldn't fail via reverse DNS checks (ssh doesn't
> verify reverse DNS, at least not by default).
> The key is not ip based, hence the whole point of ssh. It's certificate
> based, not ip based.
> hosts.allow does not come into play, as hosts.allow is only used by tcpd, the
> tcp wrapper. sshd typically runs as its own daemon. (although you can run
> it under inetd (why would you want to do that??) )
> 

To the best of my knowledge, most distros ship with tcpwrappers support 
compiled into ssh.  Putting:

sshd:ALL

In my hosts.deny brings hosts.allow into play.

> I use sshd with dynamic dns all the time at home (granted, it's behind a nat
> router, so the actual internal machine ip never changes.
> 

The problem I think the OP is having is ssh'ing into a remote system 
from his home dynamic ip address (I have this issue with Verizon as 
well).  If you set your system to allow your current dynamic address in 
hosts.allow, and your ip changes, you won't be able to log into that 
remote system anymore.

FWIW, I can send an email from my home (when my ip changes) to a mail 
account I control, and a script on that box will receive the email, 
parse it, and update hosts.allow with my current ip.

> Mark
> 
> 
> 
> -----Original Message-----
> From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
> Cyber Source
> Sent: Wednesday, November 14, 2007 8:55 AM
> To: nflug at nflug.org
> Subject: Re: [nflug] ssh time/warner
> 
> I'm not sure that's going to do what he wants (correct me if I'm wrong), 
> as it will fail when it checks via reverse dns, even if it was mapped to 
> another box, if it's not static somewhere, the key will fail when the IP 
> changes. I believe he wants to limit the connections available for ssh 
> using his /etc/hosts.allow file. The best way I've found is to go with a 
> broad range like "69.71.", as the first 2 octets will probably never 
> change. He's just looking for the range(s) that they may use locally 
> here. I'm not sure myself. When it was Adelphia, you could always count 
> on 24., now with TW, I see all sorts, 69., 71., etc.
> 
> Robert Wolfe wrote:
>> Well, I usually use dyndns.org to handle all of that for me :)  I have 
>> a Windows Server 2003 box running the DynDns.org update client (the 
>> same machine that my BBS runs on) and it works perfectly (granted my 
>> Linux server runs in a VMWare box <G>).
>>
>> eric wrote:
>>> I'd like to cut down the possible network connections over the 
>>> internet for access to a ssh server.
>>> I can't afford a static ip so I was wondering if anyone knew the range 
>>> of internet ip's handed out to users from time/warner ...I'm pretty 
>>> sure my DNS servers are coming from Lackawana?
>>>


-- 
John C. Nichel IV
System Administrator (ÜberGeek)
KegWorks
http://www.kegworks.com
716.362.9212 x16
john at kegworks.com

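An added example, not John's own script, of the "mail yourself your new IP" scheme he describes above, with the one check a practitioner would want on top of it: anyone who can deliver mail to that account could otherwise open sshd to their own address, so the message must carry an HMAC over the IP computed with a secret shared with the home machine. It assumes a hosts.deny of `sshd: ALL`, that the home host sends the address in the Subject as `sshd-allow <ip> <hmac-sha256-hex>` (format is an assumption), and that the sshd binary has tcpwrappers support as discussed. The hosts.allow rewrite keeps every non-sshd line and replaces the single sshd line, writing through a temp file and rename so a half-written file never locks you out.

```python
"""Update the sshd: line of a hosts.allow-style file from an e-mailed IP.

Example code added to the thread, not the original poster's script.
Assumed message format (Subject header): "sshd-allow <ip> <hmac-sha256-hex>".
"""
import email
import hashlib
import hmac
import ipaddress
import os
import re
import tempfile
from typing import Optional

# Assumption: a secret shared with the home machine that sends the mail.
SECRET = b"replace-with-a-shared-secret"
SUBJECT_RE = re.compile(r"^sshd-allow (?P<ip>\S+) (?P<mac>[0-9a-f]{64})$")


def make_subject(ip: str, secret: bytes = SECRET) -> str:
    """What the sending side puts in the Subject header."""
    mac = hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()
    return f"sshd-allow {ip} {mac}"


def parse_update(raw_message: bytes, secret: bytes = SECRET) -> Optional[str]:
    """Return the IP carried in the message, or None if it fails any check."""
    msg = email.message_from_bytes(raw_message)
    m = SUBJECT_RE.match((msg.get("Subject") or "").strip())
    if not m:
        return None
    ip, mac = m.group("ip"), m.group("mac")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    # A NATed home host must send its public address, never the LAN one.
    if addr.is_private or addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return None
    expected = hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return str(addr)


def rewrite_hosts_allow(text: str, ip: str) -> str:
    """Replace (or add) the sshd: line; keep localhost so local logins still work."""
    lines = [line for line in text.splitlines() if not line.startswith("sshd:")]
    lines.append(f"sshd: 127.0.0.1 {ip}")
    return "\n".join(lines) + "\n"


def apply_update(path: str, raw_message: bytes, secret: bytes = SECRET) -> bool:
    """Validate the mail and rewrite `path` atomically. Returns True on success."""
    ip = parse_update(raw_message, secret)
    if ip is None:
        return False
    with open(path) as f:
        current = f.read()
    new_text = rewrite_hosts_allow(current, ip)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    os.chmod(tmp, 0o644)  # hosts.allow is world-readable; tcpd runs as root
    os.replace(tmp, path)  # rename is atomic: no half-written file
    return True


if __name__ == "__main__":
    # Constructed sample: a hosts.allow and an e-mail from the home box.
    fd, demo_path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write("ALL: 10.0.0.0/8\nsshd: 127.0.0.1 24.0.0.1\n")
    good = b"From: me@home\nSubject: " + make_subject("69.71.12.34").encode() + b"\n\nhi\n"
    forged = b"From: x@evil\nSubject: sshd-allow 69.71.99.99 " + b"0" * 64 + b"\n\n"
    print("good applied:", apply_update(demo_path, good))      # True
    print("forged applied:", apply_update(demo_path, forged))  # False
    print(open(demo_path).read())
    os.unlink(demo_path)
```

Run it from a procmail or .forward rule for the dedicated address (something like `|/usr/local/bin/update-hosts-allow.py` is an assumption, not from the thread), feeding the raw message on stdin and passing `/etc/hosts.allow` as the path; the sending side only needs `make_subject` and the same secret. Note that hosts.allow is consulted per connection, so a change takes effect immediately without restarting sshd, and the sshd line replaces rather than appends so stale addresses do not accumulate.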
