Using DynDNS names in authorized_keys

Apparently checks in authorized_keys involving dynamic DNS names fail:

    from="" 1024 35 23...2334 ylo@niksula

As far as I can see, sshd doesn't check if "" maps to
the IP address of the connection. Instead it does a reverse name
resolution of the IP address of the connection, and since that points to
a name in the ISP's zone, the from test fails.

This behavior sounds reasonably secure.

Anyway, is there some other way to add an additional layer of security
using dynamic DNS addresses?


Re: Using DynDNS names in authorized_keys


You probably want CheckHostIP=no.  I'm not 100% sure it'll do what you
want but there's a good chance it will.

$ man ssh_config
     If this flag is set to ``yes'', ssh will additionally check the
     host IP address in the known_hosts file.  This allows ssh to
     detect if a host key changed due to DNS spoofing.  If the option
     is set to ``no'', the check will not be executed.  The default is

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: Using DynDNS names in authorized_keys

On Wed, 26 Nov 2003 04:32:37 +0000, Darren Tucker wrote:


Thanks for the hint. As far as I can see, CheckHostIP would be the wrong
way around, but sshd's option "VerifyReverseMapping" sounds interesting:

             Specifies whether sshd should try to verify the remote host name
             and check that the resolved host name for the remote IP address
             maps back to the very same IP address.  The default is ``no''.
The strange thing is that the verification apparently is off by default
(it's not overridden in my configuration file either), and still it
doesn't work (and no, it also makes no difference if I explicitly set
VerifyReverseMapping=no on the server where I try to login).

From a quick browse through the openssh sources, I don't see where
VerifyReverseMapping=no could change the behavior: It looks like sshd is
always resolving the canonical hostname for the comparison...

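To make concrete what the first and the last post above describe (sshd matches the from= list against the client's IP string and against the reverse-resolved name of that IP, never forward-resolving the name written in the pattern, and VerifyReverseMapping only decides whether that PTR name is trusted), here is an added Python simulation. It is not OpenSSH code and not part of the thread: DNS is replaced by constructed in-memory tables, every address and name in it is invented (documentation ranges), and the last function shows the forward-resolving check the original poster was expecting, which sshd itself does not perform; the remark that such a check could live in a command= wrapper reading $SSH_CONNECTION is an illustration, not something the thread states.

```python
"""
Added example (not OpenSSH source): a simulation of how sshd evaluates an
authorized_keys  from="pattern-list"  option, and of the forward-resolving
check the original poster was expecting.  DNS is replaced by constructed
in-memory tables so the script runs offline.
"""
import fnmatch

# Constructed stand-in for DNS.  Addresses are from documentation ranges
# and the names are invented; none of this is real data.
PTR_RECORDS = {
    # the dial-up client: its reverse name lives in the ISP's zone
    "203.0.113.45": "dsl-203-0-113-45.isp.example.net",
    # a host whose owner controls its reverse zone and claims the DynDNS name
    "198.51.100.7": "myhost.dyndns.example.org",
}
A_RECORDS = {
    "myhost.dyndns.example.org": "203.0.113.45",
    "dsl-203-0-113-45.isp.example.net": "203.0.113.45",
}


def reverse_lookup(ip):
    """PTR lookup (simulated)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """A lookup (simulated)."""
    return A_RECORDS.get(name.lower())


def match_pattern_list(candidate, pattern_list):
    """
    OpenSSH-style pattern list: comma separated, '*' and '?' wildcards,
    a leading '!' negates.  Returns 1 for a positive match, -1 if a
    negated entry matched, 0 for no match at all.
    """
    candidate = candidate.lower()
    positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip().lower()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(candidate, pat):
            if negated:
                return -1
            positive = True
    return 1 if positive else 0


def canonical_hostname(client_ip, verify_reverse_mapping=False):
    """
    The name sshd matches from= against: the reverse (PTR) name of the
    connecting address.  With VerifyReverseMapping the PTR name must
    forward-resolve back to the same address; if it does not (or there is
    no PTR at all), the bare IP string is used as the "hostname".
    """
    name = reverse_lookup(client_ip)
    if name is None:
        return client_ip
    if verify_reverse_mapping and forward_lookup(name) != client_ip:
        return client_ip
    return name


def sshd_from_allows(pattern_list, client_ip, verify_reverse_mapping=False):
    """
    sshd's decision: the list is matched against the client IP string and
    against the reverse-resolved hostname.  A negated match on either
    rejects; otherwise a positive match on either allows.  The names
    written in the pattern are never resolved themselves.
    """
    host = canonical_hostname(client_ip, verify_reverse_mapping)
    mip = match_pattern_list(client_ip, pattern_list)
    mhost = match_pattern_list(host, pattern_list)
    if mip == -1 or mhost == -1:
        return False
    return mip == 1 or mhost == 1


def forward_resolved_allows(dyndns_name, client_ip):
    """
    The check the poster expected: forward-resolve the DynDNS name and
    compare with the connecting address.  sshd does not do this; it is the
    kind of test a command= wrapper could run against the client address
    in $SSH_CONNECTION (illustrative assumption, not OpenSSH behaviour).
    """
    return forward_lookup(dyndns_name) == client_ip


if __name__ == "__main__":
    client = "203.0.113.45"
    print("from=myhost.dyndns.example.org :", sshd_from_allows("myhost.dyndns.example.org", client))
    print("from=*.isp.example.net         :", sshd_from_allows("*.isp.example.net", client))
    print("forward-resolved check         :", forward_resolved_allows("myhost.dyndns.example.org", client))
    print("spoofed PTR, no verification   :", sshd_from_allows("myhost.dyndns.example.org", "198.51.100.7"))
    print("spoofed PTR, VerifyReverseMapping:", sshd_from_allows("myhost.dyndns.example.org", "198.51.100.7", True))
```

Running it shows why the poster's entry fails: the pattern myhost.dyndns.example.org is compared with the ISP's PTR name and with the raw address, neither of which matches, whereas a pattern written against the ISP's reverse zone or the address range does match. The two spoofed-PTR cases show what VerifyReverseMapping actually buys: without it, anyone who controls the reverse zone of their own address can satisfy a hostname-based from= entry; with it, the PTR name is discarded unless it forward-resolves to the connecting address.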