| Summary: | Match support for HostbasedUsesNameFromPacketOnly | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Iain Morgan <imorgan> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | enhancement | CC: | djm |
| Priority: | P2 | | |
| Version: | -current | | |
| Hardware: | All | | |
| OS: | All | | |
| Bug Depends on: | | | |
| Bug Blocks: | 1708 | | |
I'll try to commit this together with Match support for AuthorizedKeys and a couple of others.

Please see attachment #1863 on bug #1764

fixed as part of bug #1764 - this will be in OpenSSH 5.6

Move resolved bugs to CLOSED after 5.7 release
Created attachment 1860: Enable Match support for HostbasedUsesNameFromPacketOnly

Currently HostbasedUsesNameFromPacketOnly can only be set as a global sshd_config option. This means that if hostbased authentication is enabled and some of the client hosts are behind a NAT, then all hostbased authentication attempts must only use the hostname from the authentication packet. A more surgical approach would be to allow this option to be enabled on a per-IP basis. Thus the resolved name could be used for clients that are not behind a NAT and those behind a NAT could use the name supplied in the packet.
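The per-address setup the report asks for, written as an sshd_config fragment. This is an added example, not taken from the attached patch or from the OpenSSH project; the address 192.0.2.10 (a documentation-range placeholder for the NAT gateway) and the user and host names in the check command are assumptions.

```sshd_config
# Constructed example. 192.0.2.10 is a placeholder for the NAT gateway's address.

# Global default: host-based authentication is on, and the client's name is
# resolved from the TCP connection (reverse lookup), not taken from the client.
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly no

# Only connections arriving from the NAT gateway use the hostname supplied in
# the authentication packet. Every other source keeps the resolved name.
Match Address 192.0.2.10
    HostbasedUsesNameFromPacketOnly yes

# Confirm the effective value for a given source address (placeholder values):
#   sshd -T -C user=alice,host=gw.example.org,addr=192.0.2.10 | grep -i hostbasedusesnamefrompacketonly
# Repeat with an address outside the Match block and expect "no".
```

With the option set to yes, sshd uses the name the client supplies instead of the name resolved from the connection, so the Match block should cover only the addresses that actually need it.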