Bug 720

Summary: "UseDNS no" breaks public key login
Product: Portable OpenSSH Reporter: w sanders <wsanders1>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WONTFIX    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: All   
OS: All   

Description w sanders 2003-09-27 07:34:18 AEST 
Setting "UseDNS no" as a temporary workaround for a host that does not have PTR
record breaks public key login for all hosts, even if they have valid, matching
A and PTR records. A message is logged to syslog: "sshd[1235]: Authentication
tried for <user> with correct key but not from a permitted host
(host=XXX.XXX.XXX.XXX, ip=XXX.XXX.XXX.XXX)." Host at IP XXX.XXX.XXX.XXX is a
host that is previously able to login when UseDNS is set to "yes". 

If this is not the intent of the UseDNS option
Comment 1 Damien Miller 2003-09-27 09:40:06 AEST 
are you talking about HostBased authentication, or user PublicKeyAuthentication?
Comment 2 w sanders 2003-09-30 07:24:41 AEST 
Ahhh, this was a usage error. You can close this bug. "UseDNS no" stops all DNS
references from occurring - I had expected it to only disable the restriction
that the host's IP be findable in a PTR DNS record. What was actually happening
is that from="<FQDN>" was in my authorized_keys file, and then "UseDNS no"
prevented sshd from looking up the IP of foo. SO sshd would complain "Your host
'11.22.33.44' is not permitted to use this key for login." when it also meant
"key found in the authorized_keys file for <GQDN> but not for 11.22.33.44".

The correct use of "UseDNS no" is to identify the key with 'from ="11.22.33.44"'
(the double quotes are required) rather than 'from="<FQDN>".
Comment 3 Damien Miller 2004-04-14 12:24:19 AEST 
Mass change of RESOLVED bugs to CLOSED