Normally during hostbased authentication, sshd strips any trailing dot from the hostname supplied by the client in the hostbased authentication request. However, when HostbasedUsesNameFromPacketOnly is set, it does not. This is bad for two reasons:

1) While one could interpret the option as saying that sshd should use the name verbatim, I believe this is not a useful interpretation. Rather, the point of the option is to rely only on the client-supplied name, rather than checking the DNS and refusing authentication if the names do not match. The question of what the name *is*, is a separate concern. Since the hostnames in shosts.equiv, all ~/.shosts files, and the known-hosts file will not have trailing dots, hostbased will fail until all these files are updated. Surely this is not the intention.

2) Even after fixing all the names, hostbased authentication still does not work, because the signed data in the authentication request includes the hostname: one side uses the dot, the other does not, and the signature is bad.
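Added example, not OpenSSH code and not the attached patch: it builds the hostbased signed data in the RFC 4252 section 9 layout to show how a single trailing dot changes the bytes being verified, and keeps the name used for file lookups separate from the name used for verification. The session id, key blob, user and host names are constructed placeholders, and `put_str`, `hostbased_blob`, `lookup_name` and `same_signed_data` are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append an SSH "string": uint32 big-endian length, then the bytes. */
static size_t put_str(uint8_t *b, size_t off, const void *s, size_t n) {
    b[off] = (uint8_t)(n >> 24); b[off + 1] = (uint8_t)(n >> 16);
    b[off + 2] = (uint8_t)(n >> 8); b[off + 3] = (uint8_t)n;
    memcpy(b + off + 4, s, n);
    return off + 4 + n;
}

/* Signed data for "hostbased" in the RFC 4252 section 9 field order.
 * Session id, key blob and user name are constructed placeholders. */
size_t hostbased_blob(uint8_t *b, const char *chost) {
    static const uint8_t sid[4] = {1, 2, 3, 4}, key[4] = {9, 9, 9, 9};
    size_t o = put_str(b, 0, sid, sizeof sid);
    b[o++] = 50;                               /* SSH_MSG_USERAUTH_REQUEST */
    o = put_str(b, o, "alice", 5);             /* user name on the server */
    o = put_str(b, o, "ssh-connection", 14);   /* service name */
    o = put_str(b, o, "hostbased", 9);
    o = put_str(b, o, "ssh-rsa", 7);           /* host key algorithm */
    o = put_str(b, o, key, sizeof key);        /* host key blob */
    o = put_str(b, o, chost, strlen(chost));   /* client host name, verbatim */
    return put_str(b, o, "alice", 5);          /* user name on the client */
}

/* Name for shosts.equiv / known-hosts lookups: drop one trailing dot. */
void lookup_name(const char *chost, char *out, size_t outsz) {
    size_t n = strlen(chost);
    if (n > 0 && chost[n - 1] == '.') n--;
    if (n >= outsz) n = outsz - 1;
    memcpy(out, chost, n);
    out[n] = '\0';
}

/* 1 if signer and verifier would cover identical bytes, else 0. */
int same_signed_data(const char *signer_name, const char *verifier_name) {
    uint8_t a[256], b[256];
    size_t la = hostbased_blob(a, signer_name);
    size_t lb = hostbased_blob(b, verifier_name);
    return la == lb && memcmp(a, b, la) == 0;
}

int main(void) {
    const char *sent = "client.example.com.";  /* constructed sample name */
    char name[64];
    lookup_name(sent, name, sizeof name);
    printf("lookup name: %s\n", name);
    printf("verify with stripped name: %d\n", same_signed_data(sent, name));
    printf("verify with name as sent:  %d\n", same_signed_data(sent, sent));
    return 0;
}
```

The hostname is length-prefixed inside the signed data, so the two variants differ in both a length field and the name bytes; normalizing the name is safe only for the file lookups.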
Created attachment 1150: patch

patch fixes the bug
*** Bug 1248 has been marked as a duplicate of this bug. ***
patch applied - this will be in the openssh-5.1 release. Thanks!
Mass update RESOLVED->CLOSED after release of openssh-5.1