ssh, hosts.allow, hosts.deny, and dyndns names - SSH
-
ssh, hosts.allow, hosts.deny, and dyndns names
I had "sshd: .cn" in my server's hosts.deny file, and a dyndns setup
on my laptop, with "sshd: myLaptopDyndns.host.name" (redacted) in
hosts.allow on the server.
I thought hosts.allow took precedence over hosts.deny, but when I was
in China, it wouldn't let me log in. (I had to log into another
machine somewhere else to log into my server to take "sshd: .cn" out
and restart sshd, before it would work.)
Is hosts.allow supposed to override hosts.deny?
Or is the problem that dyndns-type addresses don't "reverse lookup"
from the dynamic IP?
Thanks
-
Re: ssh, hosts.allow, hosts.deny, and dyndns names
>>>>> "BS" == Bob Sterne writes:
BS> I had "sshd: .cn" in my server's hosts.deny file, and a dyndns
BS> setup on my laptop, with "sshd: myLaptopDyndns.host.name"
BS> (redacted) in hosts.allow on the server.
BS> I thought hosts.allow took precedence over hosts.deny, but when I
BS> was in China, it wouldn't let me log in. (I had to log into
BS> another machine somewhere else to log into my server to take
BS> "sshd: .cn" out and restart sshd, before it would work.)
BS> Is hosts.allow supposed to override hosts.deny?
BS> Or is the problem that dyndns-type addresses don't "reverse
BS> lookup" from the dynamic IP?
Precisely. dyndns has control over its own DNS zone, but your ISP
controls the reverse zone for its addresses; dyndns has no way to update
that.
BS> Thanks
--
Richard Silverman
res@qoxp.net
-
Re: ssh, hosts.allow, hosts.deny, and dyndns names
Richard E. Silverman wrote:
> >>>>> "BS" == Bob Sterne writes:
>
> BS> I had "sshd: .cn" in my server's hosts.deny file, and a dyndns
> BS> setup on my laptop, with "sshd: myLaptopDyndns.host.name"
> BS> (redacted) in hosts.allow on the server.
>
> BS> I thought hosts.allow took precedence over hosts.deny, but when I
> BS> was in China, it wouldn't let me log in. (I had to log into
> BS> another machine somewhere else to log into my server to take
> BS> "sshd: .cn" out and restart sshd, before it would work.)
>
> BS> Is hosts.allow supposed to override hosts.deny?
>
> BS> Or is the problem that dyndns-type addresses don't "reverse
> BS> lookup" from the dynamic IP?
>
> Precisely. dyndns has control over its own DNS zone, but your ISP
> controls the reverse zone for its addresses; dyndns has no way to update
> that.
So anything in hosts.allow has to be "reverse-lookup-able" to work.
OK, thanks.
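
Added example, not part of the thread and not the TCP wrappers code: a simplified Python model of the hosts_access(5) decision order, showing that hosts.allow is consulted first but a host-name pattern is compared against the client's reverse (PTR) name and is never resolved forward. The addresses, host names and PTR table are constructed for illustration, and only the pattern types relevant here are modelled.

```python
# Simplified model of the hosts_access(5) decision order; not libwrap itself.
# All addresses and host names below are constructed for illustration.

# Reverse (PTR) zone: controlled by the ISP that owns the address block.
PTR = {"203.0.113.45": "pool-45.isp.example.cn"}
# Forward zone: the dynamic-DNS name points at the laptop's current address,
# but nothing maps the address back to this name.
FORWARD = {"mylaptop.dyndns.example": "203.0.113.45"}

def client_name(ip):
    """Name the wrapper sees: the PTR result, or 'unknown' if there is none."""
    return PTR.get(ip, "unknown")

def pattern_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. ".cn"
        return name.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # address prefix, e.g. "203.0.113."
        return ip.startswith(pattern)
    # Otherwise an exact host name or address; the pattern is never resolved.
    return pattern.lower() == name.lower() or pattern == ip

def table_matches(rules, daemon, ip):
    name = client_name(ip)
    return any(d in (daemon, "ALL") and pattern_matches(p, ip, name)
               for d, p in rules)

def access(allow, deny, daemon, ip):
    """hosts.allow is consulted first, then hosts.deny; default is grant."""
    if table_matches(allow, daemon, ip):
        return "granted (hosts.allow)"
    if table_matches(deny, daemon, ip):
        return "denied (hosts.deny)"
    return "granted (default)"

DENY = [("sshd", ".cn")]
ALLOW_BY_NAME = [("sshd", "mylaptop.dyndns.example")]
ALLOW_BY_PREFIX = [("sshd", "203.0.113.")]

if __name__ == "__main__":
    laptop_ip = FORWARD["mylaptop.dyndns.example"]
    print(access(ALLOW_BY_NAME, DENY, "sshd", laptop_ip))    # name entry never matches
    print(access(ALLOW_BY_PREFIX, DENY, "sshd", laptop_ip))  # address entry wins over deny
```

On a real server, comparing the output of a reverse lookup of the client address with the name in hosts.allow shows which of the two cases applies.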