ssh, hosts.allow, hosts.deny, and dyndns names - SSH


  1. ssh, hosts.allow, hosts.deny, and dyndns names

    I had "sshd: .cn" in my server's hosts.deny file, and a dyndns setup
    on my laptop, with "sshd: myLaptopDyndns.host.name" (redacted) in
    hosts.allow on the server.

    I thought hosts.allow took precedence over hosts.deny, but when I was
    in China, it wouldn't let me log in. (I had to log into another
    machine somewhere else to log into my server to take "sshd: .cn" out
    and restart sshd, before it would work.)

    Is hosts.allow supposed to override hosts.deny?

    Or is the problem that dyndns-type addresses don't "reverse lookup"
    from the dynamic IP?

    Thanks



  2. Re: ssh, hosts.allow, hosts.deny, and dyndns names

    >>>>> "BS" == Bob Sterne writes:

    BS> I had "sshd: .cn" in my server's hosts.deny file, and a dyndns
    BS> setup on my laptop, with "sshd: myLaptopDyndns.host.name"
    BS> (redacted) in hosts.allow on the server.

    BS> I thought hosts.allow took precedence over hosts.deny, but when I
    BS> was in China, it wouldn't let me log in. (I had to log into
    BS> another machine somewhere else to log into my server to take
    BS> "sshd: .cn" out and restart sshd, before it would work.)

    BS> Is hosts.allow supposed to override hosts.deny?

    BS> Or is the problem that dyndns-type addresses don't "reverse
    BS> lookup" from the dynamic IP?

    Precisely. dyndns has control over its own DNS zone, but your ISP
    controls the reverse zone for its addresses; dyndns has no way to update
    that.

    BS> Thanks

    --
    Richard Silverman
    res@qoxp.net


  3. Re: ssh, hosts.allow, hosts.deny, and dyndns names

    Richard E. Silverman wrote:

    > >>>>> "BS" == Bob Sterne writes:

    >
    > BS> I had "sshd: .cn" in my server's hosts.deny file, and a dyndns
    > BS> setup on my laptop, with "sshd: myLaptopDyndns.host.name"
    > BS> (redacted) in hosts.allow on the server.
    >
    > BS> I thought hosts.allow took precedence over hosts.deny, but when I
    > BS> was in China, it wouldn't let me log in. (I had to log into
    > BS> another machine somewhere else to log into my server to take
    > BS> "sshd: .cn" out and restart sshd, before it would work.)
    >
    > BS> Is hosts.allow supposed to override hosts.deny?
    >
    > BS> Or is the problem that dyndns-type addresses don't "reverse
    > BS> lookup" from the dynamic IP?
    >
    > Precisely. dyndns has control over its own DNS zone, but your ISP
    > controls the reverse zone for its addresses; dyndns has no way to update
    > that.


    So anything in hosts.allow has to be "reverse-lookup-able" to work.

    OK, thanks.
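
The behaviour discussed in this thread, as an added example that is not part of any post above: a simplified Python model of the tcp_wrappers decision order (hosts.allow first, then hosts.deny, otherwise grant), where hostname patterns are compared against the name obtained by reverse lookup of the client address. The addresses, the names and the `PTR`/`FORWARD` tables are constructed sample data, and only a subset of the hosts_access(5) pattern types is modelled.

```python
# Simplified model of the tcp_wrappers (hosts_access) decision for one daemon.
# All names and addresses below are constructed sample data.

# Reverse (PTR) zone: controlled by the ISP that owns the address block.
PTR = {"203.0.113.7": "host-7.pool.isp-example.cn"}
# Forward zone: the only thing the dynamic-DNS provider can update.
FORWARD = {"mylaptop.dyndns.example": "203.0.113.7"}

HOSTS_ALLOW = ["mylaptop.dyndns.example"]   # sshd: <dyndns name>
HOSTS_DENY = [".cn"]                        # sshd: .cn


def client_name(ip, ptr=PTR):
    """Name the wrapper sees: the PTR answer for the peer address, if any."""
    return ptr.get(ip, "unknown")


def matches(pattern, ip, name):
    """Subset of hosts_access(5) patterns: ALL, .suffix, prefix., exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, matched on the name
        return name.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # address prefix, matched on the IP
        return ip.startswith(pattern)
    return pattern.lower() == name.lower() or pattern == ip


def decide(ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY, ptr=PTR):
    """hosts.allow is consulted first, then hosts.deny, else access is granted."""
    name = client_name(ip, ptr)
    for pat in allow:
        if matches(pat, ip, name):
            return ("allow", f"hosts.allow: {pat}", name)
    for pat in deny:
        if matches(pat, ip, name):
            return ("deny", f"hosts.deny: {pat}", name)
    return ("allow", "no rule matched", name)


if __name__ == "__main__":
    ip = FORWARD["mylaptop.dyndns.example"]
    # The forward name points at this IP, but the PTR answer is the ISP's name.
    print(decide(ip))
    # If the reverse zone returned the dyndns name, hosts.allow would win.
    print(decide(ip, ptr={ip: "mylaptop.dyndns.example"}))
    # An address pattern in hosts.allow does not depend on reverse DNS.
    print(decide(ip, allow=["203.0.113."]))
```
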













