Author Topic: hosts.allow / hosts.deny doesn't resolve DNS entries  (Read 1909 times)

Offline bigdav1178

hosts.allow / hosts.deny doesn't resolve DNS entries
« on: December 04, 2011, 10:16:02 AM »
I am trying to set up secure SSH access to my desktop, restricting access to only those hosts I approve of. I have already set up my sshd_config file and /etc/hosts.allow file to restrict access to the service, and it is working properly EXCEPT that it fails to allow hosts using fully-qualified DNS addresses. Specifically, I am attempting to use some dynamic DNS names to point to a few hosts with dynamic IP addresses over the Internet. If I use the corresponding IP addresses for these hosts, access is allowed properly, but my system does not seem to identify them by their DNS addresses. The problem does not appear to be a DNS issue with my system, as I can ping / nslookup the DNS addresses, and they resolve properly.

For reference, here is a representation of my /etc/hosts.allow (IP addresses and DNS names are "masked"):

#
# hosts.allow   This file describes the names of the hosts which are
#      allowed to use the local INET services, as decided
#      by the '/usr/sbin/tcpd' server.
#

ALL : localhost,127.0.0.1 : allow
sshd : <IP_address_machine1>,<IP_address_machine2> : allow
sshd : <Hostname_machine3>.dyndns.org : allow
sshd : <Hostname_machine4>.dyndns.org : allow
ALL : ALL : deny

Offline melodie

  • XMMP=Jabber, free instant messaging protocol !
    • PCLinuxOS Fr
Re: hosts.allow / hosts.deny doesn't resolve DNS entries
« Reply #1 on: December 04, 2011, 02:57:10 PM »
Hi,

I am not a specialist, but what I notice is: you are already in an "allow" file. Why do you add allow at the end of each line?

Here is my hosts.allow file, for local access only:

Code:
## /etc/hosts.allow
##
sshd: 192.168.0.0/255.255.255.0
distccd: 192.168.0.0/255.255.255.0
## End of file

(and it's most probably wrong because we have changed family address.. :/ )

melodie at swissjabber dot ch - IRC #pclinuxos-fr sur freenode

Offline bigdav1178

Re: hosts.allow / hosts.deny doesn't resolve DNS entries
« Reply #2 on: December 05, 2011, 04:21:16 AM »
Thanks for the suggestion, but no change.  :-\

Offline melodie

Re: hosts.allow / hosts.deny doesn't resolve DNS entries
« Reply #3 on: December 05, 2011, 05:39:53 AM »
Quote from: bigdav1178
Thanks for the suggestion, but no change.  :-\

Hi,
I suggest you read the manual of sshd, then the other relevant manuals indicated at the end. (You know? "man sshd"). There are very interesting options there which might be very helpful to you for what you need to do.

One example I think about could be this part:
Quote
AUTHORIZED_KEYS FILE FORMAT
     AuthorizedKeysFile specifies the files containing public keys for public
     key authentication; if none is specified, the default is
     ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2.  Each line of the
     file contains one key (empty lines and lines starting with a ‘#’ are
     ignored as comments). (...)


and maybe other parts of the manual may help you.

Else, I re-read your post and see you use dyndns. I think I remember there is a program, something such as a client...

Something like:
Quote
$ apt-cache search dyndns
ez-ipupdate - Client for Dynamic DNS Services
ddclient - A client to update host entries on DynDNS like services


You may want to have a look here:
http://dyn.com/support/clients/linux/

and here:
http://dyn.com/support/clients/linux/ddclient/

Good luck,
Mélodie

melodie at swissjabber dot ch - IRC #pclinuxos-fr sur freenode

Offline bigdav1178

Re: hosts.allow / hosts.deny doesn't resolve DNS entries
« Reply #4 on: December 05, 2011, 08:53:39 AM »
I am aware of the keys and authorized hosts files for SSH, but they apply to SSH authorization - if they were not configured properly, I would not be able to connect using the current IP addresses for those dyndns hosts either (and I've verified I am able to connect using their respective addresses).

I have used ddclient in the past, but currently have the router configured to update the IP address for one host, and the other host has its own dyndns client. On my end, however, ddclient wouldn't do anything - its purpose is to send a client machine's current IP address to the dyndns servers, so that queries for that client machine's address return the current IP address. I have already verified that manual DNS lookups for both clients do return the proper IP addresses, the hosts.allow/deny files just don't seem to query the hostnames for their IP addresses.

So, still at the same point, but again, thanks for the suggestions.


For what it is worth, I've found that if I put the hostnames into the /etc/hosts file with fixed IP addresses, hosts.allow/deny will resolve the hostnames. This would be fine if they were static addresses, but since they are dynamic, they change quite often - for a mobile device, it could change several times in a single day. I've considered setting up a cron job to update the addresses in the /etc/hosts file at a regular interval, but it'd be nice if there was a better/cleaner way to keep the addresses updated (like querying for the address as it is accessed). Anyone have any thoughts?
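The matching behaviour behind the original post and this reply, as an added Python model (this is neither code from the thread nor libwrap source): hosts_access(5) matches a host name pattern against the client name obtained by reverse lookup of the connecting address, confirmed by a forward lookup of that name, and it never forward-resolves the names written in hosts.allow. A dynamic-DNS name can therefore only match when the PTR record for the client's current address, which belongs to the ISP, returns that name, and it does not. Putting the address in /etc/hosts works because libwrap's reverse lookup goes through NSS, which with the usual "hosts: files dns" line in /etc/nsswitch.conf reads /etc/hosts before DNS. The addresses, names and DNS answers below are constructed for the example; on a real system the checks are `grep ^hosts /etc/nsswitch.conf` and `dig -x <client address>`.

```python
"""
Model of how tcp_wrappers (libwrap) matches a client against the host
patterns in /etc/hosts.allow.  Added illustration, not libwrap source; the
resolver tables are constructed for the example.

For each connection libwrap reverse-resolves the client's IP address through
the system resolver (NSS: /etc/hosts first, then DNS), forward-resolves the
name it got back and checks that the client address is among the results
(the "paranoid" double lookup), and only then compares the verified name
with the patterns.  Names written in hosts.allow are never looked up.
"""
import ipaddress

# Constructed scenario: a host on a dynamic ISP address with a dyndns name.
DYN_IP = "203.0.113.45"                    # current address (documentation range)
DYN_NAME = "machine3.dyndns.org"           # its dynamic-DNS name
ISP_PTR = "45.113.0.203.dsl.example.net"   # what the ISP's PTR record returns

# Public DNS as the poster sees it: both names resolve forward to the address,
# but the reverse record belongs to the ISP, not to dyndns.
DNS_FORWARD = {DYN_NAME: {DYN_IP}, ISP_PTR: {DYN_IP}}
DNS_REVERSE = {DYN_IP: ISP_PTR}


def _hosts_entries(hosts_text):
    """Yield (ip, [names]) for each non-comment line of an /etc/hosts text."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def nss_reverse(ip, hosts_text, dns_reverse=DNS_REVERSE):
    """gethostbyaddr() as NSS performs it: /etc/hosts first, then DNS."""
    for entry_ip, names in _hosts_entries(hosts_text):
        if entry_ip == ip:
            return names[0]
    return dns_reverse.get(ip)


def nss_forward(name, hosts_text, dns_forward=DNS_FORWARD):
    """gethostbyname() as NSS performs it: /etc/hosts first, then DNS."""
    addrs = {entry_ip for entry_ip, names in _hosts_entries(hosts_text) if name in names}
    return addrs or dns_forward.get(name, set())


def libwrap_client_name(ip, hosts_text):
    """Name libwrap will use for the client, or None when the forward lookup
    does not confirm the reverse one (libwrap then treats the client as
    'paranoid' and no hostname pattern matches it)."""
    name = nss_reverse(ip, hosts_text)
    if name is None or ip not in nss_forward(name, hosts_text):
        return None
    return name


def host_pattern_matches(pattern, ip, hosts_text=""):
    """Evaluate one client pattern from hosts.allow against a client IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask form, e.g. 192.168.0.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(ip)
    except ValueError:
        pass                                # not an address, so it is a name pattern
    name = libwrap_client_name(ip, hosts_text)
    if name is None:
        return False
    if pattern.startswith("."):             # leading dot: domain suffix pattern
        return name.lower().endswith(pattern.lower())
    return name.lower() == pattern.lower()


def demo():
    """Same client and same hosts.allow line, without and with an /etc/hosts entry."""
    hosts = "127.0.0.1 localhost\n"
    name_only = host_pattern_matches(DYN_NAME, DYN_IP, hosts)
    with_entry = host_pattern_matches(DYN_NAME, DYN_IP, hosts + f"{DYN_IP} {DYN_NAME}\n")
    return name_only, with_entry


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The model also explains why the address and net/mask forms in the thread work: they are compared numerically and involve no lookup at all. The flip side of matching on the verified reverse name is that it trusts whoever controls the PTR zone for the client's address, so the /etc/hosts entry is really just an IP allow-list that happens to be spelled as a name.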

Offline bigdav1178

Re: hosts.allow / hosts.deny doesn't resolve DNS entries
« Reply #5 on: December 06, 2011, 02:41:40 PM »
Well, for now I've got a workaround in place:
I've added each host with a dynamic address to /etc/hosts, and created a script to check the saved IP address for each host in /etc/hosts against a dns lookup of the host. If the DNS lookup and the saved IP address do not match, a 'sed' command is used to substitute the entry with the current IP address. The script has been added as a cron job that runs every 5 minutes to ensure a fairly timely update.

It's dirty, but it serves the purpose for now. If anyone has any other thoughts, please share. Thanks!
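A version of the workaround in this reply, as an added example in Python (not the poster's script): it keeps one tagged line per dynamic name in /etc/hosts, rewrites the file atomically only when an address actually changed, and keeps the last known address when a lookup fails rather than dropping access. The names, addresses and the cron path in the usage note are placeholders. The one detail that bites in practice is the lookup itself: it must ask DNS directly (here via `dig`, which reads /etc/resolv.conf), because anything going through NSS, such as `getent`, `ping` or `gethostbyname()`, reads /etc/hosts first and hands back the stale address the script wrote on its previous run.

```python
"""
Added example (not the poster's script): keep managed /etc/hosts lines for
dynamic-DNS names in step with what DNS currently returns, so that libwrap's
reverse lookup of a connecting client yields the name listed in
/etc/hosts.allow.  Intended to run from cron as root, e.g. every 5 minutes.
"""
import ipaddress
import os
import subprocess
import tempfile

# Names to keep current: placeholders, substitute your own.
DYNAMIC_NAMES = ["machine3.dyndns.org", "machine4.dyndns.org"]
MARKER = "# managed-dyndns"   # the script only ever touches lines carrying this tag


def resolve_ipv4_via_dig(name):
    """Current A record of name straight from DNS (bypassing /etc/hosts), or None."""
    try:
        out = subprocess.run(["dig", "+short", "+time=3", "+tries=2", name, "A"],
                             capture_output=True, text=True, timeout=15,
                             check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    for token in out.split():           # +short may list CNAME targets before the address
        try:
            return str(ipaddress.IPv4Address(token.rstrip(".")))
        except ipaddress.AddressValueError:
            continue
    return None


def parse_hosts(text):
    """Split hosts text into untouched lines and {name: ip} from managed lines."""
    kept, managed = [], {}
    for line in text.splitlines():
        if line.rstrip().endswith(MARKER):
            ip, name = line.split()[:2]
            managed[name] = ip
        else:
            kept.append(line)
    return kept, managed


def render_hosts(kept, mapping):
    """Rebuild hosts text: untouched lines first, then one managed line per name."""
    managed_lines = [f"{ip}\t{name}\t{MARKER}" for name, ip in sorted(mapping.items())]
    return "".join(line + "\n" for line in kept + managed_lines)


def refresh_hosts(path="/etc/hosts", names=DYNAMIC_NAMES, resolver=resolve_ipv4_via_dig):
    """Rewrite path so each name carries its current address.
    Returns {name: (old_ip, new_ip)} for the names whose address changed."""
    with open(path) as f:
        text = f.read()
    kept, managed = parse_hosts(text)
    mapping, changed = {}, {}
    for name in names:
        ip = resolver(name)
        if ip is None:
            ip = managed.get(name)      # lookup failed: keep the last known address
            if ip is None:
                continue
        mapping[name] = ip
        if managed.get(name) != ip:
            changed[name] = (managed.get(name), ip)
    new_text = render_hosts(kept, mapping)
    if new_text != text:
        # Write a temp file in the same directory and rename it over the original,
        # so a connection arriving mid-update never sees a half-written /etc/hosts.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                                   prefix=".hosts.")
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.chmod(tmp, 0o644)            # mkstemp creates 0600; /etc/hosts must be world-readable
        os.replace(tmp, path)
    return changed


def demo_offline():
    """One refresh against a constructed hosts file with a fake resolver."""
    sample = "127.0.0.1\tlocalhost\n203.0.113.45\tmachine3.dyndns.org\t# managed-dyndns\n"
    answers = {"machine3.dyndns.org": "203.0.113.99", "machine4.dyndns.org": None}
    fd, path = tempfile.mkstemp(prefix="hosts-demo.")
    with os.fdopen(fd, "w") as f:
        f.write(sample)
    try:
        changed = refresh_hosts(path, names=list(answers), resolver=answers.get)
        with open(path) as f:
            after = f.read()
        again = refresh_hosts(path, names=list(answers), resolver=answers.get)
    finally:
        os.unlink(path)
    return changed, after, again


if __name__ == "__main__":
    print(refresh_hosts())
```

A crontab line such as `*/5 * * * * root /usr/local/sbin/refresh-dyndns-hosts.py` (path assumed) gives the same cadence as the poster's job. The residual risk is the same as with any address-based allow-list: for up to one interval after the remote host's address changes, the old address, which the ISP may already have handed to someone else, still passes the hosts.allow check, so key-based authentication in sshd remains the control that actually keeps strangers out.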