
8 comments:

At 2021/05/27 14:57
Chris D wrote:

You say that, "Unfortunately there's no ssh_config pattern for hosts that means 'match all hostnames with no dot'." Have you considered this version?

Host *.*
    Hostname %h

Host *
    Hostname %h.example.com

Chris
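
To check what the two stanzas actually do, here is an added example (not Chris's or the blog's code, and not OpenSSH's own parser) that emulates ssh_config's first-match rule for Hostname, with example.com kept as the placeholder domain from the comment; it also runs the stanzas in reverse order to show why the order matters.

```python
import re

# Constructed copy of the two-stanza trick proposed above (example.com as in the comment)
SSH_CONFIG = """\
Host *.*
    Hostname %h

Host *
    Hostname %h.example.com
"""
# The same stanzas in the opposite order, to show why the order matters
SSH_CONFIG_REVERSED = """\
Host *
    Hostname %h.example.com
Host *.*
    Hostname %h
"""

def _glob_match(pattern, name):
    # Host patterns use '*' and '?' as wildcards; every other character is literal
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None

def host_stanza_matches(patterns, name):
    """Whitespace/comma separated pattern list; a matching '!' pattern vetoes the stanza."""
    matched = False
    for pat in re.split(r"[,\s]+", patterns.strip()):
        if pat.startswith("!"):
            if _glob_match(pat[1:], name):
                return False
        elif _glob_match(pat, name):
            matched = True
    return matched

def resolve_hostname(config, name):
    """Emulate ssh_config's first-obtained-value rule for Hostname: the first matching Host
    stanza that sets Hostname wins. Patterns match the name typed on the command line, and
    %h expands to that typed name."""
    active = True                      # directives before any Host line apply to all hosts
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "host":
            active = host_stanza_matches(value, name)
        elif keyword == "hostname" and active:
            return value.replace("%h", name)
    return name                        # no Hostname applied: connect to the name as typed
```

With the real client the same check is `ssh -G -F <file> <host>`, which prints the resolved `hostname` line.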

At 2021/05/27 15:01
wrote:

No, I haven't tried that. It looks like it should work though. Thanks!

At 2021/06/20 19:53
Norm Gaywood wrote:

This was most helpful, thank you!

Some time ago the default in Fedora in sshd_config for UseDNS changed from Yes to No.

I found that I had to:

sshd_config:UseDNS yes

Otherwise I'd get a log message like this:

sshd[2540]: userauth_hostbased mismatch: client sends HOSTNAME, but we resolve 128.100.X.Y to 128.100.X.Y

See:

https://utcc.utoronto.ca/~cks/space/blog/sysadmin/OpenSSHUseDNSErrorAnnoyance

At 2021/08/20 9:23
BoBo wrote:

I have a problem when I change the ssh port. When I change the ssh port I need to run another ssh-keyscan scan to create a new ssh_known_hosts file. The new ssh_known_hosts file is different from the old one. In the old file everything is on one line:

h,host,host.domain,IP key...

but in the new ssh_known_hosts file, which contains the port number, every alias is on a new line:

[h]:portNumber key...

[host]:portNumber key...

etc.

In this case the above procedure fails when it reads ssh_known_host2 the second time (point 10.). It can't find the fqdn hostname and hostbased authentication fails.

Does this work only on the standard ssh port 22?
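
The two layouts above differ in the name ssh looks up, not just in line count. This added example (not BoBo's or the blog's code) mirrors OpenSSH's known_hosts lookup string, a bare name on port 22 but [host]:port otherwise, and shows that a lookup for the fqdn by name alone misses every line of the port-scanned file; both sample files and their keys are constructed.

```python
import re

# Constructed samples of the two ssh_known_hosts layouts described above (keys are fake):
# ssh-keyscan on port 22 joins every alias of a host on one line ...
KNOWN_HOSTS_22 = "h,host,host.domain,192.0.2.10 ssh-ed25519 AAAAC3KEYFOR22 comment\n"
# ... while a scan with -p 2222 emits one [alias]:port entry per line
KNOWN_HOSTS_2222 = (
    "[h]:2222 ssh-ed25519 AAAAC3KEYFOR2222\n"
    "[host]:2222 ssh-ed25519 AAAAC3KEYFOR2222\n"
    "[host.domain]:2222 ssh-ed25519 AAAAC3KEYFOR2222\n"
)

def lookup_name(host, port=22):
    """The string ssh compares with the host field: bare name on 22, [host]:port otherwise."""
    return host if port == 22 else f"[{host}]:{port}"

def split_alias(alias):
    """Inverse of lookup_name: '[host.domain]:2222' -> ('host.domain', 2222), plain -> port 22."""
    m = re.fullmatch(r"\[(.+)\]:(\d+)", alias)
    return (m.group(1), int(m.group(2))) if m else (alias, 22)

def _glob_match(pattern, name):
    # known_hosts wildcards are '*' and '?' only; '[' and ']' are literal, so fnmatch would be wrong
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None

def parse_known_hosts(text):
    """Yield (aliases, keytype, key) per entry; hashed |1|... names are kept as opaque strings."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # drop an @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0].split(","), parts[1], parts[2]

def find_keys(text, host, port=22):
    """Keys whose host field matches host:port the way a client or hostbased check sees it."""
    name = lookup_name(host, port)
    return [(ktype, key) for aliases, ktype, key in parse_known_hosts(text)
            if any(_glob_match(a, name) for a in aliases)]

def aliases_for_key(text, key):
    """Every name bound to one host key: a single line's worth on port 22, but scattered
    over several single-alias lines (each wrapped in [..]:port) after a port scan."""
    return [a for aliases, _, k in parse_known_hosts(text) if k == key for a in aliases]
```

Any script that pulls the fqdn out of the matched line therefore has to unwrap [host]:port with something like split_alias and gather aliases across lines, or it only works for port 22.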

At 2021/08/20 15:41
wrote:

I haven't seen this. I do have some entries in my known_hosts in this format but none of them are hostbased so it hasn't caused any issue. I have one guess though: are you using a non-privileged port? Hostbased authentication may require the answering port to be below 1024.
