https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081036#M440477 Shalom Tim,<BR /><BR />Not that I know of, though a similar device exists in the sshd_config file, it is worth a look.<BR /><BR />Generally people use trp_wrappers, free from <A href="http://software.hp.com" target="_blank">http://software.hp.com</A> to handle these issues.<BR /><BR />SEP Thu, 22 Nov 2007 12:38:38 GMT Steven E. Protter 2007-11-22T12:38:38Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081035#M440476 HI All,<BR /><BR />I now have ssh working on my test server (thanks Matti). I want to try and restrict access to certain PC names if possible. I can restrict access to the IP address of my PC by putting an entry sshd:11.22.333.44 in hosts.allow. However, if I change this address to the fully qualified domain name of my pc I am denied access. I can ping the fully qualified domain name of my pc successfully. Is it possible to do this with hosts.allow/hosts.deny?<BR /><BR />Thanks,<BR /><BR />Tim Thu, 22 Nov 2007 12:15:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081035#M440476 Tim O'Connell 2007-11-22T12:15:12Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081036#M440477 Shalom Tim,<BR /><BR />Not that I know of, though a similar device exists in the sshd_config file, it is worth a look.<BR /><BR />Generally people use trp_wrappers, free from <A href="http://software.hp.com" target="_blank">http://software.hp.com</A> to handle these issues.<BR /><BR />SEP Thu, 22 Nov 2007 12:38:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081036#M440477 Steven E. Protter 2007-11-22T12:38:38Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081037#M440478 (SEP: HP-provided SSH uses libwrap, i.e. the same code as in the tcpwrapper utility. Because sshd needs to generate session keys at startup, it is not efficient to make ssh start from inetd.)<BR /><BR />Sounds like your DNS service might not have a valid reverse lookup record (PTR record) for your PC. It's not very intuitive, but for DNS, "what's the IP address for this name" and "what's the name of this IP address" are completely unrelated pieces of data, even if they refer to the same name/address pair.<BR /><BR />On your test server: run "nslookup name.of.your.pc", then run "nslookup ip.address.of.your.pc". Both should report essentially the same answer. However, I'm guessing you'll be getting something unexpected from the latter query.<BR /><BR />When you ping your PC using the FQDN, the ping command needs to find the IP address before it can start sending the pings: this is the "standard" DNS lookup.<BR /><BR />When ssh receives a connection, it only knows the source IP address from the packet headers. As the hosts.allow rule might be very complex, it is not efficient to make standard DNS lookups to every hostname listed in the hosts.allow lines. Instead, the libwrap code makes a reverse DNS lookup for the IP address. If the reverse lookup data in the DNS server is up to date, the reverse lookup produces a fully-qualified hostname of the client (your pc, in this case). If this name matches one of the hostnames listed in hosts.allow line, you are granted access.<BR /><BR />Unfortunately, forgetting to update the reverse DNS information is one of the most common DNS administration mistakes.<BR /><BR />MK Fri, 23 Nov 2007 03:27:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081037#M440478 Matti_Kurkela 2007-11-23T03:27:45Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081038#M440479 Thanks for the replies. Points assigned<BR /><BR />Tim Mon, 26 Nov 2007 04:20:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-amp-hosts-allow/m-p/5081038#M440479 Tim O'Connell 2007-11-26T04:20:45Z