# ssh: Reverse mapping revisited [SOLVED]

## jody

Hi

For a little while now I have had enormous delays (>1 min) when trying to establish an ssh connection with a particular server, using a major internet provider. This delay takes place before the login prompt. Afterwards, everything is normal.

I found out that the server has a problem with reverse mapping checking:

```
Unmatched Entries

 reverse mapping checking getaddrinfo for xxx-xxx.x-xx.yyy.yyyyyyy.yy [xx.x.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT! : 1 time(s)
```

In an older post

https://forums.gentoo.org/viewtopic-t-248950-highlight-ssh+reverse+mapping+checking.html

somebody suggested setting

```
VerifyReverseMapping no
```

in the server's /etc/ssh/sshd_config file, to prevent it from doing that check.

However, this option doesn't seem to be present in sshd_config (at least not as a commented-out entry), and the man page for sshd_config also doesn't mention it.

Is it still possible to do this somehow?

If yes, is this dangerous?

Could it be possible to tell the server that the IP address my laptop uses can be implicitly trusted, whereas the reverse check should be done otherwise?

Thank you

  Jody

Last edited by jody on Thu Mar 11, 2010 3:32 pm; edited 1 time in total

----------

## scherz0

 *Quote:*   

> Is it still possible to do this somehow?

```
     UseDNS  Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the
             remote IP address maps back to the very same IP address.  The default is ``yes''.
```

 *Quote:*   

> Could it be possible to tell the server that the IP address my laptop uses can be implicitly trusted, whereas the reverse check should be done otherwise?

Would you trust some host if and only if its IP can be reverse-checked?

----------

## jody

 *Quote:*   

> Would you trust some host if and only if its IP can be reverse-checked?

I think for my purposes that would be ok.

So setting 'UseDNS' to 'no' would reverse check the IP, but not the host name?

As to the cause of this problem: does it lie with the internet provider?

Thank You

  Jody

----------

## scherz0

 *Quote:*   

> So setting 'UseDNS' to 'no' would reverse check the IP, but not the host name?

No, it would disable reverse checking, which is what you are looking for.

Reverse check IP means: look up the name for the remote IP, then look up the IP for that name, then compare with the remote IP.

 *Quote:*   

> As to the cause of this problem: does it lie with the internet provider? 

 

Yes.  Unfortunately many people don't care about reverse names.

 *Quote:*   

>  *Quote:*   Would you trust some host if and only if its IP can be reverse-checked?
> 
> I think for my purposes that would be ok.

 

Sorry, I was unclear.  I was trying to make you think about the fact that having a PTR does not make you a good guy, and for sure not having one does not make you a bad guy.

So I think reverse checking is useless, as long as you don't rely on names within ssh (.shosts etc).
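To make the three steps concrete, here is an added model of the check in Python (not code from the thread or from OpenSSH); the DNS records are constructed and the two lookup functions stand in for the getnameinfo()/getaddrinfo() calls sshd makes:

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data standing in for real PTR and A records (not real hosts).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "laptop.example.net",  # PTR and A agree: check passes
    "192.0.2.11": "dyn-11.isp.example",  # PTR exists, but the name resolves elsewhere
    "192.0.2.13": "nowhere.example",     # PTR points at a name with no A record
    # 192.0.2.12 deliberately has no PTR at all (typical for provider ranges)
}
A_RECORDS: Dict[str, List[str]] = {
    "laptop.example.net": ["192.0.2.10"],
    "dyn-11.isp.example": ["198.51.100.7"],
}

def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for getnameinfo(): the PTR name for an address, or None."""
    return PTR_RECORDS.get(ip)

def forward_lookup(name: str) -> List[str]:
    """Stand-in for getaddrinfo(): the addresses for a name, empty if none."""
    return A_RECORDS.get(name, [])

def remote_hostname(ip: str, use_dns: bool = True,
                    ptr: Callable[[str], Optional[str]] = ptr_lookup,
                    fwd: Callable[[str], List[str]] = forward_lookup) -> Tuple[str, str]:
    """Return (name sshd would use for the peer, log line).

    Steps as described above: name for the remote IP, IPs for that name, compare
    with the remote IP. A failed check does not reject the peer; sshd logs it and
    falls back to the bare address, so only name-based rules (.shosts, hosts.allow
    entries by name) are affected. UseDNS no skips the lookups entirely."""
    if not use_dns:  # UseDNS no: no lookups at all, hence no resolver delay
        return ip, f"UseDNS no: using [{ip}] without lookups"
    name = ptr(ip)
    if name is None:  # a missing PTR is not treated as suspicious, just unnamed
        return ip, f"no PTR for [{ip}]: using address"
    addrs = fwd(name)
    if not addrs:  # the log line quoted at the top of the thread
        return ip, (f"reverse mapping checking getaddrinfo for {name} [{ip}] "
                    "failed - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        return ip, (f"Address {ip} maps to {name}, but this does not map back "
                    "to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return name, f"reverse mapping for [{ip}] confirmed as {name}"

if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(remote_hostname(peer))
    print(remote_hostname("192.0.2.11", use_dns=False))
```

The delay in the original post comes from the resolver timing out on these lookups, which is why the login prompt only appears after a minute while everything afterwards is normal.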

----------

## jody

Thank you for your reply.

I must admit that my knowledge of ssh internals is not big, so your concluding remarks

 *Quote:*   

> Sorry, I was unclear. I was trying to make you think about the fact that having a PTR does not make you a good guy, and for sure not having one does not make you a bad guy.
> 
> So I think reverse checking is useless, as long as you don't rely on names within ssh (.shosts etc).

still have me scratching my head: what does 'PTR' mean?

With 'rely on names within ssh' do you mean passwordless ssh, for example?

On this server I don't allow passwordless authentication, but use /etc/hosts.allow to determine who gets in and who doesn't.

Thank You

  Jody

----------

## desultory

 *jody wrote:*   

> still have me scratching my head: what does 'PTR' mean?

It is a type of DNS record which maps an address to a name.

----------

## scherz0

 *Quote:*   

> With 'rely on names within ssh' do you mean passwordless ssh, for example?

No, I mean host-based authentication, like in .rhosts/.shosts mechanisms.

----------

## jody

Because the server only allows a small range of IP addresses, and it neither uses .shosts nor passwordless log-ins, I decided to set UseDNS=no.

Looks like it works ok now.

Thanks to all

  jody

----------

## boeroboy

Hi, thanks, this is helpful.  I've been cautious about disabling reverse DNS, but we have clusters of VMS Alpha servers doing SFTP to our box, and sometimes the node running SFTP doesn't check out with DNS.  It's very frustrating.  I wish there were a way to make exceptions for IP ranges instead of totally enabling/disabling it.

Thanks!
