
Re: can't verify hostname: getaddrinfo...



Ryan Golhar wrote:
I have a group of machines that are only accessible by users from
certain ISPs.  One of those ISPs, we'll call abc.net.  The example IP
address I will use is 1.1.1.1

In my /etc/hosts.allow, I have:

sshd: LOCAL, .abc.net

This was working for some time, but somewhere along the last few weeks
or months stopped working, and I don't know why.
/var/log/secure reports the following:

sshd[7693]: warning: /etc/hosts.allow, line 10: can't verify hostname:
getaddrinfo(host-1-1-1-1.abc.net, AF_INET) failed
sshd[7693]: refused connect from 1.1.1.1 (1.1.1.1)

The users are real and were able to get access to these machines.  I've
verified that I can get access to the machines from a different ISP, in
fact, most of the users can.  It just seems to be this 1 provider that
these 2 users have.  Any ideas where I can start looking to find the
cause of this problem?

Ryan

On a hunch, this seems to be a DNS problem. I don't know whether this is correct, but does the lookup "IP address" -> "reverse address" -> "IP address" seem to fail, probably because the ISP has a messily configured DNS?

1) Try this on the command line (the 'rdig.pl' program is just a reverse-lookup Perl program that uses 'dig'; see the attached program. Use that, or just execute 'dig 1.2.3.4.in-addr.arpa. PTR' instead of 'rdig.pl 4.3.2.1'):

"rdig.pl 1.1.1.1" should give "host-1-1-1-1.abc.net" - if not, your setup won't work

"dig host-1-1-1-1.abc.net" should give "1.1.1.1" - if not, your setup SHOULD not work

2) See "man getaddrinfo"

Best regards,

-- David


----------8<-----------------rdig--------------------

#!/usr/bin/perl -w
# rdig.pl: reverse-resolve an IPv4 address by asking dig for its PTR record
use strict;

if (!defined $ARGV[0]) {
    print STDERR "You have to pass an IP address to reverse-resolve\n";
    exit 1;
}

if ($ARGV[0] =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
    # Reverse the octets: 1.2.3.4 becomes 4.3.2.1.in-addr.arpa
    my $reverse = "$4.$3.$2.$1.in-addr.arpa";
    # List-form open runs dig directly, without passing through a shell
    open(my $pipe, '-|', '/usr/bin/dig', $reverse, 'PTR')
        or die "Could not open pipe: $!\n";
    my @lines = <$pipe>;
    close($pipe) or die "Could not close pipe: $!\n";
    foreach my $line (@lines) {
        print $line;
    }
    exit 0;
}
else {
    print STDERR "The passed argument $ARGV[0] is not an IP address\n";
    exit 1;
}
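
The round trip described in the reply above (IP -> PTR name -> A records -> same IP), as an added Python example that is not part of the original message or its attachment. The function names, verdict labels and the sample records built from the thread's placeholder names are constructed for illustration.

```python
import socket
import sys

def system_reverse(ip):
    """PTR lookup through the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are both OSError
        return None

def system_forward(name):
    """IPv4-only forward lookup (AF_INET, as in the log line); returns a set of IPs."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def roundtrip_check(ip, reverse=system_reverse, forward=system_forward):
    """Return (verdict, hostname) for the IP -> name -> IP round trip."""
    name = reverse(ip)
    if name is None:
        return ("no-ptr", None)          # no hostname available for a name pattern
    addrs = forward(name)
    if not addrs:
        return ("forward-failed", name)  # the situation shown in /var/log/secure
    if ip not in addrs:
        return ("mismatch", name)        # name resolves, but not back to this IP
    return ("verified", name)            # hostname can be trusted for matching

# Constructed sample records (assumed, using the thread's placeholder names).
SAMPLE_PTR = {
    "1.1.1.1": "host-1-1-1-1.abc.net",   # PTR exists, but no A record below
    "1.1.1.2": "host-1-1-1-2.abc.net",   # consistent PTR and A
    "1.1.1.3": "host-1-1-1-2.abc.net",   # PTR points at another host's name
}
SAMPLE_A = {"host-1-1-1-2.abc.net": {"1.1.1.2"}}

def sample_check(ip):
    """Run the check offline against the constructed records."""
    return roundtrip_check(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))

if __name__ == "__main__":
    # With arguments: query live DNS. Without: walk the constructed records.
    check = roundtrip_check if sys.argv[1:] else sample_check
    for ip in sys.argv[1:] or sorted(SAMPLE_PTR):
        print(ip, *check(ip))
```

A "forward-failed" or "mismatch" verdict for a client address means a hostname pattern such as `.abc.net` cannot match it, whatever the PTR record says.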


