can't verify hostname: getaddrinfo...

Ryan Golhar golharam at umdnj.edu
Thu Aug 3 17:37:06 UTC 2006


Interesting.  If I do

'dig host-1.1.1.1.abc.net', I get:

--BEGIN--
; <<>> DiG 9.2.4 <<>> host-1-1-1-1.abc.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4560
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;host-1-1-1-1.abc.net. IN   A
--END

However, if I use another entry from a user that works I get an Answer
section.  So I suspect something with abc.net's DNS is causing this.

If I use your rdig.pl script, I get a valid ANSWER section:

;; ANSWER SECTION:
101.173.149.24.in-addr.arpa. 26292 IN   PTR     host-1-1-1-1.abc.net

If I use another ISP entry (mine for instance), I get a similar answer
section, so I don't see a difference with rdig.

-----Original Message-----
From: David Tonhofer [mailto:d.tonhofer at m-plify.com] 
Sent: Thursday, August 03, 2006 1:18 PM
To: golharam at umdnj.edu; General Red Hat Linux discussion list
Subject: Re: can't verify hostname: getaddrinfo...


Ryan Golhar wrote:
> I have a group of machines that are only accessible by users from 
> certain ISPs.  One of those ISPs, we'll call abc.net.  The example IP 
> address I will use is 1.1.1.1
>
> In my /etc/hosts.allow, I have:
>
> sshd: LOCAL, .abc.net
>
> This was working for some time, but somewhere along the last few weeks
> or months stopped working, and I don't know why.
>
> /var/log/secure reports the following:
>
> sshd[7693]: warning: /etc/hosts.allow, line 10: can't verify hostname:
> getaddrinfo(host-1-1-1-1.abc.net, AF_INET) failed
>
> sshd[7693]: refused connect from 1.1.1.1 (1.1.1.1)
>
> The users are real and were able to get access to these machines.  
> I've verified that I can get access to the machines from a different 
> ISP, in fact, most of the users can.  It just seems to be this 1 
> provider that these 2 users have.  Any ideas where I can start looking
> to find the cause of this problem?
>
> Ryan
>   
On a hunch, this seems to be a DNS problem. I don't know whether this is
correct, but does the lookup "IP address" -> "reverse address" ->
"IP address" seem to fail, probably because the ISP has a messily
configured DNS?

1) Try this on the command line (the 'rdig.pl' program is just a reverse
lookup Perl program that uses 'dig', see the attached program; use that
or just execute 'dig 1.2.3.4.in-addr.arpa. PTR' instead of
'rdig.pl 4.3.2.1'):

"rdig.pl 1.1.1.1" should give "host-1-1-1-1.abc.net" - if not, your
setup won't work

"dig host-1-1-1-1.abc.net" should give "1.1.1.1" - if not, your setup
SHOULD not work

2) See "man getaddrinfo"

Best regards,

 -- David


----------8<-----------------rdig--------------------

#!/usr/bin/perl
# Reverse-resolve an IPv4 address by asking dig for its PTR record.
use strict;
use warnings;

if (!defined $ARGV[0]) {
  print STDERR "You have to pass an IP address to reverse-resolve\n";
  exit 1;
}

if ($ARGV[0] =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)\z/) {
  # Reverse the octets to build the in-addr.arpa name
  my $reverse = "$4.$3.$2.$1.in-addr.arpa";
  # List-form open runs dig directly, without going through a shell
  open(my $pipe, '-|', '/usr/bin/dig', $reverse, 'PTR')
    or die "Could not open pipe: $!\n";
  my @lines = <$pipe>;
  close($pipe) or die "Could not close pipe: $!\n";
  print @lines;
  exit 0;
}
else {
  print STDERR "The passed argument $ARGV[0] is not an IP address\n";
  exit 1;
}
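
Added example, not part of the original messages: a simplified Python model of the double lookup ("IP address" -> name -> "IP address") discussed in this thread, applied to a hosts.allow-style ".abc.net" pattern. The function names, the injectable resolver arguments and the sample records (including 2.2.2.2 and 3.3.3.3) are constructed for illustration.

```python
import socket

def ptr_lookup(ip):
    """Reverse lookup: IP -> host name, or None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def a_lookup(name):
    """Forward lookup: host name -> set of IPv4 addresses (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:
        return set()
    return {info[4][0] for info in infos}

def verify_client(ip, suffix, reverse=ptr_lookup, forward=a_lookup):
    """Return (allowed, reason) for a '.suffix' host name pattern."""
    name = reverse(ip)
    if name is None:
        return False, "no PTR record"
    addrs = forward(name)
    if not addrs:
        # The case in the thread: PTR answers, the A query is NXDOMAIN.
        return False, "forward lookup of %s failed" % name
    if ip not in addrs:
        # A PTR record alone proves nothing; its owner can put any name in it.
        return False, "%s does not resolve back to %s" % (name, ip)
    if not name.lower().rstrip(".").endswith(suffix.lower()):
        return False, "%s does not match %s" % (name, suffix)
    return True, "%s verified" % name

# Constructed records: 1.1.1.1 mirrors the thread (PTR present, no A record).
PTR = {"1.1.1.1": "host-1-1-1-1.abc.net",
       "2.2.2.2": "host-2-2-2-2.abc.net",
       "3.3.3.3": "host-9-9-9-9.abc.net"}
A = {"host-2-2-2-2.abc.net": {"2.2.2.2"},
     "host-9-9-9-9.abc.net": {"9.9.9.9"}}

def demo():
    """Run the check over the constructed records without touching real DNS."""
    fwd = lambda name: A.get(name, set())
    return {ip: verify_client(ip, ".abc.net", PTR.get, fwd) for ip in PTR}

if __name__ == "__main__":
    for ip, (ok, why) in demo().items():
        print(ip, "allow" if ok else "refuse", "-", why)
```

Called without the last two arguments, verify_client() uses the system resolver, which makes it usable as a quick check of a real client address before relying on a host name pattern.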



