can't verify hostname: getaddrinfo...

Cleber P. de Souza cleberps at gmail.com
Sun Aug 6 04:44:08 UTC 2006


It seems to be a reverse DNS issue.
You could get past this check by setting UseDNS in sshd_config to No.


On 8/3/06, Ryan Golhar <golharam at umdnj.edu> wrote:
> Interesting.  If I do
>
> 'dig host-1.1.1.1.abc.net', I get:
>
> --BEGIN--
> ; <<>> DiG 9.2.4 <<>> host-1-1-1-1.abc.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4560
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;host-1-1-1-1.abc.net. IN   A
> --END
>
> However, if I use another entry from a user that works I get an Answer
> section.  So I suspect something with abc.net's DNS is causing this.
>
> If I use your rdig.pl script, I get a valid ANSWER section:
>
> ;; ANSWER SECTION:
> 101.173.149.24.in-addr.arpa. 26292 IN   PTR     host-1-1-1-1.abc.net
>
> If I use another ISP entry (mine for instance), I get a similar answer
> section, so I don't see a difference with rdig.
>
> -----Original Message-----
> From: David Tonhofer [mailto:d.tonhofer at m-plify.com]
> Sent: Thursday, August 03, 2006 1:18 PM
> To: golharam at umdnj.edu; General Red Hat Linux discussion list
> Subject: Re: can't verify hostname: getaddrinfo...
>
>
> Ryan Golhar wrote:
> > I have a group of machines that are only accessible by users from
> > certain ISPs.  One of those ISPs, we'll call abc.net.  The example IP
> > address I will use is 1.1.1.1
> >
> > In my /etc/hosts.allow, I have:
> >
> > sshd: LOCAL, .abc.net
> >
> > This was working for some time, but somewhere along the last few weeks
> > or months stopped working, and I don't know why.
> >
> > /var/log/secure reports the following:
> >
> > sshd[7693]: warning: /etc/hosts.allow, line 10: can't verify hostname:
> > getaddrinfo(host-1-1-1-1.abc.net, AF_INET) failed
> >
> > sshd[7693]: refused connect from 1.1.1.1 (1.1.1.1)
> >
> > The users are real and were able to get access to these machines.
> > I've verified that I can get access to the machines from a different
> > ISP, in fact, most of the users can.  It just seems to be this 1
> > provider that these 2 users have.  Any ideas where I can start looking
> > to find the cause of this problem?
> >
> > Ryan
> >
> On a hunch, this seems to be a DNS problem. I don't know whether this is
> correct, but does the lookup "IP address" -> "reverse address" ->
> "IP address" seem to fail, probably because the ISP has a messily
> configured DNS?
>
> 1) Try this on the command line (the 'rdig.pl' program is just a reverse
> lookup perl program that uses 'dig'; see the attached program; use that
> or just execute 'dig 1.2.3.4.in-addr.arpa. PTR' instead of
> 'rdig.pl 4.3.2.1')
>
> "rdig.pl 1.1.1.1" should give "host-1-1-1-1.abc.net" - if not, your
> setup won't work
>
> "dig host-1-1-1-1.abc.net" should give "1.1.1.1" - if not, your setup
> SHOULD not work
>
> 2) See "man getaddrinfo"
>
> Best regards,
>
>  -- David
>
>
> ----------8<-----------------rdig--------------------
>
> #!/usr/bin/perl -w
>
> if (!defined $ARGV[0]) {
>   print STDERR "You have to pass an IP address to reverse-resolve\n";
>   exit 1;
> }
>
> if ($ARGV[0] =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
>   $reverse="$4.$3.$2.$1.in-addr.arpa";
>   open(PIPE,"/usr/bin/dig $reverse PTR|") or die "Could not open pipe: $!\n";
>   @lines = <PIPE>;
>   close(PIPE) or die "Could not close pipe: $!\n";
>   foreach $line (@lines) {
>     print $line;
>   }
>   exit 0;
> }
> else {
>   print STDERR "The passed argument $ARGV[0] is not an IP address\n";
>   exit 1;
> }
>


-- 
Cleber P. de Souza
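
Added example, not part of the original messages: a sketch of the forward-confirmed reverse DNS check that a hostname pattern such as ".abc.net" in /etc/hosts.allow depends on (IP -> PTR name -> A lookup -> same IP). The function names, the result strings and the sample zone data are assumptions made up for illustration; the default resolvers use the system DNS, the sample ones run offline.

```python
import socket

def reverse_lookup(ip):
    """PTR lookup, IP -> name (what rdig.pl shows)."""
    return socket.gethostbyaddr(ip)[0]

def forward_lookup(name):
    """A lookup, name -> set of IPv4 addresses (getaddrinfo with AF_INET)."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}

def check_client(ip, pattern, rev=reverse_lookup, fwd=forward_lookup):
    """Decide whether `ip` may match a '.domain' pattern such as '.abc.net'.

    The PTR name is chosen by whoever controls the reverse zone, so it is
    only trusted once a forward lookup of that name returns the same IP.
    """
    try:
        name = rev(ip).rstrip(".").lower()
    except OSError:                      # herror/gaierror: no PTR record
        return False, "no PTR record"
    try:
        addrs = fwd(name)
    except OSError:                      # NXDOMAIN etc., the case in this thread
        return False, f"can't verify hostname: forward lookup of {name} failed"
    if ip not in addrs:
        return False, f"name/address mismatch: {name} resolves to {sorted(addrs)}"
    if not name.endswith(pattern.lower()):
        return False, f"{name} does not match {pattern}"
    return True, name

# Constructed sample zone data modelled on the thread (not real DNS records).
PTR = {"1.1.1.1": "host-1-1-1-1.abc.net",   # PTR present, A record missing
       "2.2.2.2": "host-2-2-2-2.abc.net",   # consistent both ways
       "3.3.3.3": "gateway.abc.net"}        # PTR claims a name held by another IP
A = {"host-2-2-2-2.abc.net": {"2.2.2.2"}, "gateway.abc.net": {"9.9.9.9"}}

def sample_rev(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def sample_fwd(name):
    if name not in A:
        raise socket.gaierror("Name or service not known")
    return A[name]

if __name__ == "__main__":
    for ip in ("1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4"):
        print(ip, check_client(ip, ".abc.net", sample_rev, sample_fwd))
```

Calling check_client(ip, ".abc.net") without the sample resolvers runs the same check against live DNS for a real client address.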



