>
> OpenSSH bases its decision on the length of a hostname in utmp record,
> with a catch. At least on Linux, UT_HOSTSIZE is 256 but MAXHOSTNAMELEN
> in kernel is set to 64. OpenSSH uses the latter, not the former. So if
> your hostname is shorter than 64 characters, it will be canonicalized
> and provided to PAM stack as rhost. If not, your IP address will be
> provided.


AFAIK (correct me if I am wrong here) in case of OpenSSH it depends on
whether UseDNS is on or off. If off, then the connecting IP address is passed
as rhost; if on, then it attempts to get rDNS for it and (if successful) passes
it further. The length limitations you mention apply only after this step.


>
>> On the other hand to even spoof a remote host attacker needs to know which
>> host/IP is allowed to access and also which form is entered into LDAP.
>
> It just needs to be able to connect to your system multiple times, that's
> all.


Can you please elaborate on this one? Not sure I understand exactly what
you meant.



-- 
Best regards,
Alexey Kamenskiy
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
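Added example, not code from this thread nor from OpenSSH or SSSD: a small Python model of the rhost selection discussed above (UseDNS off passes the client IP; UseDNS on reverse-resolves and forward-confirms the name; the quoted 64-character MAXHOSTNAMELEN cut-off is taken from the quoted message as an assumption), run against a constructed DNS table to show what an LDAP-backed host check would actually compare.

```python
from typing import Dict, Optional, Set
import ipaddress

# Constructed resolver state for the example (not real records):
# PTR = reverse lookups, A = forward lookups.
LONG_NAME = ("x" * 60) + ".example.test"  # valid label, but > 64 chars total
PTR: Dict[str, str] = {
    "192.0.2.10": "trusted.example.test",
    "192.0.2.20": "trusted.example.test",  # spoofed PTR with no matching A
    "192.0.2.30": LONG_NAME,
}
A: Dict[str, Set[str]] = {
    "trusted.example.test": {"192.0.2.10"},
    LONG_NAME: {"192.0.2.30"},
}

# Assumption taken from the quoted message: names of this length or
# longer are not passed as rhost; the client IP is used instead.
MAXHOSTNAMELEN = 64


def canonical_hostname(ip: str) -> Optional[str]:
    """Reverse-resolve ip and forward-confirm the result, as sshd does
    under UseDNS yes. Returns None when the name cannot be trusted."""
    name = PTR.get(ip)
    if name is None:
        return None
    name = name.lower()
    # Forward-confirmed reverse DNS: the name must map back to the address,
    # otherwise whoever controls the PTR zone could choose any name.
    if ip not in A.get(name, set()):
        return None
    return name


def pam_rhost(ip: str, use_dns: bool) -> str:
    """Value sshd would hand to the PAM stack as rhost for this client."""
    ipaddress.ip_address(ip)  # reject malformed input early
    if not use_dns:
        return ip
    name = canonical_hostname(ip)
    if name is None or len(name) >= MAXHOSTNAMELEN:
        return ip
    return name


def host_allowed(ip: str, use_dns: bool, allowed: Set[str]) -> bool:
    """Host-based check as an LDAP-backed PAM module sees it: the rhost
    string must literally match one of the stored host values."""
    return pam_rhost(ip, use_dns) in allowed
```

With UseDNS off, a hostname stored in LDAP never matches because the module only ever sees the IP; with UseDNS on, a spoofed PTR without a matching forward record falls back to the IP as well.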
