Optional Configuration Settings
To make the host-based authentication more secure, you may want to consider the following optional configuration settings:
- With the
keywords in the
file you can filter the
- If you want to allow only global configuration files (
/etc/), make sure that you have the following entry in your
After this modification the
.rhosts files will not be used in host-based authentication.
- To force an exact match between the hostname that the client sends to the server and the client's DNS entry, make sure that you have the following definition in your
In this case, make sure the
/etc/hosts file has the fully qualified hostname listed before the short hostname, for example:
220.127.116.11 client.example.com client
Even if you are not using
/etc/hosts as your primary resolver, you may need to add entries to it for the client and the server to allow them to resolve each other's fully qualified domain names (if they are not able to do so otherwise).
Please note that when
HostbasedAuthForceClientHostnameDNSMatch is used, host-based authentication through NAT (Network Address Translation) will not work.
[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]
Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.