https://qa.mandriva.com/show_bug.cgi?id=47613
that the /etc/hosts sample line:
192.168.0.201 desktop.mab.unregistered desktop
should be replaced by:
192.168.0.201 desktop desktop.mab.unregistered
Anyone know if that change would upset any other mechanism that
consults /etc/hosts?
(The sshd_config AllowUsers name resolution code gets it wrong with
the first version; OK with second...)
--
/\/\aurice
Linux Mandriva 2.6.27.10-desktop-1mnb (i686) 2009.0 32-bit
KDE 3.5.10 Virtualbox 2.1.2
(Replace "nomail.afraid" by "bcs" to reply by email)
> that the /etc/hosts sample line:
> 192.168.0.201 desktop.mab.unregistered desktop
> should be replaced by:
> 192.168.0.201 desktop desktop.mab.unregistered
> Anyone know if that change would upset any other mechanism that
> consults /etc/hosts?
That's the opposite of what I understand from reading "man hosts". No
idea why that would affect sshd, or what else it might affect.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
> That's the opposite of what I understand from reading "man hosts".
127.0.0.1 localhost
192.168.1.10 foo.mydomain.org foo
192.168.1.13 bar.mydomain.org bar
146.82.138.7 master.debian.org master
209.237.226.90 www.opensource.org
That's precisely what I said under that Bugzilla ticket.
The problem with sshd that I tried to address was that if (when using
a "man hosts" /etc/hosts layout) - in sshd_config one used e.g.
AllowUsers fred@foobar
then sshd will foul up on the password check when receiving an ssh
request.
This can be overcome by either:
(1) In sshd_config, using the form:
AllowUsers fr...@foo.mydomain.org or
AllowUsers fr...@192.168.1.10 or
(2) Change the /etc/hosts layout to:
192.168.1.10 foo foo.mydomain.org
I've tried the latter, and it does work. So far nothing else has
complained about the different /etc/hosts layout.
> No idea why that would affect sshd, or what else it might affect.
sshd appears to fail to find the 'foo' name in /etc/hosts unless
it's immediately after the IP address.
(Or perhaps it fails to select the first component of
foo.mydomain.org.)
ssh does not appear to have the same problem with /etc/hosts when
handling e.g. "ssh fred@foo".
Who knows what other mechanism consults /etc/hosts?
By the way, "man hosts" doesn't actually say that the example
/etc/hosts layout is the only valid one, does it?
What do you think, BT?!
--
/\/\aurice
You might try what you find here.
http://www.serverwatch.com/tutorials/article.php/3803416
> What do you think, BT?!
man page is the definitive work for me. :)
$ ssh $USER@pm91
Warning: Permanently added 'pm91' (RSA) to the list of known hosts.
Last login: Tue Feb 17 13:22:14 2009 from wm81.home.test
[bittwister@pm91 ~]$
$ grep pm91 /etc/hosts
192.168.1.207 pm91.home.test pm91
Probably the reason for me is I installed bind and configured named.
When I had 2 computers each with several distributions, I was constantly
having to change in/outbound servers. Solution was create an alias
mail in named. Now when I run a mail client, they have no idea about
node name.
Here is a snippet from my install_changes script followed by my script
to read /etc/hosts and set forward/reverse look up files.
Install_changes will munge /etc/resolv.conf and
/etc/sysconfig/network-scripts/ifcfg-ethX config files.
#********************************************************
#* check for bind/named installed and set it up if so
#* (assumes $_domain was set earlier in install_changes)
#********************************************************
if [ -e /usr/sbin/named ] ; then
    _fn=/var/lib/named/etc/named.conf
    if [ ! -e ${_fn}_vorig ] ; then
        echo "fixing $_fn"
        cp $_fn ${_fn}_vorig
        /bin/cp /dev/null $_fn
        # rewrite named.conf line by line from the saved original;
        # globbing is off so a '*' in a config line is not expanded
        set -f
        while read -r line ; do
            set -- $line
            if [ "$1" = "query-source" ] ; then
                line="query-source address * port *;"
            fi
            if [ "$2" = "forwarders" ] ; then
                line="forwarders { 208.67.222.222; 208.67.220.220; };"
            fi
            echo "$line" >> $_fn
        done < ${_fn}_vorig
        set +f
        echo "
zone \"$_domain\" IN {
    type master;
    file \"master/home.zone\";
    allow-update { none; };
};
zone \"1.168.192.in-addr.arpa\" IN {
    type master;
    file \"reverse/home.reversed\";
    allow-update { none; };
};
" >> $_fn
        /local/bin/set_home_zone
        if [ ! -e /etc/resolv.conf_vorig ] ; then
            cp /etc/resolv.conf /etc/resolv.conf_vorig
        fi
        /bin/cp /etc/resolvconf/resolv.conf.d/head /etc/resolv.conf
        echo "nameserver $(hostname --ip-address)" >> /etc/resolv.conf
        echo "nameserver 208.67.222.222" >> /etc/resolv.conf
        echo "search $_domain" >> /etc/resolv.conf
        if [ ! -e /etc/init.d/restart_ck ] ; then
            ln -s /local/bin/restart_ck /etc/init.d
            chkconfig --add restart_ck
        fi
        # point every interface at the local named and stop DHCP/NIS
        # from overwriting the resolver settings
        for _in_fn in /etc/sysconfig/network-scripts/ifcfg-eth? ; do
            /bin/cp /dev/null /tmp/ifcfg
            chmod 755 /tmp/ifcfg
            while read -r line ; do
                _sub=${line:0:4}
                if [ "$_sub" = "DNS1" ] ; then
                    line=DNS1=$(hostname --ip-address)
                fi
                if [ "$line" = "PEERDNS=yes" ] ; then
                    line=PEERDNS=no
                fi
                if [ "$line" = "PEERYP=yes" ] ; then
                    line=PEERYP=no
                fi
                echo "$line" >> /tmp/ifcfg
            done < $_in_fn
            _cnt=$(grep -c DOMAIN /tmp/ifcfg)
            if [ $_cnt -eq 0 ] ; then
                echo "DOMAIN=$_domain" >> /tmp/ifcfg
            fi
            /bin/cp /tmp/ifcfg $_in_fn
        done
    fi # end if [ ! -e ${_fn}_vorig ]
fi # end if [ -e /usr/sbin/named ]
----------------- end of install_changes snippet ------------------------------
------------- next is set_home_zone script ----------------------------------
#!/bin/bash
#*******************************************************************
#*
#* set_home_zone - create named/bind home.(zone/reverse) files
#* from /etc/hosts
#*
#* Note: _out_fn names have to match zone names in /etc/named.conf
#*
#* set_home_zone expects your /etc/hosts to look something like
#*
#* $ head -4 /etc/hosts
#* 127.0.0.1 localhost.localdomain localhost
#* 192.168.1.11 fw.home.invalid fw
#* 192.168.1.130 wb.home.invalid wb
#* 192.168.1.131 beta.home.invalid beta
#*
#* and names do not contain an underscore
#*
#* See http://www.rfc-editor.org/rfc/rfc2606.txt
#*
#* Assume you called this script from install_changes
#* and have the xmessage package installed.
#*
#* Can be called anytime /etc/hosts files changes.
#*
#*******************************************************************
_debug=0 # 0=production 1=check/testing
_exe=$0
_log_fn=/tmp/$(basename $_exe).log
_time_out="-timeout 16"
echo "
running $_exe
"
#*************************************
#* get this node's domain, tld2,
#* name and ip
#*************************************
_dom=$(hostname --domain)
_ns=$(hostname --fqdn)
_alias=$(hostname --alias)
set -- $(IFS='.'; echo $_dom)
_tld2=$2
set -- $(grep $_ns /etc/hosts)
_ns_ip=$1
_zone_loc=/var/lib/named/var/named/master
_zone_fn=home.zone
_rev_loc=/var/lib/named/var/named/reverse
_rev_fn=home.reversed
if [ $_debug -gt 0 ] ; then # we create files in our account
    _zone_loc=$PWD # for testing
    _rev_loc=$PWD
    _time_out="-timeout 6"
fi
#*************************************
#* build forward zone
#*************************************
_out_fn=$_zone_loc/$_zone_fn
# a record line that starts with whitespace inherits the previous
# owner name (@ here), so the NS record is indented on purpose
echo "\$TTL 1D
@   IN  SOA ${_ns}. admin.${_ns}. (
        $(date +%Y%m%d)01 ; Serial num yyyymmddnn
        1D ; Refresh
        6H ; Retry
        1W ; Expire
        1H ; Minimum TTL
        )
; DNS Servers
    IN  NS  ${_ns}.
;
; Machine Names
mail    IN  CNAME   ${_ns}.
news    IN  CNAME   ${_ns}.
localhost   A   127.0.0.1" > $_out_fn
# one A record per 192.x.x.x line of /etc/hosts; field 2 must be the FQDN.
# Blank and comment lines are skipped; the line is split with a plain
# 'set' (no eval), so a '#' or quote inside a line cannot be interpreted
while read -r line
do
    case "$line" in ''|\#*) continue ;; esac
    set -- $line
    _ip=$1
    _node=$2
    if [ "${_ip:0:3}" = "192" ] ; then
        if [ "${#_node}" -lt 15 ] ; then
            printf "%s.\t\tIN\tA\t%s\n" $_node $_ip >> $_out_fn
        else
            printf "%s.\tIN\tA\t%s\n" $_node $_ip >> $_out_fn
        fi
    fi
done < /etc/hosts
chmod 644 $_out_fn
#*************************************
#* build reverse zone
#*************************************
_out_fn=$_rev_loc/$_rev_fn
echo "\$TTL 1D
@   IN  SOA ${_ns}. ${_ns}. (
        $(date +%Y%m%d)01 ; Serial num yyyymmddnn
        8H ; Refresh
        4H ; Retry
        1W ; Expire
        1D ; Minimum TTL
        )
;
    IN  NS  ${_ns}.
; Machine Ip addresses " > $_out_fn
# one PTR record per 192.168.x.x line; the zone is 1.168.192.in-addr.arpa,
# so /etc/hosts is expected to hold 192.168.1.x addresses only
while read -r line
do
    case "$line" in ''|\#*) continue ;; esac
    set -- $line
    _fq=$2
    set -- $(IFS='.'; echo $1)
    if [ "$2" = "168" ] ; then
        printf "%s\tIN\tPTR\t%s.\n" $4 $_fq >> $_out_fn
    fi
done < /etc/hosts
chmod 644 $_out_fn
#*************************************
#* test results
#*************************************
if [ $_debug -eq 0 ] ; then
    _cmd="named-checkconf -t /var/lib/named /etc/named.conf"
    echo "# $_cmd "
    $_cmd > $_log_fn 2>&1
    if [ $? -ne 0 ] ; then
        echo "$_cmd failure" >> $_log_fn
        xmessage $_time_out -display :0 -file $_log_fn &
    fi
    cat $_log_fn
    printf "\n# service named restart\n"
    service named restart
    printf "\n# nslookup $(hostname --fqdn )\n"
    nslookup $(hostname --fqdn)
    printf "\n# nslookup $(hostname --alias)\n"
    nslookup $(hostname --alias)
    printf "\n# nslookup $_ns_ip\n"
    nslookup $_ns_ip
fi
_cmd="named-checkzone -t $_zone_loc ${_dom} $_zone_fn"
echo "# $_cmd "
$_cmd > $_log_fn 2>&1
if [ $? -ne 0 ] ; then
    echo "$_cmd failure" >> $_log_fn
    echo "$_zone_loc/$_zone_fn" >> $_log_fn
    xmessage $_time_out -display :0 -file $_log_fn &
fi
cat $_log_fn
printf "\n# cat -n %s/%s\n" $_zone_loc $_zone_fn
cat -n $_zone_loc/$_zone_fn
_cmd="named-checkzone -t $_rev_loc 1.168.192.in-addr.arpa $_rev_fn"
echo "$ $_cmd"
$_cmd > $_log_fn 2>&1
if [ $? -ne 0 ] ; then
    echo "$_cmd failure" >> $_log_fn
    echo "$_rev_loc/$_rev_fn" >> $_log_fn
    xmessage $_time_out -display :0 -file $_log_fn &
fi
cat $_log_fn
printf "\n$ cat -n %s/%s\n" $_rev_loc $_rev_fn
cat -n $_rev_loc/$_rev_fn
# make sure named.conf carries exactly one zone stanza for our domain
_cmd="grep ${_dom} /etc/named.conf"
_cnt=$($_cmd | grep -c { )
if [ $_cnt -ne 1 ] ; then
    echo "ERROR: " > $_log_fn
    echo "/etc/named.conf does not contain a" >> $_log_fn
    echo "zone \"${_dom}\" IN {" >> $_log_fn
    echo "stanza" >> $_log_fn
    echo " " >> $_log_fn
    xmessage $_time_out -display :0 -file $_log_fn &
    cat $_log_fn
fi
/bin/rm -f $_log_fn
echo "
completed $_exe
"
#**************** end set_home_zone *****************
> By the way, "man hosts" doesn't actually say that the example
> /etc/hosts layout is the only valid one, does it?
>
> What do you think, BT?!
I assume you have a search line in /etc/resolv.conf and
modified /etc/nsswitch.conf to something like
$ grep hosts: /etc/nsswitch.conf
hosts: files dns
Oh yeah, I am not using the allow command in my ssh config, so my setup
is not quite like yours so I do not know if bind/named is a solution.
> Who knows what other mechanism consults /etc/hosts?
Anything that requires name resolution. Normally, you would have /hosts/
listed before /bind/ in your */etc/host.conf* file. So if you want to ping
a local box on your LAN for instance by referencing its alias, it'll look
for the IP address in */etc/hosts,* and likewise for /ssh/ - i.e. the
client.
The hostname printed in your /bash/ prompt - i.e. your /$PS1/ environment
variable - also relies on */etc/hosts.* The "\h" gives you the alias,
while "\H" gives you the FQDN.
--
*Aragorn*
(registered GNU/Linux user #223157)
> The hostname printed in your /bash/ prompt - i.e. your /$PS1/ environment
> variable - also relies on */etc/hosts.*
Interestingly, that did not change with the /etc/hosts layout
reversed, i.e.
192.168.0.201 desktop desktop.mab.unregistered
instead of:
192.168.0.201 desktop.mab.unregistered desktop
> I assume you have a search line in /etc/resolv.conf
cat /etc/resolv.conf
nameserver 192.168.0.1
search mab.unregistered
> modified /etc/nsswitch.conf to something like
>
> $ grep hosts: /etc/nsswitch.conf
> hosts: files dns
grep hosts: /etc/nsswitch.conf
hosts: mdns4_minimal files nis dns mdns4
> http://www.serverwatch.com/tutorials/article.php/3803416
That talks about an individual user's .ssh settings. (There is no
config file in my .ssh directory!)
The argument I have been having is in the system sshd area, w.r.t. the
sshd_config file.
Changing that to my suggestion should speed look ups somewhat.
Does not mean you can not create one. :(
>>> $ grep hosts: /etc/nsswitch.conf
>>> hosts: files dns
>>
>> grep hosts: /etc/nsswitch.conf
>> hosts: mdns4_minimal files nis dns mdns4
>
> Changing that to my suggestion should speed look ups somewhat.
OK, thanks, BT - will try that, but what is the purpose of the
other entries ("mdns4_minimal", "nis", "mdns4"), and why did Mandriva
put them there, I wonder...)
Have you tried http://groups.google.com/advanced_search
mdns4_minimal in the first box?
First result's brief text was enough for me.
Then there is
http://www.google.com/search?hl=en&lr=lang_en&safe=off&q=nis
http://www.google.com/search?hl=en&lr=lang_en&safe=off&q=mdns4
> and why did Mandriva put them there, I wonder...)
Me too. Lots of Micro$oft'isms have been creeping in everywhere.
> In sshd_config, using the form:
>
> AllowUsers fr...@foo.mydomain.org ...
>
> sshd appears to fail to find the 'foo' name in /etc/hosts unless
> it's immediately after the IP address.
> (Or perhaps it fails to select the first component of
> foo.mydomain.org.)
The latter is my suspicion, as I realised one can use the form:
AllowUsers fred@foo*
i.e. where "foo*" is an abbreviation of the full "foo.mydomain.org".
(Or "foo.", foo.mydomain", etc...)
I feel sshd should handle "fred@foo" by matching "foo" with the 1st
component of "foo.mydomain.org", but this view is not shared by the
Mandriva folk! (Or perhaps anyone else?)
In the meantime I'm happy to use the "fred@foo*" form...
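As an added example (written for this thread, not code from OpenSSH or from any poster), the following POSIX shell script models the two lookups behind the symptom discussed in the earlier post that offered options (1) and (2) and in this one about the "fred@foo*" form. A forward lookup through the files backend accepts any name on a hosts line, but a reverse lookup of the client's address returns only the first name on the line (the canonical name), and that reverse-resolved name is what sshd compares a user@host pattern against, as a glob, alongside the client address. The hosts contents, user names and the allow_login/report helpers are constructed for the demonstration.

```shell
#!/bin/sh
# The two /etc/hosts layouts from the thread, as constructed sample content.
HOSTS_FQDN_FIRST='127.0.0.1 localhost
192.168.1.10 foo.mydomain.org foo
192.168.1.13 bar.mydomain.org bar'
HOSTS_ALIAS_FIRST='127.0.0.1 localhost
192.168.1.10 foo foo.mydomain.org
192.168.1.13 bar bar.mydomain.org'

# Forward lookup as the files backend does it: every name on a line is
# acceptable and the address in field 1 is returned.
# $1 = hosts content, $2 = name to resolve
hosts_forward() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# Reverse lookup: only the first name after the address (the canonical
# name) comes back, and that is what sshd sees as the client hostname.
# $1 = hosts content, $2 = address
hosts_reverse() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == addr { print $2; exit }'
}

# AllowUsers-style test of one pattern USER[@HOST]: both parts are shell
# globs, and the HOST glob is tried against the resolved hostname and
# then against the client address.
# $1 = pattern, $2 = login user, $3 = resolved client hostname, $4 = client address
allowusers_match() {
    case "$1" in
        *@*) puser=${1%%@*}; phost=${1#*@} ;;
        *)   puser=$1;       phost='*' ;;
    esac
    [ -n "$puser" ] && [ -n "$phost" ] || return 1
    case "$2" in $puser) ;; *) return 1 ;; esac
    case "$3" in $phost) return 0 ;; esac
    case "$4" in $phost) return 0 ;; esac
    return 1
}

# Constructed helper: decide a login as user $2 from client address $3
# under hosts layout $1 and AllowUsers pattern $4.
allow_login() {
    client_name=$(hosts_reverse "$1" "$3")
    allowusers_match "$4" "$2" "$client_name" "$3"
}

# Print one verdict line.  $1 = label, $2 = hosts content, $3 = pattern
report() {
    if allow_login "$2" fred 192.168.1.10 "$3"; then v=allowed; else v=denied; fi
    printf '%-12s reverse(192.168.1.10)=%-17s AllowUsers %-22s -> %s\n' \
        "$1" "$(hosts_reverse "$2" 192.168.1.10)" "$3" "$v"
}

for pat in 'fred@foo' 'fred@foo*' 'fred@foo.mydomain.org' 'fred@192.168.1.10'; do
    report fqdn-first  "$HOSTS_FQDN_FIRST"  "$pat"
    report alias-first "$HOSTS_ALIAS_FIRST" "$pat"
done
```

With the fqdn-first layout, `fred@foo` is denied because the reverse lookup yields `foo.mydomain.org`, while `fred@foo*`, `fred@foo.mydomain.org` and `fred@192.168.1.10` all match; swapping the order of names on the hosts line changes only what the reverse lookup returns. From a hardening standpoint the address form is the more robust of the thread's two options: it does not depend on reverse resolution of the peer at all, whereas a name-based pattern is only as trustworthy as whatever answers the reverse lookup.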
> (2) Change the /etc/hosts layout to:
>
> 192.168.1.10 foo foo.mydomain.org
>
> I've tried the latter, and it does work. So far nothing else has
> complained about the different /etc/hosts layout.
Spoke too soon! I've just found that both PC's where this change
was made had mysteriously lost their capacity to find the LAN
printer (or in the other case accept printing from the LAN)!
Restoring the / directory from backup taken just before those
changes restored full LAN printing function...
> http://www.google.com/search?hl=en&lr=lang_en&safe=off&q=mdns4
That was interesting. Seems some people are using the following mod:
files mdns4 [NOTFOUND=return] dns
or
files mdns4_minimal [NOTFOUND=return] dns mdns4
But as they don't seem to be able to make their minds up I'll stick
with your suggestion (files dns).
Thanks, BT!
With Micro$oft malware able to create/run their own servers on a
compromised system, I would not want my linux boxes asking for any M$
DNS resolution on my LAN.
Is Micro$oft what the 'm' in mdns4 stands for? If so, why
in the world is a Linux distribution attempting to use it?
What are you suggesting for the hosts line in nsswitch.conf?
Thanks.
--
Robert Riches
spamt...@verizon.net
(Yes, that is one of my email addresses.)
No idea on my part. Not hard to believe it though.
> If so, why in the world is a Linux distribution attempting to use it?
Why would linux support samba. :-) Like it or not, the top
Distributions are trying to make interoperability seamless.
Besides Novell/Suse, now Red Hat is getting tighter with Micro$oft
http://blogs.computerworld.com/whos_buddying_up_closer_with_microsoft_novell_or_red_hat
> What are you suggesting for the hosts line in nsswitch.conf?
It was in the thread. :)
For 2008.1
$ dif /etc/nsswitch.conf /etc/nsswitch.conf_vorig
34c34
< hosts: files dns
---
> hosts: files nis dns
Same for 2009.1
$ dif /2009_1/etc/nsswitch.conf /2009_1/etc/nsswitch.conf_vorig
34c34
< hosts: files dns
---
> On 21 Feb 2009 21:50:51 GMT, Robert Riches wrote:
>
>> If so, why in the world is a Linux distribution attempting to use it?
>
> Why would linux support samba. :-) [...]
Samba already exists for many years and was already used in other UNIX
systems to offer network storage access and remote printer access to
Windows in the days of Windows 3.11 For Workgroups.
When I was working at Town Hall in 1995, the computer I was sitting at was
an /i286/ running MS-DOS 6.22 and some Microsoft LAN client protocol that
connected to an /i486/ UNIX server with SCSI drives. The WFW 3.11 was
installed centrally on the UNIX server - with only a few of the Windows
files on the client PCs - so that they wouldn't have to pay for a Windows
license for each and every PC in the building. The UNIX machine also had
terminals attached to it for access to the national register.
Once logged in you could start Windows, and then you could use the Windows
filemanager to peruse the contents of two "drives" - I think they were "X:"
and "Y:" - of which one contained shared MS Word files and the other one
contained the files you would normally find in the *C:\WINDOWS* directory
on a DOS/Windows PC.
A couple of years later I heard they had switched over to a Windows NT 4.0
server and Windows 95/98 clients. Those have in the meantime again been
replaced with WinXP PCs. I don't know whether they still have the UNIX
machine, but the town library - which falls under the management of Town
Hall - also had a UNIX machine with terminals, and the local hospital has a
similar machine, and still uses it.
> Is Micro$oft what the 'm' in mdns4 stands for? If so, why
> in the world is a Linux distribution attempting to use it?
The mdns stands for Apple's "Multicast domain name system".
See http://en.wikipedia.org/wiki/Zeroconf for more info.
> What are you suggesting for the hosts line in nsswitch.conf?
hosts: files dns