AllowUsers *@*.local in /etc/ssh/sshd_config does not work
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
avahi (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
openssh (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
I installed Ubuntu Mate 16.04 on two of my computers. The software has been brought uptodate to at least May 2017.
They are both on my local wifi network and should both be using Zeroconf/
I have the same username on both machines.
I copied /usr/share/
to /etc/avahi/services
$ sudo service avahi-daemon restart
I installed sshd on "faustino"
$ sudo apt-get install openssh-server
With the default /etc/ssh/
$ ssh -v localhost /* from faustino */
$ ssh -v faustino.local /* from faustino */
$ ssh -v faustino.local /* from the other computer */
I modified /etc/ssh/
LogLevel VERBOSE
PermitRootLogin no
AllowUsers *@*.local
$ sudo systemctl restart ssh
Now I get, for example
$ ssh faustino.local
<email address hidden>'s password:
Permission denied, please try again.
That fails from the same machine, from another machine and if I try ssh localhost. All those worked before I put those directives in.
I expected all attempts to ssh from .local addresses to work and all others to fail.
Likely the reason this doesn't work, is because nss-mdns does not resolve reverse DNS for IP addresses other than the link local range (169.254.0.0/16). This is by design and per-spec.
So this will never work, you'll need to look at either:
(1) using the IP address range (according to the sshd_config man page you can use a CIDR range), or
(2) setting up a local real DNS zone synchronised with your DHCP server so that it sets up something like hostname.lan with matching reverse DNS.