IETF-SSH archive


Re: SSH domain name misdirection



> I can ssh from one machine to another within the LAN without any 
> problem:

>         $ ssh user@hostname

> However, my aim is to have a host on the LAN to be the server for the
> client laptop when it is not on the LAN, but is remote.  To set this
> up and test it out, I've been trying to establish a ssh connection
> between machines on my LAN by using the domain name:

> 	$ ssh user@domainname

> The result is a permission denied message from the nameserver
> provided by my web hosting service.  It seems that the name server
> directs the ssh login query to my website, which has the same
> domainname as my machines, and the website does not recognize the
> password.  Or at least this is my guess.

That sounds inconsistent.

ssh, like most protocols, fundamentally needs to connect to an IP
address.  Also like most protocols, when given a DNS name, it tries to
map it to address(es) to connect to.

This lookup is the only place DNS is involved (at that point, at least;
the server may try to reverse-map the client IP, or your implementation
may try to do RFC4255 lookups, but those happen later).  If your
nameserver is returning permission denied (which presumably means an
RCODE of 5 in the response) for this (a) I'd be quite surprised, since
that kind of lookup is DNS's raison d'etre, and (b) you wouldn't be
getting a connection at all, so the rest of it wouldn't matter.

[out-of-order quote]
> I don't here provide specific information because my question is a
> general one about how one sets up a situation such as I describe.

Lack of concreteness makes it difficult to give examples.  I'll write
as though your domain is example.org.

My best guess is that the DNS is working just fine and doing exactly
what it's designed to do.  Many domains, probably including yours, give
their domain an address pointing to their webserver, in order to make
http://example.org/ work "the same as" http://www.example.org/.  When
you do ssh user@example.org, the DNS does what it's designed to and
maps that name to the address it's configured to, which is, of course,
that of your webserver.

Note that, to the DNS, the distinction between "domain" and "host" that
many people seem to have in their minds does not exist.  The DNS is a
tree of nodes, which may or may not have addresses and may or may not
have sub-nodes under them.

If your ssh client handles SRV records, it may work to set up an SRV
record (see RFC 2782).  This shouldn't work, though, because the ssh
spec does not include a definition for the use of SRV (see 2782
again, and the lack of an SRV spec in the ssh RFCs).

> How do I get the nameserver to direct login queries to my local
> router so that it then redirects the query to the proper machine on
> the LAN.

(I'm going to assume that's a question, despite the non-question
punctuation.)

You would have to change the address in the DNS for your domain.  This
will, however, also affect Web use of http://domainname/.  If you're
willing to let that break, this is easy; otherwise, you'll have to come
up with something else.

Personally, I would deal with this in the ssh client configuration,
with code in .moussh/config like

if [lc host] == "domainname"
  connect-to = "incoming-ssh.domainname"
endif

and then give incoming-ssh.domainname the appropriate address(es).

But few ssh client implementations provide that much configurability.

> I have the (dynamic, I assume) IP address for my router assigned to
> it by my ISP. I've tried without luck:

>   	$ ssh user@routerIPaddress

If it really is just a router, this will not do anything useful,
because it will try to connect to the router, not the target host.
However, since you say it's a home LAN, your "router" is probably a lot
more than a router - it probably does NAT and firewalling as well.  In
this case, you will have to configure it to pass the incoming
connection on to the machine that's supposed to receive it before it
has any chance of working.

Assuming you've done that (which, if it's a typical consumer-grade
locked-down box, can be difficult to verify)....

If the address in question is globally routed, this should work; if it
doesn't, I suspect the provider is filtering inbound connection
attempts.  If your provider is assigning you RFC1918 addresses, you
should either get them to fix that or switch providers, because they're
NATting you and what you want to do can't be done (at all) through NAT
without the cooperation of the NAT administration.  (This actually
applies to your border NAT as well, but I'm assuming that in that case
you _are_ "the NAT administration".)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
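The client-side remapping the reply wishes for (typed name "domainname" rewritten to a different connect-to name) is something OpenSSH's ssh_config does support through Host / HostName blocks. The following is an added example, not code from the thread or from OpenSSH: a small Python model of how such a config is resolved (first obtained value wins, glob patterns, `!` negation, case-insensitive host matching), run against a constructed config. The names example.org, incoming-ssh.example.org and lan-box.example.org are placeholders, and the port 2222 is an assumed router port-forward.

```python
"""Model of OpenSSH-style client config resolution (added example).

Given an ssh_config-like text and the name typed on the command line,
work out which host, port and user the client would actually use.
Semantics modelled after OpenSSH: for each keyword the first value
obtained wins, a Host block applies when any positive pattern matches
and no negated pattern matches, and matching is case-insensitive.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed sample config.  example.org's apex A record is assumed to
# point at the web server (the situation described in the thread), so the
# typed name is redirected to incoming-ssh.example.org, an assumed name
# for the router's public address with an assumed port-forward on 2222.
SAMPLE_CONFIG = """
Host example.org
    HostName incoming-ssh.example.org
    Port 2222
    # keep the known_hosts entry tied to the LAN box, not to the router
    HostKeyAlias lan-box.example.org

Host *.example.org !incoming-ssh.example.org
    User alice

Host *
    Port 22
"""


@dataclass
class Target:
    hostname: str
    port: int
    user: Optional[str]
    hostkey_alias: Optional[str]


def host_matches(patterns, name):
    """True if some positive pattern matches and no negated one does."""
    name = name.lower()
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(name, pat.lower()):
            matched = True
    return matched


def resolve(config_text, typed_name):
    """Return the effective Target for the name typed on the command line."""
    values = {}
    active = True  # directives before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "host":
            active = host_matches(rest.split(), typed_name)
            continue
        if active and key not in values:  # first obtained value wins
            values[key] = rest
    return Target(
        hostname=values.get("hostname", typed_name),
        port=int(values.get("port", 22)),
        user=values.get("user"),
        hostkey_alias=values.get("hostkeyalias"),
    )


if __name__ == "__main__":
    for name in ("example.org", "desk.example.org", "incoming-ssh.example.org"):
        print(name, "->", resolve(SAMPLE_CONFIG, name))
```

Typing `ssh example.org` against this config connects to incoming-ssh.example.org on port 2222, while `ssh desk.example.org` is left alone apart from picking up the user. The HostKeyAlias line matters once the public address or port-forward sits in front of a LAN machine: the known_hosts entry is then recorded under the alias rather than under the router's name or address, so a later change of the router's address does not silently create a fresh trust-on-first-use entry, and a changed key for the same alias still produces the host key mismatch warning.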


