
name resolution with sshd


MSK61
2008-08-21, 02:56 PM CDT
I'm using Fedora 9 x86_64 edition, with openssh 5.0p1 (the latest version available in the Fedora repositories). In the server configuration file /etc/ssh/sshd_config, I appended the following line:
AllowUsers user1@host1
Where user1 is one of the user accounts on my F9 box and host1 is a computer on my LAN. I configured my F9 box to be a WINS server (with the aid of Samba) and updated my /etc/nsswitch.conf file accordingly to use wins as one means of resolving names. I can ping host1 from my F9 box, which proves the name resolution works correctly as expected.
However sshd seems not to use wins (even though it's mentioned in /etc/nsswitch.conf as a means to resolve names) to resolve the hostname host1. If I try to access my F9 box from host1, I get an access denied message. However, if I substitute the IP address for host1 in /etc/ssh/sshd_config, sshd recognizes the host and allows me to connect to my F9 box from host1.
I've made another trial, by disabling the WINS server (just for the simplicity of my trial) and hard binding host1 to an IP address in /etc/hosts (for this trial I also gave host1 a static IP). Then I noticed some strange behaviour:

If I write the host specification in /etc/hosts on the form:
<IP address> host1 <other alias names>
sshd recognizes the hostname correctly and allows the connection accordingly.
On the other hand, if I write the host specification on the form:
<IP address> <list of alias hostnames> host1 [another list of alias hostnames]
sshd can't recognize the hostname and hence prevents the connection.

This means that host1 must be the first name directly following the IP address; if it's preceded by any other hostname, it's discarded, i.e., sshd only recognizes the first host name in the list of aliases an IP address may have.
I played with the UseDNS option in the /etc/ssh/sshd_config file by toggling it through yes and no; in both cases I had the same behaviour.
I don't know exactly, but I think, if I'm not missing anything, that this may be wrong behaviour for sshd when resolving names. It seems it doesn't follow the means specified in /etc/nsswitch.conf. Moreover, it can't resolve all hostnames (specifically aliases) from the /etc/hosts file.
So before I file a bug about openssh, I need to know if I'm missing anything, or if anyone else has encountered the same behaviour.
Thanks for your cooperation.

marcrblevins
2008-08-22, 09:41 PM CDT
Samba is responsible for WINS stuff if you have it set up and the nmb service is running.


su -
chkconfig --list | grep smb
chkconfig --list | grep nmb
service smb status
service nmb status

If neither is on, then:

chkconfig smb on
chkconfig nmb on
service nmb start
service smb start

MSK61
2008-08-23, 04:57 AM CDT
Thanks marcrblevins, but I already have these services on. If you review my post well, you'll find that I could ping host1 successfully from my F9 box after setting up Samba (specifically nmb, as you've mentioned) to act as a WINS server. I even inspected wins.dat in /var/lib/samba/ and found it could grab the IP address of host1 perfectly. I think smb isn't needed in my case at all, as I don't currently intend to share anything from my F9 box with other machines on the network.
So I've no name resolution problems with host1 after listing wins as a means to resolve hostnames in /etc/nsswitch.conf, except with sshd. sshd never succeeds in resolving the name, which seemingly means that it doesn't follow the methods defined in /etc/nsswitch.conf.
I just need a confirmation of this information. If someone has a similar configuration and has sshd resolving hostnames from WINS (or even from alias hostnames other than the first hostname in an entry in /etc/hosts), I'll be glad to hear about it.

jayanatl
2008-08-25, 01:37 AM CDT
Try editing /etc/resolv.conf and make the required entry that maps to the nameserver:

#cat /etc/resolv.conf
search <Domainame>
nameserver <space separated ipaddr of nameservers>

example

#cat /etc/resolv.conf
search mshome.net
nameserver 192.168.0.253 192.168.0.254

MSK61
2008-08-25, 02:53 AM CDT
But I've no domain name to list in a search option in /etc/resolv.conf. Moreover, it's obvious once again that it isn't a domain name problem, since ping works perfectly with the hostname.
I think if ping works with no problems, so should any other tool on the system that uses normal hostname lookup.

jayanatl
2008-08-25, 03:10 AM CDT
"I configured my F9 box to be a wins server(with the aid of samba), updated my /etc/nsswitch.conf file accordingly to use wins as one means of resolving names. I can ping host1 from my F9 box, which proves the name resolution works correctly as expected."

So you are using WINS for name resolving, right? (It's a Windows implementation of a nameserver.) Try adding that to resolv.conf and try again.

MSK61
2008-08-25, 03:26 AM CDT
OK. But I've no specific domain name. I gave my F9 box no specific name; it still has the default localhost.localdomain. So do you mean that I should write
search localdomain
in /etc/resolv.conf? Moreover, /var/lib/samba/wins.dat lists only the hostname, with no suffixed domain names. I'd appreciate it if you could clarify given this information...

jayanatl
2008-08-25, 04:04 AM CDT
No dude, the default domain name for WINS is "MSHOME.NET".

Try that.... and revert with any feedback....

MSK61
2008-08-29, 03:15 AM CDT
Sorry for being late to reply but I've been quite busy for the past few days.
Fine, as I expected, it didn't work out. Actually I guessed that from the beginning, since a tool like ping didn't need the "search mshome.net" line in /etc/resolv.conf.
I think it may be now confirmed as a bug. I just don't know if I should post it at redhat or the openSSH team.

MSK61
2008-09-03, 05:30 PM CDT
I've posted a bug for this at https://bugzilla.redhat.com/show_bug.cgi?id=461002.
I was then confronted with this fact:
"Of course sshd needs to reverse map the IP address of the client; how could it know the client machine hostname? If the wins nsswitch module doesn't provide a correct reverse map then you cannot use hostnames in the AllowUsers statement in the configuration."
So the question now is: Does anyone know if the wins nsswitch module provides reverse mapping for IP addresses to hostnames or not?
I appreciate your feedback.
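The reverse-mapping point above, as an added example that is not part of the original thread or of OpenSSH's code: a simplified Python model of how an AllowUsers user@host check sees a client whose /etc/hosts entry lists host1 first versus as a later alias. The hosts content, the IPs and the allowed_user()/reverse_lookup() helpers are all constructed assumptions for illustration.

```python
import fnmatch
from typing import Dict, List

# Constructed /etc/hosts content reproducing the two layouts from the post:
# 10.0.0.5 lists host1 first (canonical name); 10.0.0.6 lists it as an alias only.
HOSTS_FILE = """\
127.0.0.1   localhost.localdomain localhost
10.0.0.5    host1 alias-a alias-b
10.0.0.6    alias-c host1 alias-d
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map IP -> [canonical name, alias, ...] the way the 'files' NSS source reads it."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        table.setdefault(ip, names)  # first line for a given IP wins
    return table


def reverse_lookup(table: Dict[str, List[str]], ip: str) -> str:
    """Emulate gethostbyaddr(): a reverse lookup returns only the canonical (first) name.
    Unresolvable addresses fall back to the IP string, as sshd does with UseDNS off."""
    return table[ip][0] if ip in table else ip


def allowed_user(allow_users: str, user: str, client_ip: str,
                 table: Dict[str, List[str]]) -> bool:
    """Simplified model of sshd's AllowUsers check (assumption, not OpenSSH source):
    each pattern is USER or USER@HOST; HOST is matched against the reverse-mapped
    hostname and against the client IP, with * and ? wildcards."""
    host = reverse_lookup(table, client_ip)
    for pat in allow_users.split():
        if "@" not in pat:
            if fnmatch.fnmatchcase(user, pat):
                return True
            continue
        upat, hpat = pat.split("@", 1)
        if fnmatch.fnmatchcase(user, upat) and (
            fnmatch.fnmatchcase(host, hpat) or fnmatch.fnmatchcase(client_ip, hpat)
        ):
            return True
    return False


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for ip in ("10.0.0.5", "10.0.0.6"):
        print(ip, "->", reverse_lookup(hosts, ip),
              "allowed:", allowed_user("user1@host1", "user1", ip, hosts))
```

Running it shows the behaviour the post describes: the client at 10.0.0.5 is admitted, while 10.0.0.6 reverse-maps to alias-c and is refused even though host1 appears on its line.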

marcrblevins
2008-09-04, 02:41 AM CDT
AllowUsers user1@host1

http://www.freebsd.org/doc/en/books/handbook/openssh.html

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

I think it expects you to type in the IP address for host1 specifically.

marcrblevins
2008-09-04, 02:52 AM CDT
I was wrong.
Sounds like it has to be real domain names....
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current


A pattern consists of zero or more non-whitespace characters, `*' (a wildcard that matches zero or more characters), or `?' (a wildcard that matches exactly one character). For example, to specify a set of declarations for any host in the ``.co.uk'' set of domains, the following pattern could be used:

Host *.co.uk

The following pattern would match any host in the 192.168.0.[0-9] network range:

Host 192.168.0.?

A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (`!'). For example, to allow a key to be used from anywhere within an organisation except from the ``dialup'' pool, the following entry (in authorized_keys) could be used:

from="!*.dialup.example.com,*.example.com"

MSK61
2008-09-04, 03:58 AM CDT
That's strange. Is it logical to only have the capability to specify domain names without being able to specify a single hostname?
Anyway, I give up. I've comprehended it as it is.