Tom Alsberg wrote:
> Does it double-verify the DNS record before it trusts this to be the hostname (first checking the IP address in in-addr.arpa and then checking that the hostname indeed maps back to the same IP address)?
Actually, this level of paranoia is not useful, since it will fail to correctly operate in the very real case of co-hosted boxes. There can only be (in practice) a single mapping from IP => hostname (via in-addr.arpa), but there can be virtually limitless hostname => IP maps. There were a few SMTP servers which supported "round-trip DNS checks" but by now, hopefully, the sysadmins running those boxes have been killed off by the userbase eager to actually receive e-mail.
If PAM authentication supports different schemes based on source IP address, that is the best you can hope for. The only trustworthy value in a point-to-point TCP connection is IP (since it is impossible to spoof that due to the need to be able to get the response packets back later).
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
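The "round-trip DNS check" the thread argues over, written out as an added example; it is not code from either poster. Real lookups would go through `socket.gethostbyaddr` and `socket.getaddrinfo`; here a constructed in-memory zone (`FakeDNS`, with hypothetical names under the RFC 5737 documentation prefix 192.0.2.0/24) stands in for DNS so the example runs offline. It shows the one-PTR-per-IP versus many-names-per-IP asymmetry: the strict check only ever accepts the single name in the reverse zone, so a co-hosted box presenting any of its other names fails it.

```python
"""Forward-confirmed reverse DNS ("round-trip DNS check"), with a stub resolver.

Added example; the zone data below is constructed and not real.
"""
from typing import Dict, List, Optional


class FakeDNS:
    """Minimal stand-in for the resolver: one PTR per IP, many A records per name."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]) -> None:
        self.ptr = ptr   # IP -> the single in-addr.arpa name
        self.a = a       # hostname -> list of IPs it forward-resolves to

    @staticmethod
    def _norm(name: str) -> str:
        return name.lower().rstrip(".")

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        return self.a.get(self._norm(name), [])


def fcrdns(ip: str, dns: FakeDNS) -> Optional[str]:
    """Return the PTR name for ip only if that name forward-resolves back to ip.

    A forged reverse zone pointing at someone else's name fails here, because
    the victim's forward zone does not list the attacker's IP.
    """
    name = dns.reverse(ip)
    if name is None:
        return None
    return name if ip in dns.forward(name) else None


def claimed_name_matches(ip: str, claimed: str, dns: FakeDNS) -> bool:
    """Strict variant: the hostname the client presents must BE the round-tripped
    PTR name. This is the form that breaks for co-hosted boxes, since only one
    of their names can live in in-addr.arpa."""
    confirmed = fcrdns(ip, dns)
    return confirmed is not None and FakeDNS._norm(confirmed) == FakeDNS._norm(claimed)


def claimed_name_plausible(ip: str, claimed: str, dns: FakeDNS) -> bool:
    """Looser variant: accept any claimed name that forward-resolves to ip,
    regardless of which name the PTR record carries."""
    return ip in dns.forward(claimed)


# Constructed zone (hypothetical hosts):
#   192.0.2.10  single-homed mail host, PTR and A agree
#   192.0.2.20  co-hosted box: one PTR, three forward names
#   192.0.2.30  PTR forged to claim mail.example.net, which does not map back
ZONE = FakeDNS(
    ptr={
        "192.0.2.10": "mail.example.net",
        "192.0.2.20": "vhost1.example.org",
        "192.0.2.30": "mail.example.net",
    },
    a={
        "mail.example.net": ["192.0.2.10"],
        "vhost1.example.org": ["192.0.2.20"],
        "vhost2.example.org": ["192.0.2.20"],
        "www.example.com": ["192.0.2.20"],
    },
)

if __name__ == "__main__":
    for ip, claimed in [("192.0.2.10", "mail.example.net"),
                        ("192.0.2.20", "vhost1.example.org"),
                        ("192.0.2.20", "vhost2.example.org"),
                        ("192.0.2.30", "mail.example.net")]:
        print(ip, claimed,
              "fcrdns=", fcrdns(ip, ZONE),
              "strict=", claimed_name_matches(ip, claimed, ZONE),
              "loose=", claimed_name_plausible(ip, claimed, ZONE))
```

`fcrdns` alone is the part that resists a forged reverse zone; the strict name comparison on top of it is what rejects legitimate co-hosted clients presenting their second or third name, which is the case the reply above objects to.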