With the AllowSHosts and DenySHosts keywords in the sshd2_config file you can filter the .shosts, .rhosts, /etc/hosts.equiv and /etc/shosts.equiv entries.

If you want to allow only global configuration files (/etc/hosts.equiv and /etc/shosts.equiv), make sure that you have the following entry in your sshd2_config file:

IgnoreRhosts                   yes

After this modification the .shosts and .rhosts files will not be used in host-based authentication.

To force an exact match between the host name that the client sends to the server and the client's DNS entry, make sure that you have the following definition in your /opt/tectia/etc/sshd2_config file:

HostbasedAuthForceClientHostnameDNSMatch yes

In this case, make sure the /etc/hosts file has the fully qualified domain name listed before the short host name, for example:

123.123.123.123   client.example.com   client

Even if you are not using /etc/hosts as your primary resolver, you may need to add entries to it for the client and the server to allow them to resolve each other's fully qualified domain names (if they are not able to do so otherwise).

Please note that when HostbasedAuthForceClientHostnameDNSMatch is used, host-based authentication through NAT (Network Address Translation) will not work.