Have the sshd host strings that are present in /var/log/auth.log been validated by sshd?

Question

Since the log messages are written by the sshd daemon after an established connection, then my understanding is that the host strings have already been validated by the sshd daemon since the log records would not be in there since the /var/log/auth.log has messages regarding the sshd login attempts after host validation happens.

Is this correct?

Sample log messages:

Sep  8 06:28:55 boxhost sshd[29013]: Invalid user teamspeak3 from 134.209.108.13 port 57936
Sep  8 06:29:51 boxhost sshd[29057]: Failed password for root from 112.85.42.188 port 62425 ssh2
Sep  8 06:29:52 boxhost sshd[29059]: Failed password for invalid user password123 from 103.101.49.6 port 56756 ssh2

In the above log lines there are ipv4 addresses but they could be ipv6 or host.com format host strings, i am inclined to say that since a connection was established before these messages appear in this log file, that they passed the sshd validation steps in order to establish connection.

Answer 1

Sep  8 06:28:55 boxhost sshd[29013]: Invalid user teamspeak3 from 134.209.108.13 port 57936

The IP address 134.209.108.13 is the IP address from the TCP connection as received by the ssh daemon. It is not "validated" by the ssh daemon in any other regard than that a successful TCP connection could be established with/from that IP address, i.e. the SYN-ACK-ACK steps were completed at the TCP/IP level and sufficient ssh protocol messages were exchanged over that IP connection to negotiate a cipher and to send "teamspeak3" as login name...

Once an IP connection exist there may be reverse DNS lookups by your system that converts that IP address to a hostname and which then gets logged , but I don't think sshd checks more rigorously and for instance if the forward record for the hostname returned by a reverse lookup exists and matches.