> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <li...@gjunka.com> wrote: > On 21/07/2018 11:03, Chad Jacob Milios wrote: >>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <ja...@catflap.org> wrote: >>> >>> Dimitry Andric <d...@freebsd.org> wrote: >>> >>>> For each incoming IP address, sshd does a reverse lookup, and if that >>>> results in a hostname, it does another lookup of that hostname, to see >>>> if *that* result matches the original incoming IP address. If it does >>>> not, you get this scary warning in syslog about a "possible break-in >>>> attempt!". >>>> >>>> In my opinion, this is fairly misleading, since almost always the actual >>>> cause is badly configured DNS, a very common occurrence. In addition, >>>> matching forward and reverse DNS records is no guarantee at all that the >>>> incoming IP address is in any way trustworthy. >>> I'm not sure which version this made it into, but they actually removed this >>> over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2: >>> >>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba >>> | Author: dtuc...@openbsd.org <dtuc...@openbsd.org> >>> | Date: Wed Jun 15 00:40:40 2016 +0000 >>> | >>> | upstream commit >>> | >>> | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message >>> | about forward and reverse DNS not matching. We haven't supported >>> IP-based >>> | auth methods for a very long time so it's now misleading. part of >>> bz#2585, >>> | ok markus@ >>> | >>> | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 >>> >>> cheers, Jamie >> adding: >> >> UseDNS no >> >> has the added benefit of avoiding a grueling delay when YOU are the one >> behind an IP address with a misconfigured reverse DNS mapping (which is >> horribly common on consumer networks). It goes into /etc/ssh/sshd_config and >> has been among my initial configuration to every FreeBSD box i’ve stood up >> for a decade. >> >> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has >> actually switched to adopt this, UseDNS no, as their default configuration >> for, i think its been a couple years now. This is in addition to dropping >> the message from their log output if UseDNS yes. >> >> There is no point to this foolishly alarming message. Be mindful of the >> OTHER ways you must surely have in place to keep your sshd hard against >> attack. >> > > Good to know. But the documentation says setting to no prevents from using > DNS in known_hosts. When I look into my known_hosts I see many dns-only > names, e.g. github.com among others. > > GrzegorzJ
In which man page or web page are you seeing this information? _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
