Grzegorz Junka wrote on 2018/07/21 21:29:
[...]
There is no point to this foolishly alarming message. Be mindful of
the OTHER ways you must surely have in place to keep your sshd hard
against attack.
Good to know. But the documentation says setting to no prevents from
using DNS in known_hosts. When I look into my known_hosts I see many
dns-only names, e.g. github.com among others.
GrzegorzJ
In which man page or web page are you seeing this information?
> man sshd_config
UseDNS Specifies whether sshd(8) should look up the remote host
name,
and to check that the resolved host name for the remote IP
address maps back to the very same IP address.
If this option is set to “no”, then only addresses and not
host
names may be used in ~/.ssh/known_hosts from and sshd_config
Match Host directives. The default is “yes”.
What version of FreeBSD do you have?
On FreeBSD 10.4 there is
UseDNS Specifies whether sshd(8) should look up the remote host name,
and to check that the resolved host name for the remote IP
address maps back to the very same IP address.
If this option is set to “no”, then only addresses and not host
names may be used in ~/.ssh/authorized_keys from and sshd_config
Match Host directives. The default is “yes”.
And I don't think sshd_config should have any impact on client
configuration (known_hosts). It is controlled by ssh_config.
Miroslav Lachman
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
