Re: Possible break-in attempt?

Sat, 21 Jul 2018 13:34:30 -0700 

On 21 Jul 2018, at 21:29, Grzegorz Junka <li...@gjunka.com> wrote:
> 
> On 21/07/2018 12:05, Chad Jacob Milios wrote:
>>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <li...@gjunka.com> wrote:
>>> On 21/07/2018 11:03, Chad Jacob Milios wrote:
>>>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <ja...@catflap.org> wrote:
...
>>>> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) 
>>>> has actually switched to adopt this, UseDNS no, as their default 
>>>> configuration for, i think its been a couple years now. This is in 
>>>> addition to dropping the message from their log output if UseDNS yes.
>>>> 
>>>> There is no point to this foolishly alarming message. Be mindful of the 
>>>> OTHER ways you must surely have in place to keep your sshd hard against 
>>>> attack.
>>>> 
>>> Good to know. But the documentation says setting to no prevents from using 
>>> DNS in known_hosts. When I look into my known_hosts I see many dns-only 
>>> names, e.g. github.com among others.
>>> 
>>> GrzegorzJ
>> In which man page or web page are you seeing this information?
> 
> > man sshd_config
> 
>      UseDNS  Specifies whether sshd(8) should look up the remote host name,
>              and to check that the resolved host name for the remote IP
>              address maps back to the very same IP address.
> 
>              If this option is set to “no”, then only addresses and not host
>              names may be used in ~/.ssh/known_hosts from and sshd_config
>              Match Host directives.  The default is “yes”.

Interestingly, this documentation is an outdated version, and wrong. :)
It was reported upstream:

https://bugzilla.mindrot.org/show_bug.cgi?id=2554

and fixed here:

https://github.com/openssh/openssh-portable/commit/0235a5fa67fcac51adb564cba69011a535f86f6b

The documentation is now:

     UseDNS  Specifies whether sshd(8) should look up the remote host name,
             and to check that the resolved host name for the remote IP
             address maps back to the very same IP address.

             If this option is set to no, then only addresses and not host
             names may be used in ~/.ssh/authorized_keys from and sshd_config
             Match Host directives.  The default is "yes".

E.g., it affects only authorized_keys files, but I'm not sure if there
is such a thing as a "from" directive in those (and neither could I find
any documentation about "from" directives in known_hosts files either).

-Dimitry

Attachment: signature.asc
Description: Message signed with OpenPGP

Reply via email to