On 21/07/2018 19:59, Miroslav Lachman wrote:
Grzegorz Junka wrote on 2018/07/21 21:29:
[...]
There is no point to this foolishly alarming message. Be mindful
of the OTHER ways you must surely have in place to keep your sshd
hard against attack.
Good to know. But the documentation says setting to no prevents
from using DNS in known_hosts. When I look into my known_hosts I
see many dns-only names, e.g. github.com among others.
GrzegorzJ
In which man page or web page are you seeing this information?
> man sshd_config
UseDNS  Specifies whether sshd(8) should look up the remote host name,
        and to check that the resolved host name for the remote IP
        address maps back to the very same IP address.

        If this option is set to “no”, then only addresses and not host
        names may be used in ~/.ssh/known_hosts from and sshd_config
        Match Host directives.  The default is “yes”.
What version of FreeBSD do you have?
On FreeBSD 10.4 there is
UseDNS  Specifies whether sshd(8) should look up the remote host name,
        and to check that the resolved host name for the remote IP
        address maps back to the very same IP address.

        If this option is set to “no”, then only addresses and not host
        names may be used in ~/.ssh/authorized_keys from and sshd_config
        Match Host directives.  The default is “yes”.
And I don't think sshd_config should have any impact on client
configuration (known_hosts). It is controlled by ssh_config.
It's from 11.1-RELEASE-p1. I would hope that 11.1p1 is more correct than
10.4?
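
An added example, not part of the original thread and not OpenSSH code: a small Python audit that follows the 10.4 man page wording quoted above and, when UseDNS is "no", lists the hostname patterns in sshd_config Match Host directives and in authorized_keys from= options, since those can then only be matched by address. The sample files, the function names and the address-versus-hostname heuristic are assumptions constructed for illustration.

```python
import re

# Heuristic (assumption): a pattern made only of these characters is an address.
ADDR4 = re.compile(r"^[0-9.*?/]+$")
ADDR6 = re.compile(r"^[0-9A-Fa-f:.*?/]+$")
FROM_OPT = re.compile(r'(?:^|,)from="([^"]*)"', re.IGNORECASE)

def is_hostname_pattern(pat):
    """True if a pattern-list entry names a host rather than an address or CIDR."""
    pat = pat.lstrip("!")  # "!" negates a pattern; classify what follows it
    return bool(pat) and not (ADDR4.match(pat) or (":" in pat and ADDR6.match(pat)))

def use_dns(sshd_config, default=True):
    """First UseDNS line wins; the default "yes" is taken from the quoted man pages."""
    for line in sshd_config.splitlines():
        tok = line.replace("=", " ").split()
        if len(tok) >= 2 and tok[0].lower() == "usedns":
            return tok[1].lower() == "yes"
    return default

def audit(sshd_config, authorized_keys, default=True):
    """Return (file, line number, pattern) for hostname patterns that need DNS."""
    if use_dns(sshd_config, default):
        return []
    hits = []
    for n, line in enumerate(sshd_config.splitlines(), 1):
        tok = line.split()
        if tok and tok[0].lower() == "match":
            for key, val in zip(tok[1::2], tok[2::2]):  # criteria come in pairs
                if key.lower() == "host":
                    hits += [("sshd_config", n, p) for p in val.split(",")
                             if is_hostname_pattern(p)]
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        m = FROM_OPT.search(line.strip())
        if m and not line.lstrip().startswith("#"):
            hits += [("authorized_keys", n, p) for p in m.group(1).split(",")
                     if is_hostname_pattern(p)]
    return hits

# Constructed sample files; key material is a placeholder.
SSHD_CONFIG = """# constructed
UseDNS no
Match Host *.corp.example.org,192.0.2.*
Match User backup Address 198.51.100.0/24
"""
AUTHORIZED_KEYS = """# constructed
from="build.example.org,203.0.113.7" ssh-ed25519 AAAAPLACEHOLDER ci@build
no-pty,from="2001:db8::/32,!*.dialup.example.net" ssh-ed25519 AAAAPLACEHOLDER ops
"""
```

Calling audit(SSHD_CONFIG, AUTHORIZED_KEYS) returns one tuple per hostname pattern; the address and CIDR entries on the same lines are not reported.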
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security