Dimitry Andric wrote this message on Sat, Jul 21, 2018 at 22:30 +0200:
> On 21 Jul 2018, at 21:29, Grzegorz Junka <li...@gjunka.com> wrote:
> >
> > On 21/07/2018 12:05, Chad Jacob Milios wrote:
> >>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <li...@gjunka.com> wrote:
> >>> On 21/07/2018 11:03, Chad Jacob Milios wrote:
> >>>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <ja...@catflap.org>
> >>>>> wrote:
> ...
> >>>> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD)
> >>>> has actually switched to adopt this, UseDNS no, as their default
> >>>> configuration for, i think its been a couple years now. This is in
> >>>> addition to dropping the message from their log output if UseDNS yes.
> >>>>
> >>>> There is no point to this foolishly alarming message. Be mindful of the
> >>>> OTHER ways you must surely have in place to keep your sshd hard against
> >>>> attack.
> >>>>
> >>> Good to know. But the documentation says setting to no prevents from
> >>> using DNS in known_hosts. When I look into my known_hosts I see many
> >>> dns-only names, e.g. github.com among others.
> >>>
> >>> GrzegorzJ
> >> In which man page or web page are you seeing this information?
> >
> > > man sshd_config
> >
> > UseDNS Specifies whether sshd(8) should look up the remote host name,
> > and to check that the resolved host name for the remote IP
> > address maps back to the very same IP address.
> >
> > If this option is set to ???no???, then only addresses and not
> > host
> > names may be used in ~/.ssh/known_hosts from and sshd_config
> > Match Host directives. The default is ???yes???.
>
> Interestingly, this documentation is an outdated version, and wrong. :)
> It was reported upstream:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2554
>
> and fixed here:
>
> https://github.com/openssh/openssh-portable/commit/0235a5fa67fcac51adb564cba69011a535f86f6b
>
> The documentation is now:
>
> UseDNS Specifies whether sshd(8) should look up the remote host name,
> and to check that the resolved host name for the remote IP
> address maps back to the very same IP address.
>
> If this option is set to no, then only addresses and not host
> names may be used in ~/.ssh/authorized_keys from and sshd_config
> Match Host directives. The default is "yes".
>
> E.g., it affects only authorized_keys files, but I'm not sure if there
> is such a thing as a "from" directive in those (and neither could I find
> any documentation about "from" directives in known_hosts files either).
Yes, there is. From ssh_config(5):
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(`!'). For example, to allow a key to be used from anywhere within an
organization except from the ``dialup'' pool, the following entry (in
authorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
and from sshd(8):
from="pattern-list"
Specifies that in addition to public key authentication, either
the canonical name of the remote host or its IP address must be
present in the comma-separated list of patterns. See PATTERNS in
ssh_config(5) for more information on patterns.
In addition to the wildcard matching that may be applied to
hostnames or addresses, a from stanza may match IP addresses
using CIDR address/masklen notation.
The purpose of this option is to optionally increase security:
public key authentication by itself does not trust the network or
name servers or anything (but the key); however, if somebody
somehow steals the key, the key permits an intruder to log in
from anywhere in the world. This additional option makes using a
stolen key more difficult (name servers and/or routers would have
to be compromised in addition to just the key).
sshd(8) also has the other restrictions that you can put on keys in the
authorized_keys file.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
