From: "G.P. de Boer"
To: Fernando Schapachnik
cc: freebsd-security@freebsd.org
Subject: Re: sshd doing dns queries on localhost?
Date: 26 May 2003 19:02:30 +0200
Message-Id: <1053968550.574.3.camel@edinburgh>
In-Reply-To: <20030526163255.GJ637@bal740r0.mecon.gov.ar>
List-Id: Security issues [members-only posting]

On Mon, 2003-05-26 at 18:32, Fernando Schapachnik wrote:

This is becoming a FAQ. Current OpenSSH daemons implement a feature called 'privilege separation', which splits the daemon in two: one part running as root, the other as user 'sshd' (or whatever you define), minimizing security threats. One disadvantage though: /etc/resolv.conf is read AFTER chroot()ing to the directory '/var/empty' (talking about OpenSSH in base). If resolv.conf can't be found there, sshd will look up IPs via 127.0.0.1, generating those log_in_vain messages you see. How to solve? Well...
copy /etc/resolv.conf to /var/empty/etc/.

Regards, Pieter
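An added example, not part of Pieter's message and not OpenSSH's own code: a POSIX sh script that performs the copy he describes and wraps it in the checks an admin would want. The paths /etc/resolv.conf and /var/empty are the ones from the post; the function names, the ownership/permission check on the chroot directory and the staleness check are this example's own additions. The resolv.conf contents used in testing (nameserver 192.0.2.53) are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): install a copy of the
# resolver configuration into the sshd privilege-separation chroot and
# check that the chroot directory and the copy are in a sane state.
#
# /etc/resolv.conf and /var/empty are the paths named in the post; the
# function names and the staleness check are this example's own.

# Return 0 if DIR is acceptable as sshd's privsep chroot: it exists, is
# owned by root, and is neither group- nor world-writable.  sshd refuses
# to start when the directory is writable, so "chmod 777 /var/empty" to
# make the copy easier would break the daemon rather than help.
chroot_dir_ok() {
    d=$1
    [ -d "$d" ] || return 1
    # -prune stops find at the directory itself; octal -perm masks are
    # portable between GNU and BSD find (020 = group write, 002 = other write)
    [ -n "$(find "$d" -prune -user root 2>/dev/null)" ] || return 1
    [ -z "$(find "$d" -prune -perm -020 2>/dev/null)" ] || return 1
    [ -z "$(find "$d" -prune -perm -002 2>/dev/null)" ] || return 1
    return 0
}

# Copy SRC to CHROOT_DIR/etc/resolv.conf, world-readable (the unprivileged
# half of sshd must be able to read it), and verify the copy byte-for-byte.
# Usage: install_chroot_resolv /etc/resolv.conf /var/empty
install_chroot_resolv() {
    src=$1
    chroot_dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -d "$chroot_dir" ] || { echo "$chroot_dir is not a directory" >&2; return 1; }
    mkdir -p "$chroot_dir/etc" || return 1
    cp "$src" "$chroot_dir/etc/resolv.conf" || return 1
    chmod 644 "$chroot_dir/etc/resolv.conf" || return 1
    cmp -s "$src" "$chroot_dir/etc/resolv.conf"
}

# Return 0 if the chroot copy exists and matches SRC.  Worth running after
# anything that rewrites /etc/resolv.conf (a DHCP lease change, for one):
# sshd sees only the copy inside the chroot, so a stale copy keeps sending
# lookups to whatever nameserver was configured when it was made.
chroot_resolv_in_sync() {
    src=$1
    chroot_dir=$2
    [ -f "$chroot_dir/etc/resolv.conf" ] || return 1
    cmp -s "$src" "$chroot_dir/etc/resolv.conf"
}

# When invoked directly with two arguments: check the chroot, then install.
if [ "$#" -eq 2 ]; then
    chroot_dir_ok "$2" || { echo "$2 must be owned by root and not group/world-writable" >&2; exit 1; }
    install_chroot_resolv "$1" "$2"
fi
```

Run it as root: sh script.sh /etc/resolv.conf /var/empty. The point of chroot_dir_ok is that the fix is a root-owned file inside a root-owned, non-writable directory; loosening /var/empty itself is the wrong way to get the copy in there. chroot_resolv_in_sync is the check to hook into whatever rewrites /etc/resolv.conf on the host, because nothing will otherwise tell you the chroot copy has gone stale.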