From owner-freebsd-security Thu Jul 25 17:23:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0497A37B400 for ; Thu, 25 Jul 2002 17:23:10 -0700 (PDT)
Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F1AD43E5E for ; Thu, 25 Jul 2002 17:23:09 -0700 (PDT) (envelope-from dmp@pantherdragon.org)
Received: from sparx.pantherdragon.org (evrtwa1-ar10-4-61-236-062.evrtwa1.dsl-verizon.net [4.61.236.62]) by spork.pantherdragon.org (Postfix) with ESMTP id 3F0F5471D8; Thu, 25 Jul 2002 17:02:49 -0700 (PDT)
Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by sparx.pantherdragon.org (Postfix) with ESMTP id 88D80FDA0; Thu, 25 Jul 2002 17:02:46 -0700 (PDT)
Message-ID: <3D4091A6.285C3072@pantherdragon.org>
Date: Thu, 25 Jul 2002 17:02:46 -0700
From: Darren Pilgrim
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Travis L. Leuthauser"
Cc: freebsd-security@freebsd.org
Subject: Re: Openssh-portable
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

"Travis L. Leuthauser" wrote:
>
> As I understand, this is a known problem with openssh-portable when using
> privsep. Apparently after initiating privsep, sshd attempts to read
> /etc/resolv.conf, which it can't since chrooted to /var/empty. A workaround
> is to copy resolv.conf into /var/empty/etc. The only problem w/ this is
> that /var/empty is intended to be empty.

Or you can just put "VerifyReverseMapping no" in your sshd_config.

Relying on DNS consistency for any sort of client verification has never
seemed all that great of an idea to me. There are far too many third
parties, far too many poorly-managed zonefiles, and it is far too easy to
spoof, poison, and trash the DNS for it to be useful for this purpose.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
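The thread above turns on two things an administrator can check mechanically: whether sshd_config still asks for reverse-DNS verification while privilege separation chroots the child into /var/empty, and whether /var/empty has quietly stopped being empty (the workaround Travis describes). The following audit script is an added example written for this archive page; it is not code from the thread or from the OpenSSH project. It implements the sshd_config parsing rules from sshd_config(5) (case-insensitive keywords, `#` comments, whitespace or `=` separators, first value for a keyword wins) and accepts `UseDNS` as well as `VerifyReverseMapping`, since later OpenSSH releases renamed the option. The two sample configurations embedded in it are constructed for the example, and the function and variable names are the example's own.

```python
"""Audit sshd_config and the privsep chroot directory for the resolv.conf
problem discussed in the thread.  Added example; not OpenSSH code."""
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed sample: privsep on and reverse-mapping verification on, the
# combination under which the chrooted child tries to read /etc/resolv.conf.
SAMPLE_BROKEN = """\
# sshd_config (constructed sample, not a real host's file)
Port 22
UsePrivilegeSeparation yes
VerifyReverseMapping yes   # chrooted child cannot reach /etc/resolv.conf
VerifyReverseMapping no    # ignored: sshd keeps the first value for a keyword
"""

# Constructed sample: the configuration the reply recommends.
SAMPLE_FIXED = """\
UsePrivilegeSeparation yes
VerifyReverseMapping no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value using sshd's rules: keywords are case-insensitive,
    '#' starts a comment, keyword and value are split on whitespace or '=',
    and the first value seen for a keyword wins.  Directives after a 'Match'
    line are conditional, so a global audit stops there."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m or not m.group(2):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_reverse_mapping(text: str) -> List[Tuple[str, str]]:
    """Findings as (severity, message) about reverse-DNS verification."""
    s = parse_sshd_config(text)
    findings: List[Tuple[str, str]] = []
    privsep = s.get("useprivilegeseparation", "").lower()
    # VerifyReverseMapping is the keyword from the thread; newer releases call
    # the same option UseDNS, so accept either spelling.
    key = "verifyreversemapping" if "verifyreversemapping" in s else "usedns"
    rdns = s.get(key, "").lower()
    if rdns == "yes":
        if privsep == "yes":
            findings.append(("high", f"{key} yes with UsePrivilegeSeparation yes: "
                             "the chrooted privsep child cannot read /etc/resolv.conf; "
                             "set 'VerifyReverseMapping no' rather than populating /var/empty"))
        findings.append(("info", f"{key} yes: client checks depend on reverse DNS, "
                         "which third parties control and which can be spoofed or poisoned"))
    elif rdns == "":
        findings.append(("info", "reverse-mapping keyword not set; sshd's built-in default applies"))
    return findings


def check_chroot_dir(path: str) -> List[str]:
    """Problems with the privsep chroot directory: it must exist, be a
    root-owned directory, not be group/world writable, and contain nothing."""
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    if st.st_uid != 0:
        problems.append(f"{path} is not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is group- or world-writable")
    entries = os.listdir(path)
    if entries:
        problems.append(f"{path} is not empty: {', '.join(sorted(entries))}")
    return problems


def demo_populated_chroot() -> str:
    """Create a throwaway directory that mimics /var/empty after the
    'copy resolv.conf into /var/empty/etc' workaround (constructed sample)."""
    d = tempfile.mkdtemp(prefix="var_empty_demo_")
    os.mkdir(os.path.join(d, "etc"))
    return d


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_reverse_mapping(cfg) or "no findings")
    print(check_chroot_dir(demo_populated_chroot()))
```

Run it as-is to see the two sample verdicts, or point `audit_reverse_mapping` at the text of a real sshd_config and `check_chroot_dir` at `/var/empty` on a host; anything the second function lists is a file that has leaked into the directory the privsep child is confined to.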