From: Fernando Schapachnik <fernando@mecon.gov.ar>
To: "G.P. de Boer"
cc: freebsd-security@freebsd.org
Date: Mon, 26 May 2003 14:15:05 -0300
Subject: Re: sshd doing dns queries on localhost?
Message-ID: <20030526171505.GL637@bal740r0.mecon.gov.ar>
In-Reply-To: <1053968550.574.3.camel@edinburgh>
References: <20030526163255.GJ637@bal740r0.mecon.gov.ar> <1053968550.574.3.camel@edinburgh>
User-Agent: Mutt/1.4.1i
X-OS: FreeBSD 4.7 - http://www.freebsd.org
List-Id: Security issues [members-only posting]

In an earlier message, G.P. de Boer wrote:
> On Mon, 2003-05-26 at 18:32, Fernando Schapachnik wrote:
> >
> >
> This is becoming a FAQ. Current OpenSSH daemons implement a feature
> called 'privilege separation', which splits the daemon in two: one part
> running as root, the other as user 'sshd' (or whatever you define),
> minimizing security threats. One disadvantage though: /etc/resolv.conf
> is read AFTER chroot()ing to the directory '/var/empty' (talking about
> OpenSSH in base). If resolv.conf can't be found there, sshd will look up
> IPs via 127.0.0.1, generating those log_in_vain messages you see.
>
> How to solve? Well.. copy /etc/resolv.conf to /var/empty/etc/.

Forgot about privsep... Of course that was it. Thanks!
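The check and fix implied by the explanation above, written out as an added shell example; it is not from the thread or from the OpenSSH project. It assumes the base-system layout the thread names (/etc/resolv.conf as the source, /var/empty as the privsep chroot) as defaults, but takes both paths as parameters so it can be run against any directory. The "stale" case is the one worth having a check for: a copied resolv.conf silently falls behind when the real one changes, and the daemon then resolves against whatever was in the copy.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify and sync the copy
# of resolv.conf that a chroot()ed privilege-separated sshd reads.
# Defaults are assumptions taken from the thread: /etc/resolv.conf as source,
# /var/empty as the privsep chroot directory.

# check_privsep_resolv [SRC] [CHROOT_DIR]
# Exit status: 0 = copy present and identical to SRC
#              1 = copy missing (sshd will fall back to 127.0.0.1 for DNS)
#              2 = copy present but differs from SRC (stale)
#              3 = SRC itself does not exist
check_privsep_resolv() {
    src="${1:-/etc/resolv.conf}"
    chroot_dir="${2:-/var/empty}"
    copy="$chroot_dir/etc/resolv.conf"

    if [ ! -f "$src" ]; then
        echo "no source resolv.conf at $src" >&2
        return 3
    fi
    if [ ! -f "$copy" ]; then
        echo "MISSING: $copy (privsep sshd will query 127.0.0.1 instead)"
        return 1
    fi
    # cmp -s compares byte-for-byte without printing anything.
    if ! cmp -s "$src" "$copy"; then
        echo "STALE: $copy differs from $src"
        return 2
    fi
    echo "OK: $copy matches $src"
    return 0
}

# sync_privsep_resolv [SRC] [CHROOT_DIR]
# Copies the resolver configuration into the chroot. Mode 0644 keeps the file
# readable by the unprivileged sshd user without making it writable by it.
sync_privsep_resolv() {
    src="${1:-/etc/resolv.conf}"
    chroot_dir="${2:-/var/empty}"
    mkdir -p "$chroot_dir/etc"
    cp "$src" "$chroot_dir/etc/resolv.conf"
    chmod 0644 "$chroot_dir/etc/resolv.conf"
}

# Typical use on the host (run as root, with the defaults):
#   check_privsep_resolv || sync_privsep_resolv
```

Running `check_privsep_resolv` from a periodic job and syncing only when it returns non-zero keeps the chroot copy current whenever the resolver configuration changes, which is the failure mode a one-off `cp` does not cover.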