Date:      Mon, 07 Nov 2022 18:02:33 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 241917] blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking
Message-ID:  <bug-241917-227-cdtqjxn0oa@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-241917-227@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241917

--- Comment #2 from Jose Luis Duran <jlduran@gmail.com> ---
FreeBSD's default sshd configuration has:

    UseDNS yes

It instructs sshd to look up the remote host name and check that the resolved
host name for the remote IP address maps back to the very same IP address.

In the meantime, a potential workaround could be to set:

    UseDNS no

which is the default setting upstream. However, only addresses and not host
names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host
directives.

I will, eventually, test the possibility of adding a few

    BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");

to auth.c (especially under remote_hostname()).

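The forward-confirmed reverse lookup that `UseDNS yes` turns on, and the notification the comment proposes adding where that check fails, as an added Python model (not code from OpenSSH, blacklistd or the bug report): the resolver tables are constructed stand-ins for DNS, and `notify()` stands in for the BLACKLIST_NOTIFY macro. As in sshd, a failed check does not abort the connection; the IP address is used in place of the host name.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed resolver tables standing in for DNS (assumption: not real records).
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "good.example.net",
    "192.0.2.20": "spoofed.example.net",
    "198.51.100.5": "dual.example.org",
}
ADDR_TABLE: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    "spoofed.example.net": ["203.0.113.99"],        # does not map back
    "dual.example.org": ["2001:db8::5", "198.51.100.5"],
}

def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)

def lookup_addrs(name: str) -> List[str]:
    return ADDR_TABLE.get(name, [])

def remote_hostname(ip: str, ptr=lookup_ptr, addrs=lookup_addrs) -> Tuple[str, str]:
    """Return (name_to_use, outcome), modelling sshd with UseDNS yes.
    outcome is 'verified', 'no-ptr' (no reverse record, IP used silently) or
    'mismatch' (the PTR name does not resolve back to ip: the reverse
    mapping check failed, IP used)."""
    addr = ipaddress.ip_address(ip)
    name = ptr(str(addr))
    if not name:
        return str(addr), "no-ptr"
    forward = {ipaddress.ip_address(a) for a in addrs(name)}
    if addr not in forward:
        return str(addr), "mismatch"
    return name, "verified"

BLACKLIST_AUTH_FAIL = "BLACKLIST_AUTH_FAIL"

def resolve_and_notify(ip: str, notify: Callable[[str, str], None]) -> str:
    """Resolve the peer and, only when the reverse mapping check failed,
    report it through notify() (stand-in for BLACKLIST_NOTIFY; assumption)."""
    name, outcome = remote_hostname(ip)
    if outcome == "mismatch":
        notify(BLACKLIST_AUTH_FAIL, ip)
    return name

if __name__ == "__main__":
    events = []
    for peer in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.1"):
        used = resolve_and_notify(peer, lambda kind, ip: events.append((kind, ip)))
        print(f"{peer:14} -> {used}")
    print("notified:", events)
```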
