Date:      Tue, 9 Oct 2001 13:13:47 -0700 (PDT)
From:      David Kirchner <davidk@accretivetg.com>
To:        <security@freebsd.org>
Subject:   heads up? ssh, krb5-realm.{com,net}
Message-ID:  <20011009130922.C85958-100000@localhost>

This problem just started showing up for us today. Apparently, the openssh
that comes with 4.2-R has some strange bug in that it looks up krb5-realm
in DNS even though no Kerberos server was ever configured in any file on
the system. (Dangerous to have this default, no?)

The provider that hosts krb5-realm.com and .net apparently decided to
either shut off their name servers or delay name server responses for
these domains - not too surprising since this probably created a fair
amount of traffic.

I suspect we'll be seeing a number of e-mails from people having trouble
ssh'ing in to their machines and having it take >2 minutes.

The quick-fix for us was to add krb5-realm.com and .net to our DNS tables
so the lookup would be quick.

The problem appears to be fixed in 4.4, but I haven't checked out how yet
(hopefully, all Kerberos checking is completely disabled unless someone
specifically enables it?)






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011009130922.C85958-100000>