From: Miroslav Lachman <000.fbsd@quip.cz>
To: Grzegorz Junka, Chad Jacob Milios
Cc: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
Date: Sat, 21 Jul 2018 21:59:26 +0200
Message-ID: <3dcdf0e7-a17f-7b98-cdea-06cce1875d74@quip.cz>
In-Reply-To: <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com>

Grzegorz Junka wrote on 2018/07/21 21:29:
[...]
>>>> There is no point to this foolishly alarming message. Be mindful of
>>>> the OTHER ways you must surely have in place to keep your sshd hard
>>>> against attack.
>>>>
>>> Good to know. But the documentation says setting to no prevents from
>>> using DNS in known_hosts. When I look into my known_hosts I see many
>>> dns-only names, e.g. github.com among others.
>>>
>>> GrzegorzJ
>> In which man page or web page are you seeing this information?
>
>
> man sshd_config
>
>      UseDNS  Specifies whether sshd(8) should look up the remote host name,
>              and to check that the resolved host name for the remote IP
>              address maps back to the very same IP address.
>
>              If this option is set to “no”, then only addresses and not host
>              names may be used in ~/.ssh/known_hosts from and sshd_config
>              Match Host directives.  The default is “yes”.

What version of FreeBSD do you have? On FreeBSD 10.4 there is

     UseDNS  Specifies whether sshd(8) should look up the remote host name,
             and to check that the resolved host name for the remote IP
             address maps back to the very same IP address.

             If this option is set to “no”, then only addresses and not host
             names may be used in ~/.ssh/authorized_keys from and sshd_config
             Match Host directives.  The default is “yes”.

And I don't think sshd_config should have any impact on client
configuration (known_hosts). It is controlled by ssh_config.

Miroslav Lachman
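The man page text quoted in the thread describes two server-side behaviours: with UseDNS set to yes, sshd reverse-resolves the client address and only trusts the resulting name if it resolves forward to the same address; with UseDNS set to no, no name is ever available, so a `from="*.example.com"` restriction in authorized_keys or a `Match Host` block can only ever match on addresses. The following simulation is an added example written for this archive entry, not code from OpenSSH or from anyone in the thread; the DNS tables and addresses are constructed, and the pattern matching is a simplified model of sshd's address/host matching (glob patterns, CIDR for addresses, and a leading `!` for negation).

```python
"""Model of the sshd_config(5) UseDNS check and its effect on
authorized_keys from="..." patterns. Added example; all records below
are constructed (RFC 5737 documentation addresses), not real DNS data."""
import fnmatch
import ipaddress

# Constructed reverse (PTR) records: client address -> claimed name.
PTR = {
    "203.0.113.10": "build.example.com",  # forward record confirms this name
    "203.0.113.20": "admin.example.com",  # forward record points elsewhere
}
# Constructed forward (A) records: name -> addresses.
A = {
    "build.example.com": ["203.0.113.10"],
    "admin.example.com": ["198.51.100.5"],
}


def resolve_client_name(ip: str, use_dns: bool):
    """Return the verified host name for the client, or None.

    UseDNS no: sshd performs no lookup, so there is never a name.
    UseDNS yes: reverse-resolve, then require that the name resolves
    forward to the same address (forward-confirmed reverse DNS);
    a PTR record that the forward zone does not confirm is discarded."""
    if not use_dns:
        return None
    name = PTR.get(ip)
    if name is None:
        return None
    if ip not in A.get(name, []):
        return None
    return name


def _pattern_hits(core: str, ip: str, name) -> bool:
    """One pattern against the client: CIDR patterns apply to the address
    only; glob patterns are tried against the address and, when a verified
    name exists, against that name."""
    if "/" in core:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(core, strict=False)
        except ValueError:
            return False
    candidates = [ip] + ([name] if name else [])
    return any(fnmatch.fnmatchcase(c, core) for c in candidates)


def from_option_matches(patterns: str, ip: str, use_dns: bool) -> bool:
    """Evaluate a comma-separated from="..." list for a connecting client.
    A negated pattern ('!') that matches rejects immediately; otherwise the
    key is accepted if any positive pattern matches."""
    name = resolve_client_name(ip, use_dns)
    allowed = False
    for pat in patterns.split(","):
        pat = pat.strip()
        if not pat:
            continue
        negate = pat.startswith("!")
        core = pat[1:] if negate else pat
        if _pattern_hits(core, ip, name):
            if negate:
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # A host-name restriction works only while UseDNS is on ...
    print(from_option_matches("*.example.com", "203.0.113.10", True))   # True
    # ... and silently stops matching once UseDNS is set to no.
    print(from_option_matches("*.example.com", "203.0.113.10", False))  # False
    # An unconfirmed PTR never earns a name, so the pattern does not match.
    print(from_option_matches("*.example.com", "203.0.113.20", True))   # False
    # Address and CIDR patterns keep working regardless of UseDNS.
    print(from_option_matches("203.0.113.0/24", "203.0.113.10", False))  # True
```

The practical check on a real server is `sshd -T | grep -i usedns`, which prints the effective value after all Match blocks are parsed; if it reports `no`, any host-name based `from=` or `Match Host` entries are dead configuration and should be rewritten as addresses or CIDR ranges. The client's known_hosts handling is unaffected either way, as the reply above points out: that file is consulted by ssh(1) and governed by ssh_config(5), not by the server's UseDNS setting.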