Date: Sat, 21 Jul 2018 21:59:26 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> To: Grzegorz Junka <list1@gjunka.com>, Chad Jacob Milios <freebsd-list@nuos.org> Cc: freebsd-security@freebsd.org Subject: Re: Possible break-in attempt? Message-ID: <3dcdf0e7-a17f-7b98-cdea-06cce1875d74@quip.cz> In-Reply-To: <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com> References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org> <d5f56af2-bd11-60d2-ba8d-06ed50872ef9@gjunka.com> <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org> <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Grzegorz Junka wrote on 2018/07/21 21:29: [...] >>>> There is no point to this foolishly alarming message. Be mindful of >>>> the OTHER ways you must surely have in place to keep your sshd hard >>>> against attack. >>>> >>> Good to know. But the documentation says setting to no prevents from >>> using DNS in known_hosts. When I look into my known_hosts I see many >>> dns-only names, e.g. github.com among others. >>> >>> GrzegorzJ >> In which man page or web page are you seeing this information? > > > man sshd_config > > UseDNS Specifies whether sshd(8) should look up the remote host > name, > and to check that the resolved host name for the remote IP > address maps back to the very same IP address. > > If this option is set to “no”, then only addresses and not > host > names may be used in ~/.ssh/known_hosts from and sshd_config > Match Host directives. The default is “yes”. What version of FreeBSD do you have? On FreeBSD 10.4 there is UseDNS Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to “no”, then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives. The default is “yes”. And I don't think sshd_config should have any impact on client configuration (known_hosts). It is controlled by ssh_config. Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3dcdf0e7-a17f-7b98-cdea-06cce1875d74>