Date:      Tue, 9 Oct 2001 13:58:55 -0700 (PDT)
From:      David Kirchner <davidk@accretivetg.com>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        <security@FreeBSD.ORG>
Subject:   Re: heads up? ssh, krb5-realm.{com,net}
Message-ID:  <20011009135644.U85958-100000@localhost>
In-Reply-To: <200110092159.f99LxF654550@khavrinen.lcs.mit.edu>

On Tue, 9 Oct 2001, Garrett Wollman wrote:

> <<On Tue, 9 Oct 2001 13:13:47 -0700 (PDT), David Kirchner <davidk@accretivetg.com> said:
>
> > This problem just started showing up for us today. Apparently, the openssh
> > that comes with 4.2-R has some strange bug in that it looks up krb5-realm
> > in DNS even though no Kerberos server was ever configured in any file on
> > the system. (Dangerous to have this default, no?)
>
> Your DNS resolver is mis-configured; you're probably using a `domain
> foo.com' in /etc/resolv.conf when you should have said `search
> foo.com' instead.  It is never correct to include a TLD in your search
> list.
>
> -GAWollman

We don't have 'domain foo.com' in our resolv.conf. Here's what we have
(with some data masked):

search  hosting.foo.net foo.net
nameserver      207.246.xx.yy
nameserver      207.246.xx.zz

No TLD is in our search list. Kerberos (SSH's implementation, probably)
was doing the lookups by chopping off each part of the hostname and then
pre-pending krb5-realm.
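
The lookup pattern described in this message, as an added example (not part of the original e-mail, and not OpenSSH or Kerberos code): it lists the `krb5-realm` names generated for a host and reports those that fall outside the zones in the search list. The host `www1.hosting.foo.net`, the function names, the placeholder nameserver addresses, and treating the search-list domains as the site's own zones are assumptions.

```python
# Added illustration: models the lookup pattern the message describes.
# It is not OpenSSH or Kerberos source code.
PREFIX = "krb5-realm"  # label named in the message

# Constructed sample modelled on the masked resolv.conf in the message;
# the nameserver addresses are documentation-range placeholders.
RESOLV_CONF = """\
search  hosting.foo.net foo.net
nameserver      192.0.2.1
nameserver      192.0.2.2
"""


def search_domains(resolv_text):
    """Domains from the last 'search' or 'domain' line (the last one wins)."""
    domains = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("search", "domain"):
            domains = [d.rstrip(".").lower() for d in fields[1:]]
    return domains


def tld_entries(domains):
    """Search-list entries that are a bare TLD (a single label)."""
    return [d for d in domains if "." not in d]


def candidate_names(hostname):
    """Names produced by chopping leading labels off hostname one at a time
    and prepending PREFIX (assumed to continue down to the TLD)."""
    labels = hostname.rstrip(".").lower().split(".")
    return [PREFIX + "." + ".".join(labels[i:]) for i in range(1, len(labels))]


def outside_zones(hostname, zones):
    """Candidate names that are not inside any of the given zones."""
    def inside(name):
        return any(name == z or name.endswith("." + z) for z in zones)
    return [n for n in candidate_names(hostname) if not inside(n)]


if __name__ == "__main__":
    zones = search_domains(RESOLV_CONF)  # assumption: these are the site's zones
    print("bare TLDs in search list:", tld_entries(zones))
    for name in candidate_names("www1.hosting.foo.net"):  # hypothetical host
        flag = "OUTSIDE" if name in outside_zones("www1.hosting.foo.net", zones) else "own zone"
        print(f"{flag:9} {name}")
```

With the search list from the message, no entry is a bare TLD, yet under this model the last candidate name is still resolved outside the site's own zones.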

