From owner-freebsd-security Tue Oct 9 15: 2:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13])
    by hub.freebsd.org (Postfix) with ESMTP id C9DF037B40E
    for ; Tue, 9 Oct 2001 15:02:35 -0700 (PDT)
Received: from localhost (davidk@localhost)
    by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f99Kwts79029;
    Tue, 9 Oct 2001 13:58:55 -0700 (PDT)
Date: Tue, 9 Oct 2001 13:58:55 -0700 (PDT)
From: David Kirchner
To: Garrett Wollman
Subject: Re: heads up? ssh, krb5-realm.{com,net}
In-Reply-To: <200110092159.f99LxF654550@khavrinen.lcs.mit.edu>
Message-ID: <20011009135644.U85958-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 9 Oct 2001, Garrett Wollman wrote:

> < said:
>
> > This problem just started showing up for us today. Apparently, the openssh
> > that comes with 4.2-R has some strange bug in that it looks up krb5-realm
> > in DNS even though no Kerberos server was ever configured in any file on
> > the system. (Dangerous to have this default, no?)
>
> Your DNS resolver is mis-configured; you're probably using a `domain
> foo.com' in /etc/resolv.conf when you should have said `search
> foo.com' instead. It is never correct to include a TLD in your search
> list.
>
> -GAWollman

We don't have 'domain foo.com' in our resolv.conf. Here's what we have
(with some data masked):

search hosting.foo.net foo.net
nameserver 207.246.xx.yy
nameserver 207.246.xx.zz

No TLD is in our search list. Kerberos (SSH's implementation, probably)
was doing the lookups by chopping off each part of the hostname and then
pre-pending krb5-realm .
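
The lookup sequence the reply describes, modelled as an added example that is not part of the original message and is not code from OpenSSH or any Kerberos library. It assumes the walk chops one leading label at a time, that the site controls the zones in its search list, and uses a hypothetical host name `web1.hosting.foo.net`; it lists which generated names land outside those zones.

```python
# Added example: models the lookup sequence described in the message above.
# It is not code from OpenSSH or any Kerberos library.

# Constructed input: the masked resolv.conf quoted in the message.
RESOLV_CONF = """\
search hosting.foo.net foo.net
nameserver 207.246.xx.yy
nameserver 207.246.xx.zz
"""


def parse_search(text):
    """Return the resolver search list (the last 'search'/'domain' line wins)."""
    search = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] == "search":
            search = fields[1:]
        elif len(fields) > 1 and fields[0] == "domain":
            search = fields[1:2]
    return [d.rstrip(".").lower() for d in search]


def realm_candidates(hostname, prefix="krb5-realm"):
    """Names produced by chopping leading labels off hostname one at a time
    and prepending `prefix` (assumed model of the described behaviour)."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join([prefix] + labels[i:]) for i in range(1, len(labels))]


def outside_names(hostname, own_zones):
    """Candidates that fall outside every zone the site controls."""
    def inside(name):
        return any(name == z or name.endswith("." + z) for z in own_zones)
    return [n for n in realm_candidates(hostname) if not inside(n)]


if __name__ == "__main__":
    zones = parse_search(RESOLV_CONF)   # assumption: site controls these zones
    host = "web1.hosting.foo.net"       # hypothetical host name
    for name in realm_candidates(host):
        tag = "OUTSIDE" if name in outside_names(host, zones) else "local"
        print(f"{tag:8} {name}")
```

In this model the name directly under the TLD comes from the label-chopping walk itself, independent of the contents of the search list.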