From: Dimitry Andric <dim@FreeBSD.org>
Subject: Re: Possible break-in attempt?
Date: Sat, 21 Jul 2018 22:30:28 +0200
To: Grzegorz Junka
Cc: Chad Jacob Milios, freebsd-security@freebsd.org, Damien Miller
List: freebsd-security@freebsd.org
Message-Id: <1EBE0612-CDB0-452D-ABB0-BFF133B1CBE0@FreeBSD.org>
In-Reply-To: <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com>

On 21 Jul 2018, at 21:29, Grzegorz Junka wrote:
>
> On 21/07/2018 12:05, Chad Jacob Milios wrote:
>>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka wrote:
>>> On 21/07/2018 11:03, Chad Jacob Milios wrote:
>>>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones wrote:
>>>>> ...
>>>> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, I think it's been a couple of years now. This is in addition to dropping the message from their log output if UseDNS yes.
>>>>
>>>> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack.
>>>>
>>> Good to know. But the documentation says setting to no prevents from using DNS in known_hosts. When I look into my known_hosts I see many dns-only names, e.g. github.com among others.
>>>
>>> GrzegorzJ
>> In which man page or web page are you seeing this information?
>
> man sshd_config
>
>     UseDNS  Specifies whether sshd(8) should look up the remote host name,
>             and to check that the resolved host name for the remote IP
>             address maps back to the very same IP address.
>
>             If this option is set to “no”, then only addresses and not host
>             names may be used in ~/.ssh/known_hosts from and sshd_config
>             Match Host directives. The default is “yes”.

Interestingly, this documentation is an outdated version, and wrong. :)

It was reported upstream:
https://bugzilla.mindrot.org/show_bug.cgi?id=2554

and fixed here:
https://github.com/openssh/openssh-portable/commit/0235a5fa67fcac51adb564cba69011a535f86f6b

The documentation is now:

    UseDNS  Specifies whether sshd(8) should look up the remote host name,
            and to check that the resolved host name for the remote IP
            address maps back to the very same IP address.

            If this option is set to no, then only addresses and not host
            names may be used in ~/.ssh/authorized_keys from and sshd_config
            Match Host directives. The default is "yes".

E.g., it affects only authorized_keys files, but I'm not sure if there is such a thing as a "from" directive in those (and neither could I find any documentation about "from" directives in known_hosts files either).

-Dimitry
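The corrected man page text quoted above says that with UseDNS set to no only addresses, not host names, can be used in authorized_keys `from=` options and in sshd_config `Match Host` criteria: sshd never resolves the client address to a name, so a host-name pattern in either place simply never matches. The script below is an added example, not code from this thread or from OpenSSH, that audits both files for such patterns before UseDNS is switched off. The authorized_keys and sshd_config contents are constructed samples with placeholder key material; the line-parsing rules (an options field ends at the first unquoted space, options are split on unquoted commas, `Match` lines are criterion/pattern-list pairs) follow the sshd(8) and sshd_config(5) formats, and the address-versus-name classification is this example's own heuristic.

```python
"""Find sshd `from=` and `Match Host` patterns that only work with UseDNS yes."""
import ipaddress
import re

# Key types that begin an authorized_keys line when it has no options field.
KEY_TYPE_RE = re.compile(r"^(sk-)?(ssh-|ecdsa-sha2-)\S+$")
IPV4_WILDCARD_CHARS = set("0123456789.*?")
IPV6_WILDCARD_CHARS = set("0123456789abcdefABCDEF:*?")

# Constructed sample files; the key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForIllustration0000000 alice@example
from="192.0.2.0/24,2001:db8::/32" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterial1111111 backup@lan
from="*.corp.example.com,!untrusted.corp.example.com",no-pty ssh-rsa AAAAB3NzaC1yc2EFakeKey2222 ops@corp
from="10.0.*.*,bastion.example.net",command="/usr/local/bin/deploy" ssh-rsa AAAAB3NzaC1yc2EFakeKey3333 deploy
"""
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
UseDNS no
Match Host *.corp.example.com,192.0.2.* User ops
    PasswordAuthentication no
Match Address 10.0.0.0/8
    X11Forwarding no
"""


def is_address_pattern(pattern):
    """True if the pattern matches on the client address alone (no DNS needed)."""
    p = pattern.lstrip("!")  # a negated pattern needs the same lookup as a positive one
    if "/" in p:             # CIDR notation: address/masklen
        try:
            ipaddress.ip_network(p, strict=False)
            return True
        except ValueError:
            return False
    if set(p) <= IPV4_WILDCARD_CHARS:   # e.g. 10.0.*.*
        return True
    return ":" in p and set(p) <= IPV6_WILDCARD_CHARS  # e.g. 2001:db8::*


def split_options(line):
    """Return (options, rest); the options field ends at the first unquoted space."""
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2          # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].strip()


def parse_options(options):
    """Split the options field on commas outside quotes, dropping the quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(options):
        c = options[i]
        if c == "\\" and in_quote and i + 1 < len(options):
            buf.append(options[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        parts.append("".join(buf))
    return parts


def dns_dependent_from_patterns(authorized_keys_text):
    """(line_no, pattern) for every from= pattern that cannot match under UseDNS no."""
    found = []
    for line_no, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _rest = split_options(line)
        for opt in parse_options(options):
            if opt.startswith("from="):
                for pat in opt[len("from="):].split(","):
                    if pat and not is_address_pattern(pat):
                        found.append((line_no, pat))
    return found


def dns_dependent_match_host_patterns(sshd_config_text):
    """(line_no, pattern) for every Match Host pattern that cannot match under UseDNS no."""
    found = []
    for line_no, raw in enumerate(sshd_config_text.splitlines(), 1):
        tokens = raw.strip().split()
        if len(tokens) < 3 or tokens[0].lower() != "match":
            continue
        # A Match line is a sequence of criterion/pattern-list pairs: Match Host a,b User c
        for crit, pats in zip(tokens[1::2], tokens[2::2]):
            if crit.lower() == "host":
                found += [(line_no, p) for p in pats.split(",") if not is_address_pattern(p)]
    return found


if __name__ == "__main__":
    for where, hits in (("authorized_keys", dns_dependent_from_patterns(SAMPLE_AUTHORIZED_KEYS)),
                        ("sshd_config", dns_dependent_match_host_patterns(SAMPLE_SSHD_CONFIG))):
        for line_no, pat in hits:
            print(f"{where}:{line_no}: '{pat}' is a host name and never matches with UseDNS no")
```

Run it against real files by replacing the two sample strings with the contents of ~/.ssh/authorized_keys and /etc/ssh/sshd_config. Every pattern it reports is a restriction that silently stops applying once UseDNS is no: a key whose only `from=` entries are host names becomes unusable from anywhere, and a `Match Host` block for a host name is never entered. Rewrite those entries as addresses or CIDR blocks (`from="192.0.2.0/24"`, or `Match Address` instead of `Match Host`) before changing the setting. The classification is a heuristic: a pattern that mixes CIDR notation with wildcards is reported as name-based, which is a false positive worth a manual look rather than a missed case.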