From: Grzegorz Junka
Date: Sat, 21 Jul 2018 20:46:05 +0000
To: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?

On 21/07/2018 19:59, Miroslav Lachman wrote:
> Grzegorz Junka wrote on 2018/07/21 21:29:
>
> [...]
>
>>>>> There is no point to this foolishly alarming message. Be mindful
>>>>> of the OTHER ways you must surely have in place to keep your sshd
>>>>> hard against attack.
>>>>>
>>>> Good to know. But the documentation says setting to no prevents
>>>> from using DNS in known_hosts. When I look into my known_hosts I
>>>> see many dns-only names, e.g. github.com among others.
>>>>
>>>> GrzegorzJ
>>> In which man page or web page are you seeing this information?
>>
>>  > man sshd_config
>>
>>       UseDNS  Specifies whether sshd(8) should look up the remote host name,
>>               and to check that the resolved host name for the remote IP
>>               address maps back to the very same IP address.
>>
>>               If this option is set to “no”, then only addresses and not host
>>               names may be used in ~/.ssh/known_hosts from and sshd_config
>>               Match Host directives.  The default is “yes”.
>
> What version of FreeBSD do you have?
> On FreeBSD 10.4 there is
>
> UseDNS  Specifies whether sshd(8) should look up the remote host name,
>     and to check that the resolved host name for the remote IP
>     address maps back to the very same IP address.
>
>     If this option is set to “no”, then only addresses and not host
>     names may be used in ~/.ssh/authorized_keys from and sshd_config
>     Match Host directives.  The default is “yes”.
>
> And I don't think sshd_config should have any impact on client
> configuration (known_hosts). It is controlled by ssh_config.

It's from 11.1-RELEASE-p1. I would hope that 11.1p1 is more correct than 10.4?
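
Added example (not part of the original message, and not FreeBSD or OpenSSH code): a small Python audit that, reading the UseDNS text as quoted above from the 10.4 man page, lists the from= patterns in authorized_keys and the Match Host patterns in sshd_config that name hosts rather than addresses, which that text says may not be used once UseDNS is set to "no". The sample configuration, the sample keys and the function names are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample inputs, not taken from the thread.
SSHD_CONFIG = """\
UseDNS no
Match Host *.example.org
    PasswordAuthentication no
Match Address 192.0.2.0/24
    X11Forwarding no
"""
AUTHORIZED_KEYS = """\
from="192.0.2.10,*.example.org" ssh-ed25519 AAAAC3placeholder user@a
from="198.51.100.0/24" ssh-ed25519 AAAAC3placeholder user@b
ssh-ed25519 AAAAC3placeholder user@c
"""

def use_dns(config, default="yes"):
    """Effective UseDNS value; sshd keeps the first value it reads."""
    for line in config.splitlines():
        words = line.split("#")[0].split()
        if len(words) >= 2 and words[0].lower() == "usedns":
            return words[1].lower()
    return default  # "yes" is the default given in the quoted man pages

def is_address_pattern(pattern):
    """True when the pattern can match on the client address alone."""
    pattern = pattern.lstrip("!")
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:  # not a literal address or CIDR; try wildcard forms
        return bool(re.fullmatch(r"[0-9.*?]+|(?=.*:)[0-9a-fA-F:*?]+", pattern))

def audit(config, keys):
    """(source, pattern) pairs that need a host name while UseDNS is no."""
    if use_dns(config) != "no":
        return []
    found = []
    for line in config.splitlines():
        words = line.split()
        if words and words[0].lower() == "match":
            for crit, arg in zip(words[1::2], words[2::2]):
                if crit.lower() == "host":
                    found += [("Match Host", p) for p in arg.split(",")]
    for line in keys.splitlines():
        m = re.search(r'(?:^|,)from="([^"]*)"', line, re.I)
        if m:
            found += [("authorized_keys from=", p) for p in m.group(1).split(",")]
    return [(s, p) for s, p in found if not is_address_pattern(p)]
```

Calling audit(SSHD_CONFIG, AUTHORIZED_KEYS) on the constructed input returns the two *.example.org entries; the address and CIDR patterns are not reported.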