Date: Sat, 21 Jul 2018 15:45:10 -0700 From: John-Mark Gurney <jmg@funkthat.com> To: Dimitry Andric <dim@FreeBSD.org> Cc: Grzegorz Junka <list1@gjunka.com>, freebsd-security@freebsd.org, Chad Jacob Milios <freebsd-list@nuos.org>, Damien Miller <djm@mindrot.org> Subject: Re: Possible break-in attempt? Message-ID: <20180721224510.GQ2884@funkthat.com> In-Reply-To: <1EBE0612-CDB0-452D-ABB0-BFF133B1CBE0@FreeBSD.org> References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org> <d5f56af2-bd11-60d2-ba8d-06ed50872ef9@gjunka.com> <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org> <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com> <1EBE0612-CDB0-452D-ABB0-BFF133B1CBE0@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Dimitry Andric wrote this message on Sat, Jul 21, 2018 at 22:30 +0200: > On 21 Jul 2018, at 21:29, Grzegorz Junka <list1@gjunka.com> wrote: > > > > On 21/07/2018 12:05, Chad Jacob Milios wrote: > >>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <list1@gjunka.com> wrote: > >>> On 21/07/2018 11:03, Chad Jacob Milios wrote: > >>>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie@catflap.org> wrote: > ... > >>>> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, i think its been a couple years now. This is in addition to dropping the message from their log output if UseDNS yes. > >>>> > >>>> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack. > >>>> > >>> Good to know. But the documentation says setting to no prevents from using DNS in known_hosts. When I look into my known_hosts I see many dns-only names, e.g. github.com among others. > >>> > >>> GrzegorzJ > >> In which man page or web page are you seeing this information? > > > > > man sshd_config > > > > UseDNS Specifies whether sshd(8) should look up the remote host name, > > and to check that the resolved host name for the remote IP > > address maps back to the very same IP address. > > > > If this option is set to ???no???, then only addresses and not host > > names may be used in ~/.ssh/known_hosts from and sshd_config > > Match Host directives. The default is ???yes???. > > Interestingly, this documentation is an outdated version, and wrong. :) > It was reported upstream: > > https://bugzilla.mindrot.org/show_bug.cgi?id=2554 > > and fixed here: > > https://github.com/openssh/openssh-portable/commit/0235a5fa67fcac51adb564cba69011a535f86f6b > > The documentation is now: > > UseDNS Specifies whether sshd(8) should look up the remote host name, > and to check that the resolved host name for the remote IP > address maps back to the very same IP address. > > If this option is set to no, then only addresses and not host > names may be used in ~/.ssh/authorized_keys from and sshd_config > Match Host directives. The default is "yes". > > E.g., it affects only authorized_keys files, but I'm not sure if there > is such a thing as a "from" directive in those (and neither could I find > any documentation about "from" directives in known_hosts files either). Yes, there is. From ssh_config(5): A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (`!'). For example, to allow a key to be used from anywhere within an organization except from the ``dialup'' pool, the following entry (in authorized_keys) could be used: from="!*.dialup.example.com,*.example.com" and from sshd(8): from="pattern-list" Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. See PATTERNS in ssh_config(5) for more information on patterns. In addition to the wildcard matching that may be applied to hostnames or addresses, a from stanza may match IP addresses using CIDR address/masklen notation. The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key). sshd(8) also has the other restrictions that you can put on keys in the authorized_keys file. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180721224510.GQ2884>