Date: Mon, 26 May 2003 14:15:05 -0300
From: Fernando Schapachnik <fernando@mecon.gov.ar>
To: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>
Cc: freebsd-security@freebsd.org
Subject: Re: sshd doing dns queries on localhost?
Message-ID: <20030526171505.GL637@bal740r0.mecon.gov.ar>
In-Reply-To: <1053968550.574.3.camel@edinburgh>
References: <20030526163255.GJ637@bal740r0.mecon.gov.ar> <1053968550.574.3.camel@edinburgh>

In a previous message, G.P. de Boer wrote:
> On Mon, 2003-05-26 at 18:32, Fernando Schapachnik wrote:
> > <something about DNS lookups when SSH'ing>
>
> This is becoming a FAQ. Current OpenSSH daemons implement a feature
> called 'privilege separation', which splits the daemon in two: one part
> running as root, the other as user 'sshd' (or whatever you define),
> minimizing security threats. One disadvantage though: /etc/resolv.conf
> is read AFTER chroot()ing to the directory '/var/empty' (talking about
> OpenSSH in base). If resolv.conf can't be found there, sshd will look up
> IPs via 127.0.0.1, generating those log_in_vain messages you see.
>
> How to solve? Well.. copy /etc/resolv.conf to /var/empty/etc/.

Forgot about privsep... Of course that was it. Thanks!
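
A defender-side check for the diagnosis given in the quoted reply, as an added example that is not part of the thread: it counts log_in_vain entries for UDP queries to 127.0.0.1:53 and reports whether the privsep chroot directory holds a current copy of resolv.conf. The function names, the assumed log line format and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Log format and sample lines are assumed.

# Write constructed log_in_vain sample lines to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
May 26 18:30:01 host /kernel: Connection attempt to UDP 127.0.0.1:53 from 127.0.0.1:1045
May 26 18:30:06 host /kernel: Connection attempt to UDP 127.0.0.1:53 from 127.0.0.1:1046
May 26 18:31:12 host /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40112
EOF
}

# Count refused UDP lookups sent from localhost to a resolver on localhost.
count_local_dns_attempts() {
    awk '/Connection attempt to UDP 127\.0\.0\.1:53 from 127\.0\.0\.1:/ { n++ } END { print n + 0 }' "$1"
}

# $1 = privsep chroot dir, $2 = system resolv.conf. Prints missing | stale | ok.
chroot_resolv_state() {
    copy="$1/etc/resolv.conf"
    if [ ! -r "$copy" ]; then
        echo missing
    elif ! cmp -s "$copy" "$2"; then
        echo stale          # a copy exists but no longer matches the system file
    else
        echo ok
    fi
}

# $1 = log file, $2 = chroot dir, $3 = system resolv.conf.
diagnose() {
    hits=$(count_local_dns_attempts "$1")
    state=$(chroot_resolv_state "$2" "$3")
    if [ "$hits" -gt 0 ] && [ "$state" != ok ]; then
        echo "likely-privsep-resolver hits=$hits chroot=$state"
    else
        echo "no-match hits=$hits chroot=$state"
    fi
}

# Demo on constructed fixtures in a temp dir (stands in for /var/empty and /etc).
tmp=$(mktemp -d)
make_sample_log "$tmp/messages"
mkdir -p "$tmp/empty"
printf 'nameserver 192.0.2.53\n' > "$tmp/resolv.conf"
diagnose "$tmp/messages" "$tmp/empty" "$tmp/resolv.conf"
rm -rf "$tmp"
```

On a real host the arguments would be the system log, the chroot directory named in the thread, and /etc/resolv.conf.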