Date: Thu, 25 Jul 2002 17:02:46 -0700
From: Darren Pilgrim <dmp@pantherdragon.org>
To: "Travis L. Leuthauser" <travis@bbipmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Openssh-portable
Message-ID: <3D4091A6.285C3072@pantherdragon.org>
References: <NEBBIGMCEDGDNFGOAAFLKEFLKGAA.travis@bbipmail.com>

"Travis L. Leuthauser" wrote:
>
> As I understand, this is a known problem with openssh-portable when using
> privsep. Apparently after initiating privsep, sshd attempts to read
> /etc/resolv.conf, which it can't since chrooted to /var/empty. A workaround
> is to copy resolv.conf into /var/empty/etc. The only problem w/ this is
> that /var/empty is intended to be empty.

Or you can just put "VerifyReverseMapping no" in your sshd_config.

Relying on DNS consistency for any sort of client verification has never
seemed all that great of an idea to me. There are far too many third
parties, far too many poorly-managed zonefiles, and it is far too easy to
spoof, poison, and trash the DNS for it to be useful for this purpose.
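
An added illustration, not part of the original message and not OpenSSH code: the forward-confirmed reverse lookup that VerifyReverseMapping performs, with injected lookup functions so it runs offline. The function names, result labels and zone data are assumptions made for the example, and the missing resolv.conf inside the chroot is modelled simply as a resolver error.

```python
from typing import Callable, Dict, List, Optional


class ResolverUnavailable(Exception):
    """Models a resolver that cannot read its configuration (empty chroot)."""


def check_reverse_mapping(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]],
    addr_lookup: Callable[[str], List[str]],
) -> str:
    """Classify ip as 'verified', 'mismatch', 'no-ptr' or 'resolver-error'."""
    try:
        name = ptr_lookup(ip)               # reverse step: address -> claimed name
        if name is None:
            return "no-ptr"
        name = name.rstrip(".").lower()     # normalise the name before the forward step
        forward = addr_lookup(name)         # forward step: claimed name -> addresses
    except ResolverUnavailable:
        return "resolver-error"
    # The claimed name counts only if it maps back to the connecting address.
    return "verified" if ip in forward else "mismatch"


# Constructed zone data using documentation address ranges.
PTR: Dict[str, str] = {
    "192.0.2.10": "host.example.org.",
    # The PTR record is set by whoever controls the reverse zone for this address.
    "198.51.100.7": "trusted.example.org.",
}
A: Dict[str, List[str]] = {
    "host.example.org": ["192.0.2.10"],
    "trusted.example.org": ["203.0.113.5"],
}


def ptr_ok(ip: str) -> Optional[str]:
    return PTR.get(ip)


def a_ok(name: str) -> List[str]:
    return A.get(name, [])


def ptr_chrooted(ip: str) -> Optional[str]:
    raise ResolverUnavailable("cannot read /etc/resolv.conf")


def demo() -> Dict[str, str]:
    return {
        "consistent": check_reverse_mapping("192.0.2.10", ptr_ok, a_ok),
        "claimed_name": check_reverse_mapping("198.51.100.7", ptr_ok, a_ok),
        "unlisted": check_reverse_mapping("203.0.113.99", ptr_ok, a_ok),
        "chrooted": check_reverse_mapping("192.0.2.10", ptr_chrooted, a_ok),
    }
```

The "verified" result is only as trustworthy as the answers the two lookups return, which is the dependency on third-party DNS that the reply objects to.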
