Date:      Sat, 21 Jul 2018 20:46:05 +0000
From:      Grzegorz Junka <list1@gjunka.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Possible break-in attempt?
Message-ID:  <79df6b59-c36a-b417-8fe8-2717d0b333a2@gjunka.com>
In-Reply-To: <3dcdf0e7-a17f-7b98-cdea-06cce1875d74@quip.cz>
References:  <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org> <d5f56af2-bd11-60d2-ba8d-06ed50872ef9@gjunka.com> <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org> <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com> <3dcdf0e7-a17f-7b98-cdea-06cce1875d74@quip.cz>


On 21/07/2018 19:59, Miroslav Lachman wrote:
> Grzegorz Junka wrote on 2018/07/21 21:29:
>
> [...]
>
>>>>> There is no point to this foolishly alarming message. Be mindful 
>>>>> of the OTHER ways you must surely have in place to keep your sshd 
>>>>> hard against attack.
>>>>>
>>>> Good to know. But the documentation says setting to no prevents 
>>>> from using DNS in known_hosts. When I look into my known_hosts I 
>>>> see many dns-only names, e.g. github.com among others.
>>>>
>>>> GrzegorzJ
>>> In which man page or web page are you seeing this information?
>>
>>  > man sshd_config
>>
>>       UseDNS  Specifies whether sshd(8) should look up the remote host name,
>>               and to check that the resolved host name for the remote IP
>>               address maps back to the very same IP address.
>>
>>               If this option is set to “no”, then only addresses and not host
>>               names may be used in ~/.ssh/known_hosts from and sshd_config
>>               Match Host directives.  The default is “yes”.
>
> What version of FreeBSD do you have?
> On FreeBSD 10.4 there is
>
> UseDNS  Specifies whether sshd(8) should look up the remote host name,
>     and to check that the resolved host name for the remote IP
>     address maps back to the very same IP address.
>
>     If this option is set to “no”, then only addresses and not host
>     names may be used in ~/.ssh/authorized_keys from and sshd_config
>     Match Host directives.  The default is “yes”.
>
> And I don't think sshd_config should have any impact on client 
> configuration (known_hosts). It is controlled by ssh_config.

It's from 11.1-RELEASE-p1. I would hope that 11.1p1 is more correct than 
10.4?
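
Added example, not part of the thread or of FreeBSD/OpenSSH: a Python check that follows the 10.4 man page wording quoted above and lists host-name patterns in authorized_keys `from=` options and `Match Host` lines when UseDNS is off, since sshd then compares addresses only. Function names and sample data are constructed; the default of "yes" is taken from the quoted man page text.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the thread).
SSHD = "UseDNS no\nMatch Host *.corp.example,192.0.2.*\n  X11Forwarding no\n"
KEYS = ('from="build.example.org,203.0.113.7" ssh-ed25519 AAAAconstructed alice\n'
        'from="10.0.0.0/8",no-pty ssh-ed25519 AAAAconstructed bob\n')

def is_address_pattern(pat):
    """True if a from=/Match Host pattern names addresses, not host names."""
    pat = pat.lstrip("!")                        # negated patterns
    try:
        ipaddress.ip_network(pat, strict=False)  # plain address or CIDR
        return True
    except ValueError:                           # maybe 192.0.2.* or 2001:db8:*
        return bool(re.fullmatch(r"[0-9.*?]+", pat) or
                    (":" in pat and re.fullmatch(r"[0-9a-fA-F:*?]+", pat)))

def config_lines(text):
    for raw in text.splitlines():                # yields (keyword, arguments)
        words = raw.split("#", 1)[0].split()
        if words:
            yield words[0].lower(), words[1:]

def usedns_enabled(sshd_config, default=True):
    """Global UseDNS: first occurrence wins; default follows the quoted man page."""
    for key, args in config_lines(sshd_config):
        if key == "match":                       # global section ends here
            break
        if key == "usedns" and args:
            return args[0].lower() == "yes"
    return default

def audit(sshd_config, authorized_keys):
    """(source, pattern) pairs that need a host name while UseDNS is off."""
    if usedns_enabled(sshd_config):
        return []
    found = []
    for key, args in config_lines(sshd_config):
        if key == "match":                       # criteria come in name/value pairs
            for crit, pats in zip(args[::2], args[1::2]):
                if crit.lower() == "host":
                    found += [("Match Host", p) for p in pats.split(",")]
    for line in authorized_keys.splitlines():    # options are the first quoted-aware token
        opts = re.match(r'\s*((?:[^\s"]|"(?:\\.|[^"\\])*")+)', line)
        m = opts and re.search(r'(?:^|,)from="([^"]*)"', opts.group(1), re.I)
        if m:
            found += [("authorized_keys from=", p) for p in m.group(1).split(",")]
    return [(src, p) for src, p in found if not is_address_pattern(p)]
```

`audit(SSHD, KEYS)` reports the two host-name patterns in the constructed input and returns an empty list once `UseDNS` is `yes`.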
