On 21/07/2018 12:05, Chad Jacob Milios wrote:>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <list1 at gjunka.com> wrote: >> On 21/07/2018 11:03, Chad Jacob Milios wrote: >>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie at catflap.org> wrote: >>>> >>>> Dimitry Andric <dim at freebsd.org> wrote: >>>> >>>>> For each incoming IP address, sshd does a reverse lookup, and if that >>>>> results in a hostname, it does another lookup of that hostname, to see >>>>> if *that* result matches the original incoming IP address. If it does >>>>> not, you get this scary warning in syslog about a "possible break-in >>>>> attempt!". >>>>> >>>>> In my opinion, this is fairly misleading, since almost always the actual >>>>> cause is badly configured DNS, a very common occurrence. In addition, >>>>> matching forward and reverse DNS records is no guarantee at all that the >>>>> incoming IP address is in any way trustworthy. >>>> I'm not sure which version this made it into, but they actually removed this >>>> over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2: >>>> >>>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba >>>> | Author: dtucker at openbsd.org <dtucker at openbsd.org> >>>> | Date: Wed Jun 15 00:40:40 2016 +0000 >>>> | >>>> | upstream commit >>>> | >>>> | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message >>>> | about forward and reverse DNS not matching. We haven't supported IP-based >>>> | auth methods for a very long time so it's now misleading. part of bz#2585, >>>> | ok markus@ >>>> | >>>> | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 >>>> >>>> cheers, Jamie >>> adding: >>> >>> UseDNS no >>> >>> has the added benefit of avoiding a grueling delay when YOU are the one behind an IP address with a misconfigured reverse DNS mapping (which is horribly common on consumer networks). It goes into /etc/ssh/sshd_config and has been among my initial configuration to every FreeBSD box i?ve stood up for a decade. >>> >>> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, i think its been a couple years now. This is in addition to dropping the message from their log output if UseDNS yes. >>> >>> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack. >>> >> Good to know. But the documentation says setting to no prevents from using DNS in known_hosts. When I look into my known_hosts I see many dns-only names, e.g. github.com among others. >> >> GrzegorzJ > In which man page or web page are you seeing this information?> man sshd_config ???? UseDNS? Specifies whether sshd(8) should look up the remote host name, ???????????? and to check that the resolved host name for the remote IP ???????????? address maps back to the very same IP address. ???????????? If this option is set to ?no?, then only addresses and not host ???????????? names may be used in ~/.ssh/known_hosts from and sshd_config ???????????? Match Host directives.? The default is ?yes?.
Grzegorz Junka wrote on 2018/07/21 21:29: [...]>>>> There is no point to this foolishly alarming message. Be mindful of >>>> the OTHER ways you must surely have in place to keep your sshd hard >>>> against attack. >>>> >>> Good to know. But the documentation says setting to no prevents from >>> using DNS in known_hosts. When I look into my known_hosts I see many >>> dns-only names, e.g. github.com among others. >>> >>> GrzegorzJ >> In which man page or web page are you seeing this information? > > > man sshd_config > > ???? UseDNS? Specifies whether sshd(8) should look up the remote host > name, > ???????????? and to check that the resolved host name for the remote IP > ???????????? address maps back to the very same IP address. > > ???????????? If this option is set to ?no?, then only addresses and not > host > ???????????? names may be used in ~/.ssh/known_hosts from and sshd_config > ???????????? Match Host directives.? The default is ?yes?.What version of FreeBSD do you have? On FreeBSD 10.4 there is UseDNS Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to ?no?, then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives. The default is ?yes?. And I don't think sshd_config should have any impact on client configuration (known_hosts). It is controlled by ssh_config. Miroslav Lachman
On 21 Jul 2018, at 21:29, Grzegorz Junka <list1 at gjunka.com> wrote:> > On 21/07/2018 12:05, Chad Jacob Milios wrote: >>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <list1 at gjunka.com> wrote: >>> On 21/07/2018 11:03, Chad Jacob Milios wrote: >>>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie at catflap.org> wrote:...>>>> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, i think its been a couple years now. This is in addition to dropping the message from their log output if UseDNS yes. >>>> >>>> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack. >>>> >>> Good to know. But the documentation says setting to no prevents from using DNS in known_hosts. When I look into my known_hosts I see many dns-only names, e.g. github.com among others. >>> >>> GrzegorzJ >> In which man page or web page are you seeing this information? > > > man sshd_config > > UseDNS Specifies whether sshd(8) should look up the remote host name, > and to check that the resolved host name for the remote IP > address maps back to the very same IP address. > > If this option is set to ?no?, then only addresses and not host > names may be used in ~/.ssh/known_hosts from and sshd_config > Match Host directives. The default is ?yes?.Interestingly, this documentation is an outdated version, and wrong. :) It was reported upstream: https://bugzilla.mindrot.org/show_bug.cgi?id=2554 and fixed here: https://github.com/openssh/openssh-portable/commit/0235a5fa67fcac51adb564cba69011a535f86f6b The documentation is now: UseDNS Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to no, then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives. The default is "yes". E.g., it affects only authorized_keys files, but I'm not sure if there is such a thing as a "from" directive in those (and neither could I find any documentation about "from" directives in known_hosts files either). -Dimitry -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 223 bytes Desc: Message signed with OpenPGP URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20180721/ac703757/attachment.sig>