On 21/07/2018 19:59, Miroslav Lachman wrote:> Grzegorz Junka wrote on 2018/07/21 21:29:
>
> [...]
>
>>>>> There is no point to this foolishly alarming message. Be
mindful
>>>>> of the OTHER ways you must surely have in place to keep
your sshd
>>>>> hard against attack.
>>>>>
>>>> Good to know. But the documentation says setting to no prevents
>>>> from using DNS in known_hosts. When I look into my known_hosts
I
>>>> see many dns-only names, e.g. github.com among others.
>>>>
>>>> GrzegorzJ
>>> In which man page or web page are you seeing this information?
>>
>> ?> man sshd_config
>>
>> ????? UseDNS? Specifies whether sshd(8) should look up the remote
>> host name,
>> ????????????? and to check that the resolved host name for the remote
IP
>> ????????????? address maps back to the very same IP address.
>>
>> ????????????? If this option is set to ?no?, then only addresses and
>> not host
>> ????????????? names may be used in ~/.ssh/known_hosts from and
>> sshd_config
>> ????????????? Match Host directives.? The default is ?yes?.
>
> What version of FreeBSD do you have?
> On FreeBSD 10.4 there is
>
> UseDNS? Specifies whether sshd(8) should look up the remote host name,
> ????and to check that the resolved host name for the remote IP
> ????address maps back to the very same IP address.
>
> ????If this option is set to ?no?, then only addresses and not host
> ????names may be used in ~/.ssh/authorized_keys from and sshd_config
> ????Match Host directives.? The default is ?yes?.
>
> And I don't think sshd_config should have any impact on client
> configuration (known_hosts). It is controlled by ssh_config.
It's from 11.1-RELEASE-p1. I would hope that 11.1p1 is more correct than
10.4?