If OpenSSH takes no action, this entry does seem pretty useless for the
functionality. I don't think it adds any real-life security improvement, but
it adds too much noise, which will be ignored anyway. It may be useful to other
log-analyzer software trying to make sense of it, but again the number of false
positives renders any meaningful interpretation of these log entries useless as
well. I can't think of a use case for this logging to be enabled by default, if
it needs to be there at all, but I may have missed the obvious (which hasn't
yet been discussed in this thread).

Thanks.

-coderaptor

--
sent via 100% recycled electrons from my mobile command center.

> On Dec 26, 2013, at 2:19 PM, Dan Kaminsky <dan at doxpara.com> wrote:
>
> The deal is that IP addresses are useless, host names are useful, but host
> name spoofing is actually a real thing that real attackers do.
>
> So, either you don't log, you log hacker controlled data, or you UseDNS.
> OpenSSH, optimizing for security, chooses the last of these options.
>
>> On Thursday, December 26, 2013, Kaz Kylheku wrote:
>>
>>> On 26.12.2013 09:27, Alex Bligh wrote:
>>>
>>>> On 25 Dec 2013, at 08:04, Ben Lindstrom wrote:
>>>>
>>>> UseDNS Specifies whether sshd(8) should look up the remote host name
>>>> and check that the resolved host name for the remote IP address maps back
>>>> to the very same IP address. The default is ``yes''.
>>>
>>> I've often wondered why the default for this is 'yes'.
>>
>> I don't want to read reference manuals. I want software not to do stupid
>> things by default. This misfeature and its configuration option
>> shouldn't even exist.
>>
>> There isn't any action that the software can take based on this info.
>> (We should never waste resources gathering info that cannot be used to
>> take action.)
>>
>> You cannot reject hosts from making SSH connections just because they
>> have inconsistent DNS.
>>
>> Such checks are sometimes useful in software that has no real security,
>> like SMTP. Rejecting inconsistent DNS hosts is an amazingly reliable
>> rule that will get rid of a large fraction of spam, with virtually no
>> false positives.
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
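The UseDNS check quoted in the thread (resolve the remote address to a name, then resolve that name forward and require the original address to be among the results) is forward-confirmed reverse DNS. Below is an added example of that check, written for this page; it is not code from OpenSSH or from anyone in the thread. The PTR and forward tables, the addresses and the "evil" PTR value are constructed so the example runs offline, and the hostname-syntax check and the fall-back-to-address behaviour on failure are assumptions about reasonable handling, not a claim about sshd's exact logic.

```python
import ipaddress
import re

# Constructed resolver data standing in for real PTR and A/AAAA queries, so
# this runs offline. PTR maps an address to the names claimed for it (which
# the address owner controls); FORWARD maps a name to the addresses it
# actually resolves to (which the name's owner controls).
PTR = {
    "192.0.2.10": ["good.example.net"],
    "192.0.2.20": ["spoofed.example.org"],      # PTR claims a name it does not own
    "192.0.2.30": [],                           # no PTR record at all
    "192.0.2.40": ["evil\nsshd: Accepted publickey for root"],  # log-injection attempt
    "2001:db8::1": ["v6.example.net"],
}
FORWARD = {
    "good.example.net": ["192.0.2.10", "192.0.2.11"],
    "spoofed.example.org": ["198.51.100.7"],
    "v6.example.net": ["2001:DB8:0:0:0:0:0:1"],   # same address, different spelling
}

# One DNS label: alphanumeric, optional inner hyphens, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def reverse_lookup(ip):
    """Stand-in for a PTR query against the constructed table."""
    return PTR.get(ip, [])


def forward_lookup(name):
    """Stand-in for an A/AAAA query against the constructed table."""
    return FORWARD.get(name, [])


def fcrdns(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS check.

    Returns (confirmed, reason, display), where display is the name to log
    when the check passes and the bare address otherwise (assumed fallback).
    """
    addr = ipaddress.ip_address(ip)
    names = reverse(ip)
    if not names:
        return False, "no PTR record", str(addr)
    # Only the first PTR is considered, mirroring common resolver behaviour.
    name = names[0].rstrip(".").lower()
    # PTR data is attacker-controlled: reject anything that is not a
    # syntactically valid hostname before it gets near a log line (assumed check).
    if len(name) > 253 or not HOSTNAME_RE.fullmatch(name):
        return False, "PTR name is not a valid hostname", str(addr)
    try:
        forward_addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except ValueError:
        return False, "forward lookup returned a malformed address", str(addr)
    # Address objects compare by value, so "2001:DB8:0:0:0:0:0:1" == "2001:db8::1".
    if addr not in forward_addrs:
        return False, "forward lookup does not map back to the address", str(addr)
    return True, "confirmed", name


def host_for_log(ip, use_dns):
    """What this model puts in the log for a connection from ip under each setting."""
    if not use_dns:
        return str(ipaddress.ip_address(ip))   # UseDNS no: address only, no lookups
    return fcrdns(ip)[2]                        # UseDNS yes: name only if confirmed


if __name__ == "__main__":
    for ip in PTR:
        print(ip, "->", fcrdns(ip))
```

The 192.0.2.20 case is the one the thread argues about: the PTR record names a host the address does not own, so the only safe things to log are the address (UseDNS no) or the address after a failed confirmation (UseDNS yes). The 192.0.2.40 case shows why an unconfirmed PTR is "hacker controlled data": without the forward check and the syntax check, the newline in that name would land in the log as a fabricated second line.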