Useless log message "POSSIBLE BREAK-IN ATTEMPT"

On 12/26/13, 4:47 PM, "Kaz Kylheku" <kaz at kylheku.com> wrote:

> 
>
>On 26.12.2013 09:27, Alex Bligh wrote:
>
>> On 25 Dec 2013, at 08:04, Ben Lindstrom wrote:
>> 
>>> UseDNS Specifies whether sshd(8) should look up the remote host name
>>>and check that the resolved host name for the remote IP address maps
>>>back to the very same IP address. The default is ``yes''.
>> 
>> I've often wondered why the default for this is 'yes'.
>
>I don't want to read reference manuals. I want software not to do stupid
>things by default. This misfeature and its configuration option
>shouldn't even exist.
>
>There isn't any action that the software can take based on this info.
>(We should never waste resources gathering info that cannot be used to
>take action.) 

Imagine that you, as a sysadmin, perhaps control users' keys (and
authorized_keys files per user, per host) centrally. In that use case, at
least, you can enforce that certain keys only be allowed from certain
hosts.  I'd find UseDNS yes useful in that use case, as well as the GSSAPI
use cases that others have mentioned in the thread.
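
Added example, not part of the original message and not OpenSSH's own code: a simplified model of the forward-confirmed reverse lookup that UseDNS performs and of how its result decides whether a host-name pattern in an authorized_keys from="..." restriction can match. The DNS tables, host names and function names are constructed for illustration, and the pattern matching is a reduced version of sshd's (globs and '!' negation only).

```python
from fnmatch import fnmatchcase

# Constructed DNS data: documentation address ranges, hypothetical names.
PTR = {
    "192.0.2.10": "build1.example.com",
    "198.51.100.7": "build1.example.com",  # PTR claims a name it does not own
}
A = {"build1.example.com": ["192.0.2.10"]}


def verified_name(ip, use_dns=True, ptr=PTR, a=A):
    """Return the host name to trust for ip, or ip itself when unverified."""
    if not use_dns:
        return ip                      # UseDNS no: never resolve
    name = ptr.get(ip)
    if name is None:
        return ip                      # no reverse record at all
    name = name.lower().rstrip(".")
    if ip not in a.get(name, []):
        # Reverse name does not map back to the connecting address.
        # This is the case that triggers the log message in the subject.
        return ip
    return name


def from_allows(patterns, ip, use_dns=True):
    """Simplified from="..." check: comma-separated globs, '!' negates."""
    host = verified_name(ip, use_dns)
    allowed = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        if fnmatchcase(host, pat.lower()) or fnmatchcase(ip, pat):
            if negate:
                return False           # a negated match always rejects
            allowed = True
    return allowed


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, verified_name(ip), from_allows("*.example.com", ip))
```

With UseDNS off, only address patterns such as from="192.0.2.*" can match, because no host name is ever looked up.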

