On Sat, 28 Dec 2013, Kaz Kylheku wrote:

> On 27.12.2013 14:52, Dan Mahoney, System Admin wrote:
> > On Thu, 26 Dec 2013, Dan Kaminsky wrote:
> > > The deal is that IP addresses are useless, host names are useful, but
> > > host name spoofing is actually a real thing that real attackers do. So,
> > > either you don't log, you log hacker controlled data, or you UseDNS.
> > > OpenSSH, optimizing for security, chooses the last of these options.
> >
> > I think the point here is that there's no option for OpenSSH to then
> > *drop the connection* or refuse it. OpenSSH *checks*, but does not
> > *enforce* anything. Sendmail will refuse to relay if my forward and
> > reverse DNS don't match. If I have an Allow From *.example.edu in my
> > apache config, apache requires them both to match or it won't let me
> > in. OpenSSH will clutter my logs and do nothing else.
>
> Refusing such connections makes perfect sense in unauthenticated SMTP.
> Doing so will get rid of a large fraction of spam, with virtually no
> false positives.
>
> It makes no sense in SSH. You'd never want to refuse a connection which
> has the correct password or key just because it came from an IP address
> that doesn't have reversible DNS.

..

> There is no reason for ssh to "use DNS" except in the client to resolve
> server addresses.

Sure you would, and I cited an example where you might.

However, here's my other question -- if you have such a restriction turned
on (host-restricted config in sshd_config or authorized-keys), but UseDNS
turned *off*, will DNS still be used? Or will turning UseDNS off basically
break these features?

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
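The interaction the thread is asking about, as an added illustration that is not OpenSSH code: a model of the forward-confirmed reverse DNS check sshd performs when UseDNS is on, and of how a hostname pattern in a `from=` option or `Match Host` block fares when UseDNS is off. The DNS tables and the glob-only pattern matching are constructed simplifications (real sshd resolves via the system resolver and supports pattern lists and negation).

```python
import fnmatch
from typing import Dict, List

# Constructed DNS stand-ins (documentation ranges); a real sshd would call
# the system resolver instead of consulting these tables.
PTR: Dict[str, str] = {
    "192.0.2.10": "shell.example.edu",    # honest: forward record matches
    "198.51.100.7": "shell.example.edu",  # spoofed PTR: forward does not map back
    "203.0.113.9": "",                    # no reverse record at all
}
A: Dict[str, List[str]] = {
    "shell.example.edu": ["192.0.2.10"],
}


def canonical_host(ip: str, use_dns: bool) -> str:
    """Name sshd would log and match for a peer, modelled on UseDNS semantics.

    With UseDNS off the IP string stands in for the hostname.  With UseDNS on,
    the PTR name is accepted only if it resolves forward to the same address
    (forward-confirmed reverse DNS); any mismatch falls back to the IP, which is
    why a spoofed PTR cannot put an attacker-chosen name into the logs.
    """
    if not use_dns:
        return ip
    name = PTR.get(ip, "")
    if not name:
        return ip                     # no reverse record: log the address
    if ip not in A.get(name, []):
        return ip                     # "maps to X, but this does not map back"
    return name


def from_allows(pattern: str, ip: str, use_dns: bool) -> bool:
    """Simplified from="pattern" check: the pattern is tried against the
    canonical hostname and against the IP address (single glob, no lists)."""
    host = canonical_host(ip, use_dns)
    return fnmatch.fnmatchcase(host, pattern) or fnmatch.fnmatchcase(ip, pattern)
```

With UseDNS off a hostname pattern can no longer match anything, so a key restricted with `from="*.example.edu"` is effectively locked out, while an address pattern such as `from="192.0.2.*"` keeps working.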