Useless log message "POSSIBLE BREAK-IN ATTEMPT"

Coy Hile Coy.Hile at COYHILE.COM
Sat Dec 28 13:09:24 EST 2013



On 12/26/13, 4:47 PM, "Kaz Kylheku" <kaz at kylheku.com> wrote:

> 
>
>On 26.12.2013 09:27, Alex Bligh wrote:
>
>> On 25 Dec 2013, at 08:04, Ben Lindstrom wrote:
>> 
>>> UseDNS Specifies whether sshd(8) should look up the remote host name
>>> and check that the resolved host name for the remote IP address maps
>>> back to the very same IP address. The default is ``yes''.
>> 
>> I've often wondered why the default for this is 'yes'.
>
>I don't want to read reference manuals. I want software not to do stupid
>things by default. This misfeature and its configuration option
>shouldn't even exist.
>
>There isn't any action that the software can take based on this info.
>(We should never waste resources gathering info that cannot be used to
>take action.) 

Imagine that you, as a sysadmin, perhaps control users' keys (and
authorized_keys files per user, per host) centrally. In that use case, at
least, you can enforce that certain keys only be allowed from certain
hosts. I'd find UseDNS yes useful in that use case, as well as the GSSAPI
use cases that others have mentioned in the thread.


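The restriction described in the reply above rests on the forward-confirmed reverse lookup that `UseDNS yes` performs: sshd looks up the peer's PTR name, resolves that name forward again, and trusts the name only if it maps back to the connecting address; otherwise it logs the warning from the subject line and falls back to the bare IP, so an authorized_keys `from=` host pattern cannot be satisfied by a PTR record the peer's owner controls. The following is an added example, not code from this thread or from OpenSSH: a Python model of that check and of `from=` pattern matching, run over constructed DNS records. The addresses, host names, and the `Resolver` classes are invented for illustration, and the warning strings are modelled on sshd's wording rather than copied from it.

```python
"""Model of the forward-confirmed reverse DNS check behind sshd's UseDNS option."""
import fnmatch
import socket
from dataclasses import dataclass, field
from typing import Dict, Optional, Protocol, Set, Tuple


class Resolver(Protocol):
    def reverse(self, ip: str) -> Optional[str]: ...
    def forward(self, name: str) -> Set[str]: ...


@dataclass
class StaticResolver:
    """Offline resolver over constructed records (sample data, not real hosts)."""
    ptr: Dict[str, str] = field(default_factory=dict)
    a: Dict[str, Set[str]] = field(default_factory=dict)

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, name: str) -> Set[str]:
        return self.a.get(name.lower(), set())


class SystemResolver:
    """Uses the host's libc resolver; network-dependent, so not used in the demo."""
    def reverse(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(self, name: str) -> Set[str]:
        try:
            return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
        except socket.gaierror:
            return set()


def canonical_host(ip: str, resolver: Resolver) -> Tuple[str, Optional[str]]:
    """Return (name to use for the peer, warning or None).

    Models UseDNS yes: the PTR name is trusted only if it resolves forward to
    the connecting address; on any mismatch the bare IP is used instead.
    Warning text is modelled on sshd's log lines, not quoted from them.
    """
    name = resolver.reverse(ip)
    if name is None:
        return ip, None  # no PTR at all: nothing to verify, use the address
    addrs = resolver.forward(name)
    if not addrs:
        return ip, (f"reverse mapping checking getaddrinfo for {name} [{ip}] "
                    "failed - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        return ip, (f"Address {ip} maps to {name}, but this does not map back "
                    "to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return name.lower(), None


def from_option_allows(pattern_list: str, host: str, ip: str) -> bool:
    """Evaluate an authorized_keys from="..." pattern list.

    Comma-separated; '*' and '?' are wildcards; a leading '!' negates, and a
    negated match denies outright. Both the canonical name and the IP are
    tried, which is how sshd documents the option.
    """
    allowed = False
    for pat in pattern_list.split(","):
        pat = pat.strip().lower()
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        hit = fnmatch.fnmatchcase(host, pat) or fnmatch.fnmatchcase(ip, pat)
        if hit and negate:
            return False
        if hit:
            allowed = True
    return allowed


# Constructed records: one legitimate build host, plus a second address whose
# owner published a PTR record claiming the same name (hypothetical data).
SAMPLE_DNS = StaticResolver(
    ptr={"192.0.2.10": "build01.example.com",
         "198.51.100.7": "build01.example.com"},
    a={"build01.example.com": {"192.0.2.10"}},
)


def key_usable_from(ip: str, pattern_list: str = "*.example.com",
                    resolver: Resolver = SAMPLE_DNS) -> Tuple[bool, Optional[str]]:
    """Decide whether a key restricted with from=pattern_list is usable from ip."""
    host, warning = canonical_host(ip, resolver)
    return from_option_allows(pattern_list, host, ip), warning


if __name__ == "__main__":
    for peer in ("192.0.2.10", "198.51.100.7"):
        ok, warning = key_usable_from(peer)
        print(peer, "allowed" if ok else "denied", "|",
              warning or "reverse mapping verified")
```

With the sample records, the genuine host is accepted under `from="*.example.com"`, while the second address is reduced to its bare IP, fails the pattern, and produces the warning line; without the forward confirmation the spoofed PTR alone would have satisfied the restriction.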



More information about the openssh-unix-dev mailing list