Useless log message "POSSIBLE BREAK-IN ATTEMPT"
Coy Hile
Coy.Hile at COYHILE.COM
Sat Dec 28 13:09:24 EST 2013
On 12/26/13, 4:47 PM, "Kaz Kylheku" <kaz at kylheku.com> wrote:
>
>
>On 26.12.2013 09:27, Alex Bligh wrote:
>
>> On 25 Dec 2013, at 08:04, Ben Lindstrom wrote:
>>
>>> UseDNS Specifies whether sshd(8) should look up the remote host name
>>>and check that the resolved host name for the remote IP address maps
>>>back to the very same IP address. The default is ``yes''.
>>
>> I've often wondered why the default for this is 'yes'.
>
>I don't want to read reference manuals. I want software not to do stupid
>things by default. This misfeature and its configuration option
>shouldn't even exist.
>
>There isn't any action that the software can take based on this info.
>(We should never waste resources gathering info that cannot be used to
>take action.)
Imagine that you, as a sysadmin, perhaps control users' keys (and
authorized_keys files per user, per host) centrally. In that use case, at
least, you can enforce that certain keys only be allowed from certain
hosts. I'd find UseDNS yes useful in that use case, as well as the GSSAPI
use cases that others have mentioned in the thread.
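As an added illustration of the point made above (not code from the thread or from OpenSSH itself), the following models how an authorized_keys `from=` restriction depends on the forward-confirmed reverse lookup that UseDNS performs: a hostname pattern can only match when the PTR name resolves back to the connecting address. The resolver data and the matching logic are constructed stand-ins, not sshd's own implementation.

```python
"""Model of authorized_keys from= matching with and without UseDNS.

Added example; the DNS records below are constructed test data and the
matching rules are a simplified model of sshd's behaviour.
"""
import fnmatch
import ipaddress

# Constructed resolver data: PTR (reverse) and A (forward) records.
PTR = {"192.0.2.10": "build1.example.com", "192.0.2.11": "spoof.example.com"}
A = {"build1.example.com": ["192.0.2.10"], "spoof.example.com": ["198.51.100.5"]}


def confirmed_hostname(ip):
    """Return the remote host name only if it forward-confirms to the same IP.

    This is the check UseDNS yes performs: a PTR name whose A record does not
    contain the connecting address is discarded, so a spoofed reverse entry
    cannot satisfy a hostname pattern.
    """
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, []):
        return None
    return name


def matches_pattern(pattern, ip, hostname):
    """Match one from= pattern: CIDR, literal/wildcard IP, or hostname glob."""
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if fnmatch.fnmatchcase(ip, pattern):
        return True
    # Hostname patterns can only ever match when a confirmed name is available.
    return hostname is not None and fnmatch.fnmatchcase(hostname, pattern)


def key_allowed(from_spec, ip, use_dns=True):
    """Evaluate a from="pat1,pat2,!pat3" list: any negated match denies,
    otherwise at least one positive match is required."""
    hostname = confirmed_hostname(ip) if use_dns else None
    allowed = False
    for pattern in from_spec.split(","):
        negate = pattern.startswith("!")
        if matches_pattern(pattern.lstrip("!"), ip, hostname):
            if negate:
                return False
            allowed = True
    return allowed
```

With UseDNS no, a key restricted to `from="*.example.com"` is never usable, so central policy must then be written in terms of addresses or CIDR ranges instead.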