Useless log message "POSSIBLE BREAK-IN ATTEMPT"

Damien Miller djm at mindrot.org
Sat Dec 28 20:04:06 EST 2013


On Fri, 27 Dec 2013, Dan Mahoney, System Admin wrote:

> I think the point here is that there's no option for OpenSSH to then
> *drop the connection* or refuse it. OpenSSH *checks*, but does not
> *enforce* anything.

That's not entirely true. from=... restrictions in authorized_keys and
"Match host" sections in sshd_config depend on the hostname. In the
reverse-mapping check failed case, they don't get to see the original
(probably untrustworthy) hostname and are just passed the IP address.

Basically, the things that depend on the hostname will not be shown one
that appears spoofed.

-d
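
The fallback described in the message above, as an added example that is not part of the original post and is not OpenSSH's code: a simplified model of a forward-confirmed reverse lookup feeding a from="..." style pattern check. The DNS tables, addresses and function names are constructed for illustration, and '!' negation in pattern lists is left out.

```python
import ipaddress
import re

# Constructed DNS data (documentation address ranges), standing in for real lookups.
PTR = {
    "192.0.2.10": "gw.example.com",          # forward record agrees
    "203.0.113.66": "trusted.example.com",   # PTR chosen by the reverse-zone owner
}
FWD = {
    "gw.example.com": ["192.0.2.10"],
    "trusted.example.com": ["192.0.2.20"],   # does not map back to 203.0.113.66
}

def name_for_matching(ip, ptr=PTR, fwd=FWD):
    """Return (name, verified): the PTR name only if it resolves back to ip."""
    claimed = ptr.get(ip)
    if claimed is None:
        return ip, False                      # no reverse record at all
    claimed = claimed.lower().rstrip(".")
    want = ipaddress.ip_address(ip)
    if any(ipaddress.ip_address(a) == want for a in fwd.get(claimed, [])):
        return claimed, True
    return ip, False                          # mismatch: the claimed name is dropped

def glob_match(pattern, text):
    """Match with only '*' and '?' as wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, text, re.IGNORECASE) is not None

def from_allows(patterns, ip):
    """Simplified from="..." check: comma-separated patterns, no '!' negation.
    Patterns are tried against the name chosen above and against the IP."""
    name, _ = name_for_matching(ip)
    return any(glob_match(p.strip(), c)
               for p in patterns.split(",") for c in (name, ip))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66"):
        print(ip, name_for_matching(ip), from_allows("*.example.com", ip))
```

The second address carries a PTR record inside example.com, yet a hostname pattern never sees that name; only a pattern written against the IP address can match it.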


More information about the openssh-unix-dev mailing list