Puzzling sshd behaviour

ari edelkind-freebsd-hackers at episec.com
Mon Sep 8 14:19:36 PDT 2003


andreas at freebsd.org said this stuff:

> On Sun, Sep 07, 2003 at 02:55:10AM +0100, Bruce M Simpson wrote:
[...]
> > > >But what about:
> > > >     VerifyReverseMapping
> > > >             Specifies whether sshd should try to verify the remote host name
> > > >             and check that the resolved host name for the remote IP address
> > > >             maps back to the very same IP address.  The default is ``no''.
[...]
> > This sounds like a bug. Does anyone else agree?
> 
> Yes and I really needed this functionality in a project for 12 Suns...
> 
> But it didn't work as expected from the description.

It's a common misconception that this option means the server should not
attempt a reverse lookup.  It doesn't.  If the VerifyReverseMapping
option is enabled, then after the server does a reverse lookup, it will
then ensure that the hostname maps back to the same IP address that is
associated with the socket, useful mainly for banning networks with
lackluster admins or attackers who try to feign domain ownership using
only reverse DNS.  The initial part of the description is a bit
misleading, but the fact that setting this option to 'no' does not
disable reverse lookups is not a bug.

ari
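The distinction drawn in the reply above, as an added illustration (not OpenSSH code): the reverse lookup happens in both modes, and the option only decides whether the resulting name is checked by forward-resolving it. The PTR and A tables are constructed sample data, and falling back to the numeric address when the mapping does not round-trip is an assumption of this model.

```python
"""Model of sshd's VerifyReverseMapping check over a constructed resolver."""
from typing import Optional

# Constructed sample DNS data: PTR records (IP -> name) and A records (name -> IPs).
PTR_RECORDS = {
    "192.0.2.10": "host10.example.net",   # forward and reverse agree
    "192.0.2.20": "mail.example.org",     # PTR claims a name whose A record points elsewhere
    "192.0.2.30": "orphan.example.net",   # PTR name with no forward record at all
}
A_RECORDS = {
    "host10.example.net": {"192.0.2.10"},
    "mail.example.org": {"198.51.100.5"},
}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (performed in both modes)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> set:
    """A-record lookup against the constructed table."""
    return A_RECORDS.get(name, set())


def mapping_round_trips(ip: str) -> bool:
    """True when the PTR name forward-resolves back to the original address."""
    name = reverse_lookup(ip)
    return name is not None and ip in forward_lookup(name)


def remote_hostname(ip: str, verify_reverse_mapping: bool) -> str:
    """Return the name the server would record for the peer.

    The reverse lookup is done regardless of the option.  With the option
    enabled, the name is only used if it forward-resolves to the socket's
    address; otherwise the numeric address is used (modelling assumption).
    """
    name = reverse_lookup(ip)
    if name is None:
        return ip          # no PTR record: nothing to verify, use the address
    if not verify_reverse_mapping:
        return name        # option off: reverse lookup still done, result used as-is
    if ip in forward_lookup(name):
        return name        # forward and reverse agree
    return ip              # mapping does not round-trip: do not trust the claimed name


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, remote_hostname(ip, False), remote_hostname(ip, True))
```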


