[Bug 241917] blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 07 Nov 2022 18:02:33 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241917

--- Comment #2 from Jose Luis Duran <jlduran@gmail.com> ---
FreeBSD's default sshd configuration has:

    UseDNS yes

It instructs sshd to look up the remote host name and check that the resolved
host name for the remote IP address maps back to the very same IP address.

In the meantime, a potential workaround, could be to set:

    UseDNS no

which is the default setting upstream. However, only addresses and not host
names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host
directives.

I will, eventually, test the possibility of adding a few

    BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");

to auth.c (especially under remote_hostname()).

-- 
You are receiving this mail because:
You are the assignee for the bug.