From: Matthew Seaman
To: questions@FreeBSD.ORG
Subject: Re: SSH Reverse DNS Lookup
Date: Wed, 15 Jan 2003 17:26:28 +0000
Message-ID: <20030115172628.GC29533@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030115155720.P27295-100000@freebsd.rf0.com>

On Wed, Jan 15, 2003 at 03:59:20PM +0000, Rus Foster wrote:
> Hi All,
> Basically a twofold question.
>
> 1) How do I force sshd to do a reverse DNS lookup and deny the connection
> if it fails?
See sshd_config(5) --- the VerifyReverseMapping option looks like what
you need. Alternately check the hosts_options(5) man page, and look at
the usage of 'PARANOID' in the default /etc/hosts.allow file. ssh(1)
incorporates the tcpd functionality by default on FreeBSD.

> 2) I run a public shell account server. Do you think I'm asking for
> trouble by turning the option on?

In the sense of having loads of your users whining at you? Probably. A
number of ISPs are fairly clueless about making sure their dialups or
ADSL customers have proper inverse entries in the DNS.

I'm not sure that it's really going to add all that much to your
security, unless you use HostbasedAuthentication. Of course, if you do
that, then you're pretty much S.O.L. security-wise, whatever you do.
Until and unless the worldwide DNS implements some sort of
cryptographically strong authentication mechanism, it will remain way
too easy to spoof DNS data.

It would probably be better from your point of view to require all of
your users to use ssh's key-based authentication for remote login. See
the ssh-keygen(1) page for details. Nb. don't use the SSH protocol
version 1 RSA1 stuff if you can avoid it --- it's pretty much obsolete
now and less secure than SSH protocol version 2.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
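The forward-confirmed reverse lookup that VerifyReverseMapping and tcpd's PARANOID perform, as an added illustration that is not part of the message above nor OpenSSH or tcp_wrappers code: resolve the client address to a name, resolve that name back to addresses, and accept only if the original address is among them. The sample zone data, the documentation-range addresses and all function names here are constructed for the example; the system_* resolvers use the real socket module when no fake resolver is passed in.

```python
import socket

# Constructed sample DNS data (RFC 5737 documentation addresses, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": "shell-user.example.net",  # PTR and A agree: accepted
    "192.0.2.20": "trusted.example.org",     # PTR claims a name whose A does not point back
    "192.0.2.40": "orphan.example.net",      # PTR names a host with no forward record
}
SAMPLE_A = {
    "shell-user.example.net": ["192.0.2.10"],
    "trusted.example.org": ["198.51.100.5"],
}

def sample_reverse(ip):
    """PTR lookup against the constructed data; raises like the socket module."""
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]

def sample_forward(name):
    """A lookup against the constructed data; raises like the socket module."""
    if name not in SAMPLE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_A[name]

def system_reverse(ip):
    """Real PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def system_forward(name):
    """Real forward lookup: every address the name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

def verify_reverse_mapping(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse lookup; returns (accept, reason).
    A bare PTR is set by whoever controls the in-addr.arpa zone for the client's
    address, so it is only accepted once the forward zone agrees with it."""
    try:
        name = reverse(ip)
    except OSError:  # socket.herror is a subclass of OSError
        return False, f"no PTR record for {ip}"
    try:
        addrs = forward(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, f"PTR names {name} but it has no forward record"
    if ip not in addrs:
        return False, f"PTR names {name} but its addresses {addrs} do not include {ip}"
    return True, f"{ip} <-> {name} confirmed"
```

As the reply notes, a consistent pair only shows that the two zones agree, not that either answer is authentic; the check raises the bar for casual PTR forgery but is no substitute for key-based authentication.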