paul> Actually, distros try to use a dir.d/*.conf type structure these
paul> days for exactly this reason. It allows base options that are
paul> untouched to be upgraded even if there are custom user
paul> options. openssh is one of those that unfortunately does not
paul> support that.

Thanks for the correction/clarification.

paul> Distros tend to stick to upstream options. So for example if you
paul> want this changed in fedora/rhel, you will need to talk to openssh
paul> because according to their man page (for openssh-6.4p1-5):
paul>
paul>   UseDNS  Specifies whether sshd(8) should look up the remote
paul>           host name and check that the resolved host name for the
paul>           remote IP address maps back to the very same IP address. The
paul>           default is "yes".
paul>
paul> ps. if you talk to them, please also get them to change the
paul> default for VerifyHostKeyDNS= to "ask".

I can ask... But I'm also finding various "best practice" websites
recommending turning on VerifyReverseMapping.

Seeing shades of Augean stables...

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
