On Wed, Jan 15, 2003 at 03:59:20PM +0000, Rus Foster wrote:
> Hi All,
> Basically a twofold question.
>
> 1) How do I force sshd to do a reverse DNS lookup and deny the connection
> if it fails?
See sshd_config(5) --- the VerifyReverseMapping option looks like what you need. Alternatively, check the hosts_options(5) man page, and look at the usage of 'PARANOID' in the default /etc/hosts.allow file. ssh(1) incorporates the tcpd functionality by default on FreeBSD.

> 2) I run a public shell account server. Do you think I'm asking for
> trouble by turning the option on?

In the sense of having loads of your users whining at you? Probably. A number of ISPs are fairly clueless about making sure their dialup or ADSL customers have proper inverse entries in the DNS.

I'm not sure that it's really going to add all that much to your security, unless you use HostbasedAuthentication. Of course, if you do that, then you're pretty much S.O.L. security-wise, whatever you do. Until and unless the worldwide DNS implements some sort of cryptographically strong authentication mechanism, it will remain way too easy to spoof DNS data.

It would probably be better from your point of view to require all of your users to use ssh's key-based authentication for remote login. See the ssh-keygen(1) page for details. NB. don't use the SSH protocol version 1 RSA1 stuff if you can avoid it --- it's pretty much obsolete now and less secure than SSH protocol version 2.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
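The check that both VerifyReverseMapping and tcpd's PARANOID rule perform is forward-confirmed reverse DNS: look up the PTR for the client address, then look up the A records for the name that comes back, and require the original address to be among them. The example below is added to this page and is not code from the thread or from OpenSSH; it reimplements that logic in Python against a constructed, in-memory resolver (the FakeResolver class, the hostnames and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation addresses are all made up for the demonstration) so it runs offline. It shows the three outcomes a shell-server admin would actually see: a well-configured client passes, a client with no PTR (the "ISP with no inverse entries" case Matthew mentions) is rejected, a client whose PTR points at someone else's hostname is rejected, and a client whose operator controls both the reverse and the forward zone passes, which is why the check proves consistency of the DNS data rather than identity of the host. Note that later OpenSSH releases dropped VerifyReverseMapping in favour of UseDNS, so the config option name in the reply is specific to the 2003-era sshd.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the test behind sshd's
VerifyReverseMapping and tcpd's PARANOID keyword, against constructed data.

Added example, not part of the original mailing-list thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class FakeResolver:
    """Stand-in for the system resolver. All records here are constructed."""
    ptr: dict  # client IP -> hostname returned by the PTR lookup
    a: dict    # hostname  -> list of IPs returned by the A lookup

    def reverse(self, ip: str):
        return self.ptr.get(ip)

    def forward(self, name: str):
        return self.a.get(name, [])


def verify_reverse_mapping(ip: str, resolver: FakeResolver):
    """Return (ok, detail). ok is True only when PTR(ip) -> name and
    A(name) contains ip, i.e. the mapping is forward-confirmed."""
    ipaddress.ip_address(ip)  # reject garbage before touching DNS
    name = resolver.reverse(ip)
    if name is None:
        return False, "no PTR record for %s" % ip
    addrs = resolver.forward(name)
    if ip not in addrs:
        return False, "PTR %s does not map back to %s (A=%s)" % (name, ip, addrs)
    return True, name


# Constructed DNS data (hypothetical names and documentation-range IPs).
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": "shell.example.net",     # consistent forward/reverse
        "203.0.113.5": "trusted.example.net",  # PTR claims someone else's name
        "203.0.113.6": "box.attacker.example",  # attacker controls both zones
        # 198.51.100.7 deliberately has no PTR: the clueless-ISP case
    },
    a={
        "shell.example.net": ["192.0.2.10"],
        "trusted.example.net": ["192.0.2.20"],
        "box.attacker.example": ["203.0.113.6"],
    },
)

CLIENTS = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.6"]


def classify_clients(resolver: FakeResolver = RESOLVER, clients=CLIENTS):
    """Map each client IP to the (ok, detail) verdict sshd would reach."""
    return {ip: verify_reverse_mapping(ip, resolver) for ip in clients}


if __name__ == "__main__":
    for ip, (ok, detail) in classify_clients().items():
        print("%-14s %s  %s" % (ip, "ALLOW" if ok else "DENY ", detail))
```

Two of the four verdicts illustrate Matthew's reservations: the legitimate dialup user at 198.51.100.7 is denied purely because their ISP never populated the reverse zone, while 203.0.113.6 passes because whoever runs that address block also runs the forward zone for the name they chose. FCrDNS therefore tells you the DNS operator for that address is self-consistent, nothing more, which is why key-based authentication rather than a hostname check is the control that actually decides who logs in.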