Re: SSH Reverse DNS Lookup

2003-01-15 Thread Matthew Seaman
On Wed, Jan 15, 2003 at 03:59:20PM +, Rus Foster wrote:
> Hi All,
>  Basically a twofold question.
> 
> 1) How do I force sshd to do a reverse DNS lookup and deny the connection
> if it fails?

See sshd_config(5) --- the VerifyReverseMapping option looks like what
you need.

Alternately check the hosts_options(5) man page, and look at the usage
of 'PARANOID' in the default /etc/hosts.allow file.  ssh(1)
incorporates the tcpd functionality by default on FreeBSD.

> 2) I run a public shell account server. Do you think I'm asking for
> trouble by turning the option on?

In the sense of having loads of your users whining at you?  Probably.
A number of ISPs are fairly clueless about making sure their dialups
or ADSL customers have proper inverse entries in the DNS.  I'm not
sure that it's really going to add all that much to your security,
unless you use HostbasedAuthentication.  Of course, if you do that,
then you're pretty much S.O.L. security-wise, whatever you do.  Until
and unless the worldwide DNS implements some sort of cryptographically
strong authentication mechanism, it will remain way too easy to spoof
DNS data.

It would probably be better from your point of view to require all of
your users to use ssh's key-based authentication for remote login.
See the ssh-keygen(1) page for details.  Nb. don't use the SSH
protocol version 1 RSA1 stuff if you can avoid it --- it's pretty much
obsolete now and less secure than SSH protocol version 2.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614

26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
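The test that VerifyReverseMapping and the hosts_options(5) PARANOID wildcard perform is the same one: resolve the client address to a name, resolve that name forward again, and refuse unless the original address is among the results. The Python below is an added example, not code from the thread or from OpenSSH; the `SAMPLE_PTR`/`SAMPLE_A` zone data is constructed, and the `real_*` functions use the system resolver so the check can be run against an address before the option is enabled.

```python
import socket

# Constructed sample zone (not real DNS): address -> PTR name, name -> A records.
SAMPLE_PTR = {
    "192.0.2.10": "shell1.example.net",    # consistent forward/reverse pair
    "192.0.2.20": "dialup20.example.org",  # PTR names a host that resolves elsewhere
    # 192.0.2.30 deliberately has no PTR, like the address block Andrew describes
}
SAMPLE_A = {
    "shell1.example.net": ["192.0.2.10"],
    "dialup20.example.org": ["198.51.100.5"],
}


def sample_reverse(addr):
    """Stub PTR lookup over the constructed zone; fails like gethostbyaddr."""
    if addr not in SAMPLE_PTR:
        raise socket.herror(1, "no PTR record")
    return SAMPLE_PTR[addr]


def sample_forward(name):
    """Stub A lookup over the constructed zone; fails like gethostbyname_ex."""
    if name not in SAMPLE_A:
        raise socket.gaierror(-2, "no A record")
    return SAMPLE_A[name]


def real_reverse(addr):
    return socket.gethostbyaddr(addr)[0]          # canonical PTR name


def real_forward(name):
    return socket.gethostbyname_ex(name)[2]       # list of A records


def verify_reverse_mapping(addr, reverse=real_reverse, forward=real_forward):
    """Return (ok, detail): ok only when addr -> name -> addr round-trips."""
    try:
        name = reverse(addr)
    except OSError:                 # socket.herror/gaierror are OSError subclasses
        return False, "no reverse (PTR) entry"
    try:
        addrs = forward(name)
    except OSError:
        return False, "PTR name %s has no forward entry" % name
    if addr not in addrs:
        return False, "PTR name %s does not resolve back to %s" % (name, addr)
    return True, name
```

A user whose address yields the second or third result would be refused by sshd with VerifyReverseMapping turned on, which is the lock-out risk discussed in this thread.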



Re: SSH Reverse DNS Lookup

2003-01-15 Thread Andrew Brampton
I personally would be in trouble.
I use the UK ISP Plus.net and for at least 18 months now my IP hasn't had a
reverse DNS. Plus.net put this down to a problem with RIPE which they have
yet to be able to resolve. It's strange because it's only a certain block of
Plus.net's IPs, since my friends have a fully functional reverse DNS.

Andrew
- Original Message -
From: "Rus Foster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 15, 2003 3:59 PM
Subject: SSH Reverse DNS Lookup


> Hi All,
>  Basically a twofold question.
>
> 1) How do I force sshd to do a reverse DNS lookup and deny the connection
> if it fails?
>
> 2) I run a public shell account server. Do you think I'm asking for
> trouble by turning the option on?
>
> Cheers
>
> Rus
> --
> http://www.65535.net | MSN: [EMAIL PROTECTED]
>  Lifetime UNIX logins - Web Hosting
>  Offsite Backups - Remote System Monitoring





SSH Reverse DNS Lookup

2003-01-15 Thread Rus Foster
Hi All,
 Basically a twofold question.

1) How do I force sshd to do a reverse DNS lookup and deny the connection
if it fails?

2) I run a public shell account server. Do you think I'm asking for
trouble by turning the option on?

Cheers

Rus
-- 
http://www.65535.net | MSN: [EMAIL PROTECTED]
 Lifetime UNIX logins - Web Hosting
 Offsite Backups - Remote System Monitoring

