Nicolas Williams wrote:
> On Fri, Oct 31, 2008 at 12:09:11PM -0400, Kyle McDonald wrote:
> > VerifyReverseMapping
> >
> > Specifies whether sshd should try to verify the remote
> > host name and check that the resolved host name for the
> > remote IP address maps back to the very same IP address.
> > (A yes setting means "verify".) Setting this parameter
> > to no can be useful where DNS servers might be down and
> > thus cause sshd to spend much time trying to resolve the
> > client's IP address to a name. This feature is useful
> > for Internet-facing servers. The default is no.

I like the option. It should default "no" as it does. I think there ought to be more warning of the risks associated with "yes".

Kerberos is generally trying to move away from DNS dependencies like this because it allows a DoS attack (at least). The latest (non-Sun anyway) SSH/gssapi/keyex patches added an option for disabling DNS name canonicalization. While this option does not apply to Kerberos, I think the experience is applicable.

--
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
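The forward-confirmed reverse lookup that the quoted VerifyReverseMapping description refers to, and the delay it warns about when DNS is unavailable, as an added illustration that is not part of this thread and not sshd's own code. The resolver functions (`lookup_ptr`, `lookup_a`, `make_unreachable`) and the PTR/A records are constructed stand-ins for a real DNS resolver so the script runs offline; `verify_reverse_mapping` is a hypothetical name for the check.

```python
import ipaddress
import time

# Constructed sample DNS data standing in for a real resolver (not real hosts).
# 192.0.2.0/24 and 198.51.100.0/24 are reserved documentation prefixes.
REVERSE_RECORDS = {
    "192.0.2.10": "client.example.net",   # PTR and A records agree
    "192.0.2.20": "spoofed.example.net",  # PTR names a host whose A record points elsewhere
}
FORWARD_RECORDS = {
    "client.example.net": ["192.0.2.10"],
    "spoofed.example.net": ["198.51.100.7"],
}


def lookup_ptr(ip):
    """Simulated reverse (PTR) lookup; LookupError when no record exists."""
    if ip not in REVERSE_RECORDS:
        raise LookupError(f"no PTR record for {ip}")
    return REVERSE_RECORDS[ip]


def lookup_a(name):
    """Simulated forward (A) lookup; LookupError when no record exists."""
    if name not in FORWARD_RECORDS:
        raise LookupError(f"no A record for {name}")
    return FORWARD_RECORDS[name]


def make_unreachable(delay):
    """Return a resolver modelling a DNS server that is down: every query
    blocks for `delay` seconds and then times out (hypothetical helper)."""
    def resolver(_query):
        time.sleep(delay)
        raise TimeoutError(f"DNS query timed out after {delay}s")
    return resolver


def verify_reverse_mapping(ip, reverse=lookup_ptr, forward=lookup_a):
    """Forward-confirmed reverse DNS check, as the VerifyReverseMapping text
    describes: resolve ip -> name, then name -> addresses, and require that
    the original ip is among them. Returns (ok, reason, seconds_spent)."""
    start = time.monotonic()
    try:
        name = reverse(ip)
        addrs = forward(name)
    except (LookupError, TimeoutError) as exc:
        # Either step failing means the mapping could not be confirmed.
        return False, str(exc), time.monotonic() - start
    want = ipaddress.ip_address(ip)
    # Compare parsed addresses so textual differences (case, IPv6 zero
    # compression) do not produce false mismatches.
    ok = any(ipaddress.ip_address(a) == want for a in addrs)
    reason = f"{ip} -> {name} -> {addrs}: " + ("consistent" if ok else "mismatch")
    return ok, reason, time.monotonic() - start


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(verify_reverse_mapping(ip))
    # With the resolver down, every incoming connection pays the full timeout
    # before the check fails; this is the delay the option's text warns about.
    print(verify_reverse_mapping("192.0.2.10", reverse=make_unreachable(0.2)))
```

The last call shows the cost side of the option: when the resolver is unreachable, the check cannot succeed, and each connection attempt is held for the query timeout before sshd can proceed, which is why a host with unreliable DNS gains nothing from "yes" and pays for it in connection latency.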