Hi

On 22.07.2018 at 19:44, Christoph Anton Mitterer wrote:
> When libnss-mymachines it automatically adds the respective
> entries to /etc/nsswitch.conf and it seems to place
> "mymachines" after "dns".
>
> This is IMO bad (and actually even a security hole), as it would
> resolve DNS names before the mymachine names.
>
> The security hole lies in the fact that people will easily trust
> what runs locally in a VM/container, and e.g. not check SSH keys
> when connecting to that... however, if dns is resolved first
> it could point to any machine on the net.
>
>
> The libnss-mymachines itself suggests:
> It is recommended to place "mymachines" after the "files" or "compat"
> entry of the /etc/nsswitch.conf lines to make sure that its mappings
> are preferred over other resolvers such as DNS, but so that /etc/hosts,
> /etc/passwd and /etc/group based mappings take precedence.
>
>
>
> Could you please change that and add a NEWS.Debian entry so that
> people have the chance to catch up?
Just have a look at

- libnss-mymachines should be ordered before resolve
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851314
- libnss-mymachines: Add mymachine module to passwd and group
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825439
- libnss-mymachines: mymachines module shouldn't be inserted after myhostname one
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825438

It's a huge mess. It would be lovely if someone sorted this out and made
sure that nss-{resolve,mymachines,myhostname,systemd} are all inserted in
the correct order for arbitrary combinations of the packages.
A MR would be most welcome!

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
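An added example, not part of the thread and not code from the Debian systemd packaging: a small POSIX sh check that reads the hosts: line of an nsswitch.conf and fails when "mymachines" is missing, is listed before "files"/"compat", or comes after "dns"/"resolve" (the ordering the quoted recommendation asks for). The function names and the sample files in the usage are my own.

```shell
#!/bin/sh
# Added check (not from the thread): verify the position of "mymachines"
# on the hosts: line of an nsswitch.conf. Container names should be
# answered before DNS/resolved is consulted, but /etc/hosts (the "files"
# or "compat" module) should still take precedence over them.

# Print the 1-based position of module $2 among the modules on the "$1:"
# line of file $3 (bracketed action specs are not counted), or 0 if absent.
nss_module_pos() {
    db=$1; mod=$2; file=$3
    awk -v db="$db" -v mod="$mod" '
        $1 == (db ":") {
            n = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue   # skip e.g. [NOTFOUND=return]
                n++
                if ($i == mod) { print n; found = 1; exit }
            }
        }
        END { if (!found) print 0 }' "$file"
}

# Print OK and return 0 when the hosts: ordering is sane, else print the
# problem and return 1.
check_nsswitch_order() {
    file=$1
    [ -r "$file" ] || { echo "BAD: cannot read $file"; return 1; }
    mm=$(nss_module_pos hosts mymachines "$file")
    [ "$mm" -gt 0 ] || { echo "BAD: mymachines not on hosts line"; return 1; }
    # local files must still win over container names
    for loc in files compat; do
        p=$(nss_module_pos hosts "$loc" "$file")
        if [ "$p" -gt 0 ] && [ "$p" -gt "$mm" ]; then
            echo "BAD: mymachines listed before $loc"; return 1
        fi
    done
    # container names must win over network resolvers
    for net in dns resolve; do
        p=$(nss_module_pos hosts "$net" "$file")
        if [ "$p" -gt 0 ] && [ "$p" -lt "$mm" ]; then
            echo "BAD: $net consulted before mymachines"; return 1
        fi
    done
    echo "OK"
}

# Run as a script: check the given file (defaults to nothing when sourced).
if [ $# -gt 0 ]; then check_nsswitch_order "$1"; fi
```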
_______________________________________________ Pkg-systemd-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
