Re: [DNSOP] OpenSSH 6.8 will default UseDNS to no

2015-02-20 Thread John Kristoff
On Fri, 20 Feb 2015 14:12:50 -0500
Daniel Kahn Gillmor d...@fifthhorseman.net wrote:

> If there are other instances of popular software that does
> unreasonable or unsafe things with the DNS by default,

I think it is worth noting, again, that all OpenSSH does when UseDNS is
enabled is log a message when it detects that a connecting client's
address and the associated name, if any, do not match.

The 'POSSIBLE BREAK-IN ATTEMPT!' string is still part of the log message
generated in those mismatch cases when UseDNS is enabled (see
canohost.c).  So the on/off button was set to a different default, but
the spirit of your unreasonable-and-unsafe campaign missed effecting
change on a key part of the code.  Perhaps you could follow up and
advocate a change for that as well?

> If there are other instances of popular software that does
> unreasonable or unsafe things with the DNS by default,

It may be reasonable to advocate that the OpenSSH UseDNS option be
disabled by default, but one might then ask: when is it reasonable and
safe to use PTR queries and in-addr.arpa/ip6.arpa?  Hello, rat hole.

John

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
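The check John describes is a forward-confirmed reverse DNS lookup: resolve the client address to a name via PTR, resolve that name back to addresses, and log a mismatch. The following is an added example written for this archive, not code from OpenSSH or from anyone in the thread. It reimplements that comparison in Python over constructed PTR and A/AAAA tables (no real resolver is consulted), emits a log line of my own construction that carries the 'POSSIBLE BREAK-IN ATTEMPT!' string the thread mentions (only that string comes from the page; the rest of the wording and the sshd log layout are assumptions), and shows how a log reviewer can pull those mismatch events out of constructed sshd log lines. As John points out, a mismatch means only that the DNS data is inconsistent, which is how the example treats it.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data standing in for a resolver (assumption: these are not
# real zones; addresses come from the documentation ranges).
# PTR table: address -> name published in the reverse zone.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "host10.example.net",    # forward record agrees
    "192.0.2.20": "attacker.example.org",  # forward record points elsewhere
    "2001:db8::5": "v6host.example.net",
}
# A/AAAA table: name -> addresses published in the forward zone.
FORWARD_TABLE: Dict[str, List[str]] = {
    "host10.example.net": ["192.0.2.10"],
    "attacker.example.org": ["203.0.113.7"],
    "v6host.example.net": ["2001:db8::5"],
}


def lookup_ptr(addr: str) -> Optional[str]:
    """Stand-in for a PTR query against in-addr.arpa / ip6.arpa."""
    return PTR_TABLE.get(addr)


def lookup_forward(name: str) -> List[str]:
    """Stand-in for A/AAAA queries for the name the PTR returned."""
    return FORWARD_TABLE.get(name, [])


def forward_confirmed_name(
    addr: str,
    ptr: Callable[[str], Optional[str]] = lookup_ptr,
    fwd: Callable[[str], List[str]] = lookup_forward,
) -> Tuple[Optional[str], Optional[str]]:
    """Return (name, log_message).

    name is the PTR name only when a forward lookup confirms it maps back to
    addr; otherwise None.  log_message is a constructed mismatch line (None
    when there is no PTR or the forward lookup confirms the name).
    """
    ip = ipaddress.ip_address(addr)  # normalises case/zeros, e.g. 2001:DB8::5
    name = ptr(str(ip))
    if name is None:
        # No PTR record: nothing to compare, so nothing to log.
        return None, None
    confirmed = any(ipaddress.ip_address(a) == ip for a in fwd(name))
    if confirmed:
        return name, None
    # Constructed wording; only the trailing string is taken from the thread.
    msg = (f"Address {ip} maps to {name}, but this does not map back to the "
           f"address - POSSIBLE BREAK-IN ATTEMPT!")
    return None, msg


# Constructed sshd-style log lines (layout assumed, not captured from a host).
SAMPLE_LOG = """\
Feb 20 14:12:50 bastion sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Feb 20 14:13:02 bastion sshd[2240]: Address 192.0.2.20 maps to attacker.example.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 14:13:02 bastion sshd[2240]: Failed password for invalid user admin from 192.0.2.20 port 40011 ssh2
"""

MISMATCH_RE = re.compile(
    r"sshd\[\d+\]: Address (\S+) maps to (\S+), .*POSSIBLE BREAK-IN ATTEMPT!"
)


def find_mismatches(log_text: str) -> List[Tuple[str, str]]:
    """Extract (address, ptr_name) pairs from UseDNS mismatch log lines.

    The match says the reverse and forward zones disagree for that client;
    it is a DNS consistency finding, not evidence of an intrusion on its own.
    """
    return [(m.group(1), m.group(2)) for m in MISMATCH_RE.finditer(log_text)]


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "2001:DB8::5", "198.51.100.1"):
        print(client, forward_confirmed_name(client))
    print(find_mismatches(SAMPLE_LOG))
```

Both lookups are injectable so the same comparison can be pointed at a real stub resolver; the tables exist only so the example runs offline. Note that the forward lookup must be compared as parsed addresses rather than strings, otherwise an IPv6 PTR that is spelled differently from the AAAA record would be reported as a mismatch.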


Re: [DNSOP] OpenSSH 6.8 will default UseDNS to no

2015-02-20 Thread Paul Wouters
On Fri, 20 Feb 2015, Daniel Kahn Gillmor wrote:

> I reported that discussion to the OpenSSH development mailing list.  The
> next version of OpenSSH (v6.8) is now set to be released with the
> following change:
>
> * sshd(8): UseDNS now defaults to 'no'. Configurations that match
>   against the client host name (via sshd_config or authorized_keys)
>   may need to re-enable it or convert to matching against addresses.
>
>  http://marc.info/?l=openssh-unix-dev&m=142438449111563&w=2
>
> If there are other instances of popular software that does unreasonable
> or unsafe things with the DNS by default, please reach out to the

I have an issue with openssh :)

For 5+ years I've been trying to get them to use VerifyHostKeyDNS ask
in /etc/ssh/ssh_config :P

Sadly the fedora/rhel maintainer isn't willing to change it from the
default upstream.

Paul
