[OmniOS-discuss] OpenSSH and reverse DNS

Lauri Tirkkonen lotheac at iki.fi
Tue Nov 29 11:30:17 UTC 2016


On Tue, Nov 29 2016 10:47:10 +0100, Olaf Marzocchi wrote:
> Dear all,
> Since I upgraded to OpenSSH I have the following problem with DNS:
> reverse mapping checking getaddrinfo for hostxxx.retail.telecomitalia.it [_ip_] failed - POSSIBLE BREAK-IN ATTEMPT!
> The remote SSH server has always been OenSSH, the issue appeared when the client (OmniOS) got updated.

Strange - why would the server suddenly start caring about DNS checks if
the client was updated?

> I have no access to the DNS records. I already have a dynamic DNS configured, but the reverse one is out of my reach.
> 
> I found online possible solutions and I described the issue also here without success: http://superuser.com/questions/1149850/how-to-disable-the-message-reverse-mapping-checking-getaddrinfo-for-xxx-failed
>
> "UseDNS no" helped me to be able at least to connect, but still I cannot disable the warning. Since I launch daily rsync backups via cron, I get emails every morning without any real security issue (in my case).

"UseDNS no" sshd option should indeed resolve this -- my reading of
both the manual and code is that it prevents sshd from resolving client
addresses. If you have console access to the server try 'sshd -T | grep
usedns' to see if it actually is using the correct configuration file.

I guess that the sshd you're using could also be doing something weird,
but in stock 7.3p1 remote_hostname is only called from
auth_get_canonical_hostname, which always seems to get options.use_dns
from the caller.

-- 
Lauri Tirkkonen | lotheac @ IRCnet


More information about the OmniOS-discuss mailing list