[OmniOS-discuss] OpenSSH and reverse DNS
Dan McDonald
danmcd at omniti.com
Tue Nov 29 15:52:25 UTC 2016
> On Nov 29, 2016, at 6:50 AM, Lauri Tirkkonen <lotheac at iki.fi> wrote:
>
> On Tue, Nov 29 2016 13:30:17 +0200, Lauri Tirkkonen wrote:
>> On Tue, Nov 29 2016 10:47:10 +0100, Olaf Marzocchi wrote:
>>> Dear all,
>>> Since I upgraded to OpenSSH I have the following problem with DNS:
>>> reverse mapping checking getaddrinfo for hostxxx.retail.telecomitalia.it [_ip_] failed - POSSIBLE BREAK-IN ATTEMPT!
>
> Another interesting thing to note is that this particular log message
> was changed in 7.3:
> https://github.com/openssh/openssh-portable/commit/e690fe85750e93fca1fb7c7c8587d4130a4f7aba
>
> So it actually may be the *client* that is calling
> get_canonical_hostname (which is strange, because only sshd should be
> doing that). And so it is:
> https://github.com/omniti-labs/omnios-build/blob/master/build/openssh/patches/0015-GSS-API-key-exchange-support.patch#L1652
>
> The culprit is thus the GSSAPI patch (which I personally don't even
> agree with, but oh well). I think the option you need to disable in the
> client's ssh_config is GSSAPIKeyExchange.

That GSSAPI patch is there for people who needed it with SunSSH.

If the patch is problematic, it should be fixed. The illumos community is a good place to discuss this, even if the patch isn't part of illumos per se.

Dan