Re: Openssh-portable
From: Darren Pilgrim (dmp@pantherdragon.org)
Date: 07/26/02
- Next message: Kevin Steves: "Re: Openssh-portable"
- Previous message: Dag-Erling Smorgrav: "Re: openssh-portable again"
- In reply to: Travis L. Leuthauser: "RE: Openssh-portable"
- Next in thread: Kevin Steves: "Re: Openssh-portable"
- Reply: Kevin Steves: "Re: Openssh-portable"
Date: Thu, 25 Jul 2002 17:02:46 -0700
From: Darren Pilgrim <dmp@pantherdragon.org>
To: "Travis L. Leuthauser" <travis@bbipmail.com>

"Travis L. Leuthauser" wrote:
>
> As I understand, this is a known problem with openssh-portable when using
> privsep. Apparently after initiating privsep, sshd attempts to read
> /etc/resolv.conf, which it can't since chrooted to /var/empty. A workaround
> is to copy resolv.conf into /var/empty/etc. The only problem w/ this is
> that /var/empty is intended to be empty.

Or you can just put "VerifyReverseMapping no" in your sshd_config.
Relying on DNS consistency for any sort of client verification has
never seemed all that great of an idea to me. There are far too many
third parties, far too many poorly-managed zonefiles, and it is far
too easy to spoof, poison, and trash the DNS for it to be useful for
this purpose.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message