On Wednesday 28 November 2007, Dale wrote:

> Billy Holmes wrote:
> >
> > that's what the REMOTE machine will do after you connect to it, but
> > before you get a prompt. This can (normally) be configured on an
> > application basis to not do it.
>
> OK. I read most of it, what I could get a grip on anyway. Basically
> it looks to see if that IP address has a name too. Sort of silly but,
> whatever works I guess.

It does not stop there. It's usually used to prevent spoofing.

The complete process is more or less as follows: suppose you connect with
a spoofed IP address, then the remote end will do the reverse lookup to
find out your DNS name, do a forward lookup with the name it just found,
and see if the resulting IP is the one you are connecting from.

From man sshd_config:

    UseDNS  Specifies whether sshd(8) should look up the remote host name
            and check that the resolved host name for the remote IP address
            maps back to the very same IP address. The default is ``yes''.

--
gentoo-user@g.o mailing list
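The reverse-then-forward check the reply describes (what sshd's UseDNS does), written out as an added example; this is not code from the thread or from OpenSSH. The resolver is passed in as two callbacks so the same function runs against the system resolver or against the constructed zone table below (the 192.0.2.x addresses and .test names are made up for the demonstration).

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Resolver callbacks: reverse(ip) -> candidate host names, forward(name) -> addresses.
Reverse = Callable[[str], Iterable[str]]
Forward = Callable[[str], Iterable[str]]


def system_reverse(ip: str) -> List[str]:
    """PTR lookup via the system resolver; empty list when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []


def system_forward(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver; empty list on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def fcrdns_check(ip: str, reverse: Reverse = system_reverse,
                 forward: Forward = system_forward) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: reverse-resolve the connecting IP,
    forward-resolve each name found, and accept only if some name maps
    back to the very same IP. Returns (ok, matched name or reason)."""
    names = list(reverse(ip))
    if not names:
        return False, f"no PTR record for {ip}"
    for name in names:
        if ip in forward(name):          # a round-robin host may have several addresses
            return True, name
    return False, f"PTR name(s) {names} do not resolve back to {ip}"


# Constructed zone data (hypothetical hosts) standing in for the DNS.
_PTR = {"192.0.2.10": ["host.example.test"],
        "192.0.2.20": ["stale.example.test"],   # PTR names a host that has moved
        "192.0.2.30": ["multi.example.test"]}
_A = {"host.example.test": ["192.0.2.10"],
      "stale.example.test": ["192.0.2.99"],
      "multi.example.test": ["192.0.2.31", "192.0.2.30"]}


def table_reverse(ip: str) -> List[str]:
    return _PTR.get(ip, [])


def table_forward(name: str) -> List[str]:
    return _A.get(name, [])


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(peer, fcrdns_check(peer, table_reverse, table_forward))
```

Calling fcrdns_check(ip) with the defaults performs the two real lookups, which is also why a slow or unreachable resolver shows up as the delay before the prompt that the thread is about.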