| 1 |
On Wednesday 28 November 2007, Dale wrote: |
| 2 |
|
| 3 |
> Billy Holmes wrote: |
| 4 |
> > |
| 5 |
> > that's what the REMOTE machine will do after you connect to it, but |
| 6 |
> > before you get a prompt. This can (normally) be configured on an |
| 7 |
> > application basis to not do it. |
| 8 |
> |
| 9 |
> OK. I read most of it, what I could get a grip on anyway. Basically |
| 10 |
> it looks to see if that IP address has a name too. Sort of silly but, |
| 11 |
> whatever works I guess. |
| 12 |
|
| 13 |
It does not stop there. It's usually used to prevent spoofing. |
| 14 |
|
| 15 |
The complete process is more or less as follows: suppose you connect with |
| 16 |
a spoofed IP address, then the remote end will do the reverse lookup to |
| 17 |
find out your dns name, do a forward lookup with the name it just found, |
| 18 |
and see if the resulting IP is the one you are connecting from. |
| 19 |
|
| 20 |
From man sshd_config: |
| 21 |
|
| 22 |
UseDNS Specifies whether sshd(8) should look up the remote host name |
| 23 |
and check that the resolved host name for the remote IP address |
| 24 |
maps back to the very same IP address. The default is ``yes''. |
| 25 |
-- |
| 26 |
gentoo-user@g.o mailing list |
Archives