| Summary: | blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Sebastian Wyder <sw> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | New --- | | |
| Severity: | Affects Some People | CC: | cem, emaste, jlduran, mmpestorich, olevole |
| Priority: | --- | | |
| Version: | 12.1-RELEASE | | |
| Hardware: | amd64 | | |
| OS: | Any | | |
Description

Sebastian Wyder 2019-11-12 15:18:31 UTC

Thanks for the report, I will try to take a look shortly.

FreeBSD's default sshd configuration has:

    UseDNS yes

It instructs sshd to look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.

In the meantime, a potential workaround could be to set:

    UseDNS no

which is the default setting upstream. However, only addresses and not host names may be used in ~/.ssh/authorized_keys "from" and sshd_config "Match Host" directives.

I will, eventually, test the possibility of adding a few

    BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");

to auth.c (especially under remote_hostname()).
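Until sshd notifies blacklistd for these sessions, an administrator can at least see which failed logins also tripped the reverse-mapping check by scanning the sshd log. The following is an added example written for this report, not code from FreeBSD or OpenSSH; the log lines are constructed, and the message patterns are assumed from the wording OpenSSH's canohost.c uses when forward-confirmed reverse DNS fails (check them against your sshd version).

```python
import re
from collections import defaultdict

# Assumed wording of the two reverse-mapping failure messages sshd logs
# under "UseDNS yes"; both alternatives capture the peer address.
REVERSE_FAIL = re.compile(
    r"reverse mapping checking getaddrinfo for \S+ \[([0-9a-fA-F.:]+)\] failed"
    r"|Address ([0-9a-fA-F.:]+) maps to \S+, but this does not map back"
)
# Ordinary authentication failure line; captures the peer address.
AUTH_FAIL = re.compile(
    r"Failed (?:password|publickey|keyboard-interactive/pam) for "
    r"(?:invalid user )?\S+ from ([0-9a-fA-F.:]+)"
)

# Constructed sample log (documentation addresses only).
SAMPLE_LOG = """\
Nov 12 15:01:02 host sshd[1234]: reverse mapping checking getaddrinfo for bad.example.invalid [203.0.113.7] failed.
Nov 12 15:01:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 50122 ssh2
Nov 12 15:01:05 host sshd[1235]: Address 198.51.100.9 maps to host.example.invalid, but this does not map back to the address.
Nov 12 15:01:06 host sshd[1235]: Failed password for invalid user admin from 198.51.100.9 port 50130 ssh2
Nov 12 15:02:00 host sshd[1236]: Failed password for alice from 192.0.2.44 port 50140 ssh2
Nov 12 15:02:10 host sshd[1237]: Accepted publickey for bob from 192.0.2.45 port 50150 ssh2
""".splitlines()


def summarize(lines):
    """Count auth failures and reverse-mapping failures per peer address."""
    stats = defaultdict(lambda: {"auth_failures": 0, "reverse_mapping_failures": 0})
    for line in lines:
        m = REVERSE_FAIL.search(line)
        if m:
            stats[m.group(1) or m.group(2)]["reverse_mapping_failures"] += 1
            continue
        m = AUTH_FAIL.search(line)
        if m:
            stats[m.group(1)]["auth_failures"] += 1
    return dict(stats)


def uncounted_sources(stats):
    """Addresses that failed authentication after failing the reverse-mapping
    check: the attempts this report says blacklistd does not account for."""
    return sorted(a for a, s in stats.items()
                  if s["reverse_mapping_failures"] and s["auth_failures"])


if __name__ == "__main__":
    for addr in uncounted_sources(summarize(SAMPLE_LOG)):
        print(addr)
```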