Discussion:
Bug#867134: release-notes: mention OpenSSH UseDNS default change
Jeremy Volkening
2017-07-04 04:20:01 UTC
Package: release-notes
Severity: important

Dear Maintainer,

The version of OpenSSH server shipping with stretch has a new default
for "UseDNS" which can cause major issues with configurations utilizing
hostname matching. This should be mentioned in the stretch release notes
as it was, for instance, in the Ubuntu Xenial release:

https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#OpenSSH

Further details follow.

After upgrading a headless server from jessie to stretch, I was unable
to log in via SSH. I was eventually able to track this down to the issue
linked above and the fact that I was using the pam_access module along
with hostnames as part of authentication. With the new "UseDNS" default
of "no", the IP addresses were not being reverse resolved to hostnames
and the pam_access rule failed, preventing login. Explicitly adding
"UseDNS yes" to "sshd_config" changed the behavior to the previous
default and restored expected functionality.

The first place I looked when encountering this problem was the stretch
release notes and I believe the change should be mentioned there.

Regards,
Jeremy


-- System Information:
Debian Release: 8.8
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
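
An added example, not part of the original bug report or of Debian's tooling: a pre-upgrade check for the failure described above, listing the pam_access origins in access.conf that are written as hostnames when the effective UseDNS value is not "yes". The sample file contents, the function names and the dotted-name heuristic are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the report).
SSHD_SAMPLE = "PermitRootLogin no\n#UseDNS yes\n"
ACCESS_SAMPLE = """\
# constructed sample
+ : admin : bastion.example.org 192.0.2.10
+ : root : 2001:db8::1 LOCAL
- : ALL EXCEPT admin : .example.net
- : ALL : ALL
"""
KEYWORDS = {"ALL", "LOCAL", "NONE", "EXCEPT"}

def effective_usedns(sshd_config, default="no"):
    # First global value wins; "no" is the new default the report describes.
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # only the global section is inspected
        if parts[0].lower() == "usedns" and len(parts) == 2:
            return parts[1].strip('"').lower()
    return default

def is_hostname_origin(tok):
    # Heuristic: dotted, non-numeric names. Dotless short hostnames are
    # not distinguished from tty or service names and are not flagged.
    addr = tok.split("/", 1)[0]
    if (tok.upper() in KEYWORDS or tok.startswith("@") or "." not in tok
            or re.fullmatch(r"[0-9.]+", addr)):
        return False
    try:
        ipaddress.ip_address(addr)  # e.g. IPv4-mapped IPv6 literals
    except ValueError:
        return True
    return False

def hostname_rules(access_conf):
    # access.conf lines are permission:users:origins; IPv6 origins contain
    # colons, so split at most twice. Returns (line number, permission, origin).
    hits = []
    for n, raw in enumerate(access_conf.splitlines(), 1):
        fields = raw.strip().split(":", 2)
        if raw.lstrip().startswith("#") or len(fields) != 3:
            continue
        for tok in re.split(r"[,\s]+", fields[2].strip()):
            if is_hostname_origin(tok):
                hits.append((n, fields[0].strip(), tok))
    return hits

def audit(sshd_config, access_conf):
    # Empty list: UseDNS is explicitly "yes" or no hostname origins exist.
    if effective_usedns(sshd_config) == "yes":
        return []
    return hostname_rules(access_conf)
```

Both "+" and "-" rules are reported, since either kind stops matching on the hostname in the scenario the report describes.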
Debian Bug Tracking System
2017-09-24 20:10:02 UTC
Your message dated Sun, 24 Sep 2017 22:00:37 +0200
with message-id <***@mailoo.org>
and subject line Re: Bug#867134: release-notes: mention OpenSSH UseDNS default change
has caused the Debian Bug report #867134,
regarding release-notes: mention OpenSSH UseDNS default change
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
867134: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867134
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems