"reverse mapping checking getaddrinfo" and "POSSIBLE BREAK-IN ATTEMPT" error messages via SSH

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (All Releases)
  • SSH client
  • sshd Secure Shell Daemon

Issue

  • reverse mapping checking getaddrinfo and POSSIBLE BREAK-IN ATTEMPT error messages via SSH
  • SSH from client to server produces the following results:
$ ssh hostname
reverse mapping checking getaddrinfo for client.example.com [10.0.0.1] failed - POSSIBLE BREAK-IN ATTEMPT!
username@hostname password: 

Resolution

There are several ways to resolve this issue:

  • Set up a Reverse DNS Record (aka PTR Record) for the SSH client.
  • Ensure UseDNS no and GSSAPIAuthentication no are set in /etc/ssh/sshd_config on the SSH server, then restart sshd.
  • Confirm that /etc/hosts on the SSH server has an entry for the SSH client IP address and hostname.

Root Cause

  • There is (most likely) no "attack" occurring when this message is displayed.
  • The SSH client's Reverse DNS (PTR) Record does not match the hostname which the client uses to identify itself.
  • This may be because there is no Reverse DNS Record, or the Reverse DNS record is different.
  • These messages are common, especially for public internet connections where the SSH client does not have any control over its Reverse DNS Record.
  • If the SSH server's /etc/hosts file contains a different IP address or hostname for the SSH client, this difference in lookup can occur in sshd without any external DNS query. The order of lookup depends on the hosts entry in /etc/nsswitch.conf.
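
To see which of the causes above applies to a given client, the following added example (not Red Hat's or OpenSSH's code) approximates the lookup sequence: it resolves the client IP to a name, then resolves that name back and checks that the IP is among the results. Run on the SSH server, it uses the system resolver and so follows the same /etc/hosts and /etc/nsswitch.conf order; the function names, status strings and sample records are assumptions made for illustration.

```python
import ipaddress
import socket
import sys

def nss_reverse(ip):
    """IP -> name via the system resolver (NSS order from nsswitch.conf)."""
    return socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)[0]

def nss_forward(name):
    """Name -> all addresses the system resolver returns for it."""
    return [ai[4][0] for ai in socket.getaddrinfo(name, None)]

def check_reverse_mapping(ip, reverse=nss_reverse, forward=nss_forward):
    """Approximate the UseDNS check: PTR lookup, then forward-confirm it."""
    want = ipaddress.ip_address(ip)
    try:
        name = reverse(ip)
    except OSError:                      # no PTR record / no hosts entry
        return "no-ptr", None
    try:
        addrs = forward(name)
    except OSError:                      # PTR name does not resolve: the
        return "forward-failed", name    # failure shown in the Issue section
    found = {ipaddress.ip_address(a.split("%")[0]) for a in addrs}
    return ("ok" if want in found else "mismatch"), name

# Constructed sample data (not real records) so the demo runs offline.
SAMPLE_PTR = {"10.0.0.1": "client.example.com", "10.0.0.2": "moved.example.com",
              "10.0.0.3": "good.example.com"}
SAMPLE_A = {"moved.example.com": ["10.0.0.99"], "good.example.com": ["10.0.0.3"]}

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[ip]

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("name does not resolve")
    return SAMPLE_A[name]

if __name__ == "__main__":
    if len(sys.argv) > 1:                # real lookup on this host
        for ip in sys.argv[1:]:
            print(ip, *check_reverse_mapping(ip))
    else:                                # offline demo on constructed data
        for ip in ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]:
            print(ip, *check_reverse_mapping(ip, sample_reverse, sample_forward))
```

Pass one or more client IP addresses as arguments to query the real resolver; with no arguments it runs against the constructed sample records only.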
