Silencing pointless reverse DNS warnings from OpenSSH

If you’ve been using SSH for long you’ve probably seen this at least once: Address 11.22.33.44 maps to www.foobar.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sometimes this is helpful. Sometimes this is really annoying and incorrect. Assuming you are a moderately well-informed sysadmin and know that this message can safely be ignored, you might have been stumped trying to silence it. You may have tried every option in man ssh_options and even some of your own (STFU on?). I think I may be able to help.

First, let’s make sure we understand the situation. OpenSSH is trying to protect you from an exploit. If you are connecting via SSH to www.foobar.com for the first time, you may be vulnerable to a man-in-the-middle attack. If the forward and reverse DNS don’t match, that might be a sign that this sort of attack is being attempted.
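The check behind that warning, as an added example (not code from the original post): it performs the same forward/reverse comparison OpenSSH does, so you can confirm that the mismatch is the one you already know about before you silence anything. It assumes getent(1) is available; the address and host name are the constructed ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the forward/reverse DNS
# consistency check that produces the "does not map back" warning.
# Assumes getent(1) (glibc/musl). Names and addresses used are constructed.

# rdns_mismatch ADDR PTR_NAME FORWARD_ADDRS
# Pure comparison, no network: returns 0 (true) when the forward records of the
# PTR name do NOT include ADDR, i.e. the situation OpenSSH complains about;
# returns 1 when ADDR round-trips cleanly.
rdns_mismatch() {
    addr=$1
    name=$2
    forward=$3
    for a in $forward; do
        [ "$a" = "$addr" ] && return 1
    done
    return 0
}

# resolve_ptr ADDR: prints the PTR name for ADDR (empty if there is none)
resolve_ptr() {
    getent hosts "$1" | awk 'NR == 1 { print $2 }'
}

# resolve_forward NAME: prints the addresses NAME resolves to, one per line
resolve_forward() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# check_address ADDR: run the live lookups and report the way sshd would
check_address() {
    addr=$1
    name=$(resolve_ptr "$addr")
    if [ -z "$name" ]; then
        echo "$addr has no PTR record (OpenSSH would log a reverse-mapping failure)"
        return 2
    fi
    forward=$(resolve_forward "$name" | tr '\n' ' ')
    if rdns_mismatch "$addr" "$name" "$forward"; then
        echo "Address $addr maps to $name, but $name resolves to: ${forward:-<nothing>}"
        return 1
    fi
    echo "$addr <-> $name round-trips cleanly"
    return 0
}

# Usage: sh dnscheck.sh 11.22.33.44   (the post's constructed example address)
if [ -n "$1" ]; then
    check_address "$1"
fi
```

Exit status 1 from check_address is exactly the case the post is about: a PTR record exists but the name it points at does not resolve back to the address. Status 2 (no PTR at all) is the other variant OpenSSH logs, and is worth distinguishing because it usually means a provider simply never created the record.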

If you’re sure you know what you’re doing, though, and your OpenSSH client is warning you about a situation that you already know about, then try the SSH option:

(I figured this out by using the -vv option to the SSH command line client. It says Next authentication method: gssapi-with-mic right before the error.)

In my case the client and server are already acquainted via mutual public key exchange (client has known_hosts for the server, and server has authorized_keys for the client) so whether or not the DNS entries look hinky is immaterial. I’m in the process of migrating from one hosting environment to another so I can’t “fix” the DNS situation for another couple of weeks. Meanwhile I’m getting these warnings every hour in an email to root, which is annoying, as it currently forwards to me. And since I’m not using GSSAPI, turning it off is fine also.

Please do make sure you know that your situation is secure before disabling warnings like this. OK now I’ve said it enough times, make the annoying warnings go away.
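As an added example (not from the original post), a small shell helper that scopes the change to the one host you have already verified out of band, rather than turning GSSAPI off for every connection: it appends a Host stanza setting the GSSAPIAuthentication client option to no in a client config file, and can check that the stanza is present. The host name and config path are assumptions; ssh -G, suggested for confirmation, is OpenSSH's own dump of the effective options (available since OpenSSH 6.8).

```shell
#!/bin/sh
# Added example, not from the original post: add a per-host ssh_config stanza
# that disables GSSAPI authentication for one host only, and verify it.
# The host and file names are constructed; GSSAPIAuthentication is the real option.

# gssapi_disabled_for HOST CONFIG_FILE
# Returns 0 if CONFIG_FILE has a "Host HOST" block containing
# "GSSAPIAuthentication no" (keywords are case-insensitive in ssh_config).
gssapi_disabled_for() {
    host=$1
    cfg=$2
    [ -f "$cfg" ] || return 1
    awk -v want="$host" '
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
        }
        inblock && tolower($1) == "gssapiauthentication" && tolower($2) == "no" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$cfg"
}

# disable_gssapi_for HOST CONFIG_FILE
# Appends a Host block for HOST unless the file already disables GSSAPI for it,
# so it can be run repeatedly (e.g. from a provisioning script) without duplicates.
disable_gssapi_for() {
    host=$1
    cfg=$2
    if gssapi_disabled_for "$host" "$cfg"; then
        return 0
    fi
    mkdir -p "$(dirname "$cfg")"
    printf '\nHost %s\n    GSSAPIAuthentication no\n' "$host" >> "$cfg"
    chmod 600 "$cfg"   # ssh refuses world-readable client configs in some setups
}

# Usage (constructed host; the path is the usual per-user client config):
#   disable_gssapi_for www.foobar.com "${HOME}/.ssh/config"
# Confirm with OpenSSH itself (6.8 or newer):
#   ssh -G www.foobar.com | grep -i gssapiauthentication
```

Keeping the setting under a Host block means the default stays in force for every other destination, so a genuine forward/reverse mismatch on a host you have not vetted still produces the warning.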

5 thoughts on “Silencing pointless reverse DNS warnings from OpenSSH”

  1. Thank you thank you thank you thank you thank you.

    We routinely ssh to systems hosted by a provider that is notoriously bad about maintaining proper PTR records, so I’m accustomed to seeing the POSSIBLE BREAK-IN ATTEMPT! messages every time I log in. There isn’t much point in having the provider fix the way the systems are listed in DNS because we’re the only people that access these systems in this manner. We have scripts that access multiple systems in an automated fashion and provide information. The POSSIBLE BREAK-IN ATTEMPT messages really mess up the way the information is presented. We could use 2> /dev/null, of course, but this (turning off GSSAPIAuthentication) is a better way to do it.
