On 27.12.2013 14:52, Dan Mahoney, System Admin wrote:
> On Thu, 26 Dec 2013, Dan Kaminsky wrote:
>
>> The deal is that IP addresses are useless, host names are useful, but host name spoofing is actually a real thing that real attackers do. So, either you don't log, you log hacker-controlled data, or you UseDNS. OpenSSH, optimizing for security, chooses the last of these options.
>
> I think the point here is that there's no option for OpenSSH to then *drop
> the connection* or refuse it. OpenSSH *checks*, but does not
> *enforce* anything. Sendmail will refuse to relay if my forward and
> reverse DNS don't match. If I have an Allow From *.example.edu in
> my apache config, apache requires them both to match or it won't
> let me in. OpenSSH will clutter my logs and do nothing else.

Refusing such connections makes perfect sense in unauthenticated SMTP. Doing so will get rid of a large fraction of spam, with virtually no false positives.

It makes no sense in SSH. You'd never want to refuse a connection which has the correct password or key just because it came from an IP address that doesn't have reversible DNS.

This WHOLE THING IS A MISFEATURE that shouldn't exist in the code, let alone be turned on by default. There is no reason for ssh to "use DNS" except in the client to resolve server addresses.

Using DNS wastes TIME when you're logging in, creating a useless pause (which can be long if there is some DNS issue). LOOK AT THE GOOGLE SEARCH FOR "SLOW SSH LOGIN" [1]. Countless people have been bitten by long pauses when trying to log in to a server, and the culprit is the DNS lookup.

I don't want to read manuals in order to discover software misfeatures and turn them off. Default configurations should be high-performing, secure, and free of misfeatures.

Links:
------
[1] https://www.google.ca/search?q=slow+ssh+login
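The check the thread is arguing about (reverse-resolve the client IP, then forward-resolve the resulting name and accept it only if it maps back to the same IP, so that a log line never contains a name the remote side controls) is shown below as an added example. This is not OpenSSH's code and not the poster's; the resolver is injected so the example runs offline against constructed PTR and A records, and `confirmed_hostname`, `log_identity`, `system_reverse` and `system_forward` are names chosen here.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as a logging decision.

Added illustration, not OpenSSH source. The resolver functions are
injected so the logic can be exercised offline with constructed records;
the two `system_*` helpers wrap the real resolver for interactive use.
"""
import socket
from typing import Callable, Iterable, Optional

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ForwardLookup = Callable[[str], Iterable[str]]   # name -> A/AAAA addresses


def confirmed_hostname(ip: str, reverse: ReverseLookup,
                       forward: ForwardLookup) -> Optional[str]:
    """Return the PTR name for `ip` only if it forward-resolves back to `ip`.

    A PTR record is published by whoever controls the reverse zone for the
    client's address, so on its own it is attacker-chosen data. Requiring
    the forward lookup to agree means the name's owner also has to vouch
    for the address before it is trusted for logging.
    """
    name = reverse(ip)
    if not name:
        return None
    try:
        addresses = set(forward(name))
    except OSError:
        # NXDOMAIN or resolver failure: treat as unconfirmed.
        return None
    return name if ip in addresses else None


def log_identity(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> str:
    """What to write in a log line: 'name [ip]' if confirmed, else the bare ip."""
    name = confirmed_hostname(ip, reverse, forward)
    return f"{name} [{ip}]" if name else ip


# --- constructed records for offline demonstration (not real DNS data) ---
CONSTRUCTED_PTR = {
    "192.0.2.10": "mail.example.edu",        # forward record agrees
    "192.0.2.20": "spoof.trusted.example",   # PTR names a host that points elsewhere
    "198.51.100.5": None,                    # no PTR at all
}
CONSTRUCTED_A = {
    "mail.example.edu": ["192.0.2.10"],
    "spoof.trusted.example": ["203.0.113.7"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def fake_forward(name: str) -> Iterable[str]:
    if name not in CONSTRUCTED_A:
        raise OSError("NXDOMAIN")           # mimic resolver failure
    return CONSTRUCTED_A[name]


# --- real-resolver wrappers; these do network I/O and may block ---
def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name: str) -> Iterable[str]:
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


if __name__ == "__main__":
    for client_ip in CONSTRUCTED_PTR:
        print(f"{client_ip:>14} -> {log_identity(client_ip, fake_reverse, fake_forward)}")
```

The second constructed record is the case the quoted message calls host name spoofing: the PTR claims a trustworthy-looking name, but that name's own address record points somewhere else, so the function falls back to logging the IP. The `system_*` wrappers are where the login delay the poster complains about would come from, since a resolver that is unreachable or slow stalls both calls.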