In the dnsop (DNS Operations) working group at the IETF meeting today, there was a strong sense in the room that OpenSSH's sshd should not be checking reverse DNS of clients during connection by default, since it provides no real security benefit. This patch changes the default for UseDNS from "yes" to "no". --- servconf.c | 2 +- sshd_config | 2 +- sshd_config.5 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/servconf.c b/servconf.c index b317e9c..93ea0cf 100644 --- a/servconf.c +++ b/servconf.c @@ -290,7 +290,7 @@ fill_default_server_options(ServerOptions *options) if (options->max_sessions == -1) options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) - options->use_dns = 1; + options->use_dns = 0; if (options->client_alive_interval == -1) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) diff --git a/sshd_config b/sshd_config index e9045bc..9ac96f3 100644 --- a/sshd_config +++ b/sshd_config @@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox # Default for new installations. #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 -#UseDNS yes +#UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no diff --git a/sshd_config.5 b/sshd_config.5 index 43cc826..93cd581 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -1304,7 +1304,7 @@ should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is -.Dq yes . +.Dq no . .It Cm UseLogin Specifies whether .Xr login 1 -- 2.1.1 _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
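Review bot: The servconf.c hunk changes behaviour for every existing installation that never set UseDNS, not only for new ones, since the `-1` fallback in fill_default_server_options is what unconfigured servers hit; the commit message records the rationale (dnsop discussion, no real security benefit) but nothing in the tree tells an upgrading administrator that `UseDNS yes` must now be set explicitly to keep the old behaviour. Suggest a release-note or ChangeLog entry alongside the code, on the lines of: sshd(8): UseDNS now defaults to "no"; set "UseDNS yes" to retain reverse-lookup checking.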
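Review bot: The sshd_config.5 hunk flips the documented default but stops one sentence short: the surrounding text says what the lookup and the reverse-mapping check do, not what an administrator loses when it is off. With the new default sshd never obtains a name for the client at all, so the entry should say that configuration which matches on the remote host name rather than on its address will not see a name unless UseDNS is set to yes; for example, after `.Dq no .` add a line such as `If set to .Dq no , only addresses and not host names may be used to match the client.`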
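The check that UseDNS turns on is the one the man page text in the patch describes: resolve the client address to a name, then resolve that name forward and require the original address to appear. The following is an added example, not OpenSSH code, that models that check with an injectable resolver so it runs offline against constructed PTR and A zones; the host names and the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are hypothetical, and `system_reverse`/`system_forward` are optional wrappers over the real resolver for anyone who wants to run it against live DNS. The third constructed entry shows why the check is not a security control: a client whose operator controls both its PTR record and a forward zone passes it with whatever name they like.

```python
"""Model of the reverse-mapping check sshd performs when UseDNS is "yes".

Added example, not OpenSSH code. The resolver is injected so the logic can be
exercised offline against constructed zones; PTR_ZONE and A_ZONE below are
made up (hypothetical names, documentation address ranges).
"""
import socket
from typing import Callable, Dict, List, Optional

Reverse = Callable[[str], Optional[str]]   # address -> PTR name, or None
Forward = Callable[[str], List[str]]       # name -> A/AAAA addresses

# Constructed PTR (address -> name) and A (name -> addresses) data.
PTR_ZONE: Dict[str, str] = {
    "192.0.2.10": "host10.example.net",         # honest host: forward record agrees
    "192.0.2.11": "bastion.corp.example",       # PTR names a host its owner does not control
    "198.51.100.5": "trusted.attacker.example", # operator controls PTR and the forward zone
}
A_ZONE: Dict[str, List[str]] = {
    "host10.example.net": ["192.0.2.10"],
    "bastion.corp.example": ["203.0.113.7"],
    "trusted.attacker.example": ["198.51.100.5"],
}


def zone_reverse(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed PTR data."""
    return PTR_ZONE.get(ip)


def zone_forward(name: str) -> List[str]:
    """Forward lookup against the constructed A data."""
    return A_ZONE.get(name, [])


def system_reverse(ip: str) -> Optional[str]:
    """Reverse lookup through the real resolver (network access needed)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror is an OSError subclass
        return None


def system_forward(name: str) -> List[str]:
    """Forward lookup through the real resolver (network access needed)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:          # socket.gaierror is an OSError subclass
        return []


def reverse_mapping_check(ip: str, reverse: Reverse = zone_reverse,
                          forward: Forward = zone_forward) -> Optional[str]:
    """Return the name sshd would accept for `ip`, or None.

    Mirrors the man page wording: look up the remote host name, then check
    that the name resolves back to the very same address.  No PTR, or a
    forward record that does not contain `ip`, means the name is rejected
    and sshd keeps using the address.
    """
    name = reverse(ip)
    if name is None:
        return None
    if ip not in forward(name):
        return None
    return name


def client_host(ip: str, use_dns: bool, reverse: Reverse = zone_reverse,
                forward: Forward = zone_forward) -> str:
    """The identifier sshd ends up with for the client under each default.

    With UseDNS no (the patched default) it is always the address; with
    UseDNS yes it is the PTR name when the round trip succeeds, else the
    address.
    """
    if not use_dns:
        return ip
    return reverse_mapping_check(ip, reverse, forward) or ip


if __name__ == "__main__":
    for addr in PTR_ZONE:
        print(f"{addr:14}  UseDNS=yes -> {client_host(addr, True):26}"
              f"  UseDNS=no -> {client_host(addr, False)}")
```

Note that "198.51.100.5" passes the round trip and is presented as "trusted.attacker.example": the check only filters out PTR names whose forward zone the client's operator does not also control, so a passing name carries no more authority than the address it came from. That is the "no real security benefit" the commit message refers to.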