[PATCH] UseDNS should default to "no"

In the dnsop (DNS Operations) working group at the IETF meeting today,
there was a strong sense in the room that OpenSSH's sshd should not be
checking reverse DNS of clients during connection by default, since it
provides no real security benefit.

This patch changes the default for UseDNS from "yes" to "no".
---
 servconf.c    | 2 +-
 sshd_config   | 2 +-
 sshd_config.5 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/servconf.c b/servconf.c
index b317e9c..93ea0cf 100644
--- a/servconf.c
+++ b/servconf.c
@@ -290,7 +290,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->max_sessions == -1)
 		options->max_sessions = DEFAULT_SESSIONS_MAX;
 	if (options->use_dns == -1)
-		options->use_dns = 1;
+		options->use_dns = 0;
 	if (options->client_alive_interval == -1)
 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
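Review bot: the flip from 1 to 0 here is the only place the effective default changes, and it agrees with the `#UseDNS no` comment and the `.Dq no` man page hunks that follow; because the `options->use_dns == -1` sentinel for "unset" is kept, an explicit `UseDNS yes` in sshd_config still restores the lookup for deployments that depend on reverse-DNS matching, so nothing more is needed in this file.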
diff --git a/sshd_config b/sshd_config
index e9045bc..9ac96f3 100644
--- a/sshd_config
+++ b/sshd_config
@@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
-#UseDNS yes
+#UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
diff --git a/sshd_config.5 b/sshd_config.5
index 43cc826..93cd581 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1304,7 +1304,7 @@ should look up the remote host name and check that
 the resolved host name for the remote IP address maps back to the
 very same IP address.
 The default is
-.Dq yes .
+.Dq no .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
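Review bot: the man page now states a "no" default but the surrounding paragraph still only describes what the lookup does, not what is lost when it is off; since this change alters behaviour for existing installations, the commit message and this section should say that host-name based matching (from= patterns in authorized_keys and Match Host blocks) no longer works by name once the default is "no", and that such configurations must set `UseDNS yes` explicitly. A sentence after "The default is .Dq no ." along the lines of "When disabled, only addresses and not host names may be used in authorized_keys from and Match Host directives." would document the trade-off for administrators.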
-- 
2.1.1

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev