Is it still doing the reverse DNS, and *logging* the result, unless you use 'sshd -u0'? There's a noticeable difference between doing a reverse DNS for mere logging purposes, which can be very burdensome in some high performance situations where you don't control external NAT reverse DNS space, and *verifying* that the reverse DNS matches. For various performance reasons when managing hundreds or thousands of servers from a single SSH *push* host, I wound up setting their init scripts to use 'sshd -u0'. That trick dates back to..... 2000, for me.

On Tue, Nov 11, 2014 at 10:09 PM, Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> wrote:
> In the dnsop (DNS Operations) working group at the IETF meeting today,
> there was a strong sense in the room that OpenSSH's sshd should not be
> checking reverse DNS of clients during connection by default, since it
> provides no real security benefit.
>
> This patch changes the default for UseDNS from "yes" to "no".
> ---
> servconf.c | 2 +-
> sshd_config | 2 +-
> sshd_config.5 | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/servconf.c b/servconf.c
> index b317e9c..93ea0cf 100644
> --- a/servconf.c
> +++ b/servconf.c
> @@ -290,7 +290,7 @@ fill_default_server_options(ServerOptions *options)
> if (options->max_sessions == -1)
> options->max_sessions = DEFAULT_SESSIONS_MAX;
> if (options->use_dns == -1)
> - options->use_dns = 1;
> + options->use_dns = 0;
> if (options->client_alive_interval == -1)
> options->client_alive_interval = 0;
> if (options->client_alive_count_max == -1)
> diff --git a/sshd_config b/sshd_config
> index e9045bc..9ac96f3 100644
> --- a/sshd_config
> +++ b/sshd_config
> @@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> -#UseDNS yes
> +#UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
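Review bot: in the servconf.c hunk, the commit message should state what `options->use_dns = 0` actually switches off, not only that the check "provides no real security benefit". From the hunk alone it is not clear whether the new default skips the reverse lookup entirely or only the forward-confirmation step that follows it, and the reply above asks exactly that question (whether sshd still resolves and logs the client name unless it is started with `sshd -u0`). One sentence in the message answering it would tell operators who tune this for latency whether the default change is enough on its own.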
> diff --git a/sshd_config.5 b/sshd_config.5
> index 43cc826..93cd581 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -1304,7 +1304,7 @@ should look up the remote host name and check that
> the resolved host name for the remote IP address maps back to the
> very same IP address.
> The default is
> -.Dq yes .
> +.Dq no .
> .It Cm UseLogin
> Specifies whether
> .Xr login 1
> --
> 2.1.1
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
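Review bot: in the sshd_config.5 hunk, swapping `.Dq yes .` for `.Dq no .` is the only documentation change, so the UseDNS entry still describes the lookup-and-check ("should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address") without saying what changes when the option is off. Since this alters a long-standing documented default, the entry should add a sentence on whether "no" suppresses the lookup itself or only the check, and note that the separate `sshd -u0` control raised in the reply is what governs name lookups done for logging, so readers do not assume UseDNS no removes all reverse DNS activity.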