Re: [PATCH] UseDNS should default to "no"

Is it still doing the reverse DNS, and *logging* the result, unless
you use 'sshd -u0'? There's a noticeable difference between doing a
reverse DNS for mere logging purposes, which can be very burdensome
in some high performance situations where you don't control external
NAT reverse DNS space, and *verifying* that the reverse DNS matches.

For various performance reasons when managing hundreds or thousands of
servers from a single SSH *push* host, I wound up setting their init
scripts to use 'sshd -u0'. That trick dates back to..... 2000, for me.

On Tue, Nov 11, 2014 at 10:09 PM, Daniel Kahn Gillmor
<dkg@xxxxxxxxxxxxxxxxx> wrote:
> In the dnsop (DNS Operations) working group at the IETF meeting today,
> there was a strong sense in the room that OpenSSH's sshd should not be
> checking reverse DNS of clients during connection by default, since it
> provides no real security benefit.
>
> This patch changes the default for UseDNS from "yes" to "no".
> ---
>  servconf.c    | 2 +-
>  sshd_config   | 2 +-
>  sshd_config.5 | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/servconf.c b/servconf.c
> index b317e9c..93ea0cf 100644
> --- a/servconf.c
> +++ b/servconf.c
> @@ -290,7 +290,7 @@ fill_default_server_options(ServerOptions *options)
>         if (options->max_sessions == -1)
>                 options->max_sessions = DEFAULT_SESSIONS_MAX;
>         if (options->use_dns == -1)
> -               options->use_dns = 1;
> +               options->use_dns = 0;
>         if (options->client_alive_interval == -1)
>                 options->client_alive_interval = 0;
>         if (options->client_alive_count_max == -1)
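Review bot: The flipped fallback from `options->use_dns = 1;` to `options->use_dns = 0;` only takes effect when the option is still at its -1 sentinel (the `if (options->use_dns == -1)` test just above), so hosts with an explicit `UseDNS yes` are unaffected; the commit message should say so, and should spell out the operational change for hosts that relied on the old default: no reverse lookup is performed, so only client addresses, not host names, will be logged and be available for host-name matching.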
> diff --git a/sshd_config b/sshd_config
> index e9045bc..9ac96f3 100644
> --- a/sshd_config
> +++ b/sshd_config
> @@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox              # Default for new installations.
>  #Compression delayed
>  #ClientAliveInterval 0
>  #ClientAliveCountMax 3
> -#UseDNS yes
> +#UseDNS no
>  #PidFile /var/run/sshd.pid
>  #MaxStartups 10:30:100
>  #PermitTunnel no
> diff --git a/sshd_config.5 b/sshd_config.5
> index 43cc826..93cd581 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -1304,7 +1304,7 @@ should look up the remote host name and check that
>  the resolved host name for the remote IP address maps back to the
>  very same IP address.
>  The default is
> -.Dq yes .
> +.Dq no .
>  .It Cm UseLogin
>  Specifies whether
>  .Xr login 1
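Review bot: Swapping `.Dq yes .` for `.Dq no .` leaves the UseDNS entry silent on what the new default gives up; since the preceding text explains the forward-confirmed lookup ("check that the resolved host name for the remote IP address maps back to the very same IP address"), add a sentence after the new default stating that with `no` only addresses, not host names, can be matched against remote clients (for example in authorized_keys `from=` patterns), so administrators who depend on the old behaviour know to set `UseDNS yes` explicitly.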
> --
> 2.1.1
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev