On 11/11/2014 08:34 PM, Nico Kadel-Garcia wrote:
> Is it still doing the reverse DNS, and *logging* the result, unless
> you use 'sshd -u0'? There's a noticeable difference between doing a
> reverse DNS for mere logging purposes, which can be very burdensome
> in some high performance situations where you don't control external
> NAT reverse DNS space, and *verifying* that the reverse DNS matches.

Hm, I think you're right that it is likely to still be doing the reverse lookup and logging the information by default, even though it wouldn't then go ahead and check the forward DNS again. It's not clear that this offers significant gains either, and it provides an extra avenue of attack for things like broken local recursive resolvers, like this bug just reported today against systemd-resolved:

http://www.openwall.com/lists/oss-security/2014/11/12/5

> For various performance reasons when managing hundreds or thousands of
> servers from a single SSH *push* host, I wound up setting their init
> scripts to use 'sshd -u0'. That trick dates back to..... 2000, for me.

I can see why that would help. I kind of think that the default should be -u0 as well, to avoid the extra codepath exposure, information leakage, and network access by default. That would have a noticeable change in terms of what gets stored in utmp, though.

I'm also slightly concerned that even "sshd -u0" could be subverted (and sshd made to do network queries remotely) by an end-user adding from="pattern-list" to their ~/.ssh/authorized_keys file, which could be an even more serious regression, if people are using named hosts in that way.

Perhaps a better approach here is to leave UseDNS=yes as the default, but also default to -u0, and generate a deprecation warning when encountering any need for DNS while -u0 is set, so that future versions of openssh can get away with disabling those lookups entirely.

What do other folks think is the right way to improve the default behavior here?

--dkg
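The from="pattern-list" concern raised above, turned into a defender-side audit (an added example, not code from the thread or from OpenSSH): it parses an authorized_keys file and flags the from= patterns that only a reverse-resolved hostname can satisfy. Those are the entries that keep a DNS dependency alive under -u0, and the ones that would silently stop matching if UseDNS were switched off, since sshd then compares from= against the peer IP only. The sample file and its truncated key blobs are constructed.

```python
import ipaddress
import re

def split_unquoted(text, sep):
    """Split on sep outside double quotes; a backslash inside quotes escapes the next char."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\":            # keep the escaped character verbatim
            cur, i = cur + text[i:i + 2], i + 2
            continue
        quoted ^= (c == '"')
        if c == sep and not quoted:
            parts, cur = parts + [cur], ""
        else:
            cur += c
        i += 1
    return parts + [cur] if cur else parts

def needs_dns(pattern):
    """True if a from= pattern can only ever match a reverse-resolved hostname."""
    pattern = pattern.lstrip("!")                      # negation does not change the answer
    try:
        ipaddress.ip_network(pattern, strict=False)    # bare address or CIDR block
        return False
    except ValueError:
        pass
    # A glob of digits, dots, colons, ? and * (e.g. 10.0.*, or just *) matches the
    # peer's textual IP, so sshd can satisfy it without any lookup.
    return re.fullmatch(r"[0-9.:?*]+", pattern) is None

def dns_dependent_from_patterns(authorized_keys_text):
    """Return [(line_no, pattern)] for every from= pattern that only a hostname can satisfy."""
    hits = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The options field, when present, is everything before the first unquoted space.
        for opt in split_unquoted(split_unquoted(line, " ")[0], ","):
            if opt.startswith('from="') and opt.endswith('"'):
                hits += [(no, p) for p in opt[6:-1].split(",") if needs_dns(p)]
    return hits

# Constructed sample (not from the thread); key blobs are truncated placeholders.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER admin@laptop
from="192.0.2.0/24,!192.0.2.7" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER deploy
from="*.corp.example.com,10.0.*",no-pty ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER backup
"""
```

On the sample, `dns_dependent_from_patterns(SAMPLE)` returns only `[(3, "*.corp.example.com")]`: the CIDR block, the negated address and the `10.0.*` glob are all satisfiable from the peer IP alone.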
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev