Re: [PATCH] UseDNS should default to "no"

On 11/11/2014 08:34 PM, Nico Kadel-Garcia wrote:
> Is it still doing the reverse DNS, and *logging* the result, unless
> you use 'sshd -u0'? There's a noticeable difference between doing a
> reverse DNS for mere logging purposes, which can be very burdensome
> in some high performance situations where you don't control external
> NAT reverse DNS space, and *verifying* that the reverse DNS matches.

hm, i think you're right that it is likely to still be doing the reverse
lookup and logging the information by default, even though it wouldn't
then go ahead and check the forward DNS again.

It's not clear that this offers significant gains either, and it
provides an extra avenue of attack for things like broken local
recursive resolvers, like this bug just reported today against
systemd-resolved:

  http://www.openwall.com/lists/oss-security/2014/11/12/5

> For various performance reasons when managing hundreds or thousands of
> servers from a single SSH *push* host, I wound up setting their init
> scripts to use 'sshd -u0'. That trick dates back to..... 2000, for me.

i can see why that would help.

I kind of think that the default should be -u0 as well, to avoid the
extra codepath exposure, information leakage, and network access by
default. That would have a noticeable change in terms of what gets stored
in utmp, though.

I'm also slightly concerned that even "sshd -u0" could be subverted (and
sshd made to do network queries remotely) by an end-user adding
from="pattern-list" to their ~/.ssh/authorized_keys file, which could be
an even more serious regression, if people are using named hosts in that
way.

Perhaps a better approach here is to leave UseDNS=yes as the default,
but also default to -u0, and generate a deprecation warning when
encountering any need for DNS while -u0 is set, so that future versions
of openssh can get away with disabling those lookups entirely.

What do other folks think is the right way to improve the default
behavior here?

	--dkg
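To make the distinction in this thread concrete (a reverse lookup done only for logging, the forward verification that UseDNS adds on top, and the no-lookup path -u0 is meant to give), here is an added illustrative example in Python with the resolver injected so it runs offline. It is not OpenSSH's own code; the hostnames, addresses, and log wording are constructed for the example.

```python
import socket
from typing import Callable, List, Optional

def client_name(ip: str, use_dns: bool,
                reverse: Callable[[str], Optional[str]],  # ip -> PTR name or None
                forward: Callable[[str], List[str]],      # name -> its addresses
                log: List[str]) -> str:
    """Name to record for a client at `ip`. use_dns=False is the no-lookup
    path the thread wants from -u0 (no resolver call at all). use_dns=True is
    UseDNS=yes: reverse-resolve, then verify the name resolves forward to the
    same address; on a mismatch fall back to the literal and log it."""
    if not use_dns:
        return ip
    name = reverse(ip)
    if name is None:
        return ip  # no PTR record: nothing to verify, record the address
    if ip not in forward(name):
        log.append(f"address {ip} maps to {name}, which does not map back; using address")
        return ip
    return name

# Wrappers over the system resolver (not exercised by the offline data below).
def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name: str) -> List[str]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

# Constructed sample DNS data in documentation address ranges, not real hosts.
FORWARD = {"host.example.com": ["198.51.100.7", "2001:db8::7"],
           "trusted.example.net": ["192.0.2.10"]}
REVERSE = {"198.51.100.7": "host.example.com",
           "203.0.113.9": "trusted.example.net"}  # PTR the A record contradicts
LOOKUPS: List[str] = []  # every resolver call made, to show -u0 makes none

def fake_reverse(ip: str) -> Optional[str]:
    LOOKUPS.append("PTR " + ip)
    return REVERSE.get(ip)

def fake_forward(name: str) -> List[str]:
    LOOKUPS.append("A " + name)
    return FORWARD.get(name, [])
```

Swap `system_reverse`/`system_forward` in for the fake pair to run the same check against a real resolver.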


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
