On Fri, Aug 21, 2015 at 6:45 PM, Ángel González <keisial@xxxxxxxxx> wrote:
> On 17/08/15 11:36, ricky wrote:
>>
>> I think this is probably my first post to this mailing list, so hello!
>>
>> Occasionally I log in to my servers from IP addresses without reverse DNS
>> configured, so sometimes I'll see an IP I don't recognise because I can't
>> remember what I did the day before and get a bit spooked until I WHOIS the
>> IP and find the netname reminds me I logged in from that IP.
>>
>> I set out prepared to script it, but I understand that the reporting of
>> failed/last logins is only really configurable at source, so instead of
>> submitting a hilariously poorly coded patch from which I receive numerous
>> critiques and ridicule, I figured I'd just submit the idea/use-case and hope
>> that at least one of you thinks it might be a nice idea. Even if I were
>> able to submit openssh patches with code that is not awful, I think it
>> sensible to check to see if you'd be prepared to accept such a patch in the
>> first place anyway.
>>
>> Regards,
>> Ricky Burgin
>
> Welcome Ricky,
>
> Don't worry, we wouldn't treat you that badly :)
>
> I'm not sure if the (optional) change you propose should happen at ssh
> before sending to syslog, or rather by a wrapper showing the IPs. In the
> former case, I don't think you should put whois search code into openssh,
> but allow it to run an external program which would fetch the additional
> data.
> You are interested in netname, but someone else may just be interested in
> the country and another in the AS.

If I may suggest, it doesn't sound like a good idea to put it in OpenSSH at all. If DNS behavior is failing or not fully configured, configure DNS more fully, or acknowledge that it's not able to be fixed.

In many environments, frankly, it's not fixable: the reverse DNS is administered by different people than the forward DNS, and there are other environments with dynamic DNS where reverse DNS is never expired, and reverse DNS has multiple entries and is a nightmare. This really looks like a log analysis problem to sanitize bad DNS: trying to sanitize incomplete or bad DNS in OpenSSH processing, before the connection is even established, sounds like a really, really deep rathole. A post-analysis tool for logs sounds potentially much more useful for environments where, for performance and configuration reasons, the reverse DNS is turned off *entirely* by using the "sshd -u0" option. I've certainly seen this done in worldwide, distributed networks with CNAME or multiple A record named hosts where the reverse DNS cannot be relied on, and the lengthy timeouts of non-existent reverse DNS lookups caused very real performance problems.

> Also I wouldn't be surprised if doing that reliably turns out to be quite
> complex (differences between rirs, several netnames, ips with no netname at
> all…) even though the initial assumption would be simply:
> whois $ip | grep -i ^netname:
>
> Best regards

It's an unstable and potentially confusing modification of a long stable bit of code.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
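The post-analysis approach argued for above (annotate sshd log lines after the fact, using an external whois client rather than code inside OpenSSH), as an added example that is not from the thread or from the OpenSSH project. It assumes the standard syslog format of sshd's "Accepted ... for <user> from <ip> port <n>" lines and a `whois` command on PATH; the sample log lines and WHOIS replies below are constructed so the script runs offline, and the lookup function is pluggable so the real client can be swapped in. It also handles the two failure modes Ángel mentions: replies with no netname at all, and a lookup that fails or times out.

```python
"""Annotate sshd login lines with the WHOIS netname of the source address.

Added example (not OpenSSH code): a post-hoc log filter in the spirit of
`whois $ip | grep -i ^netname:`, with one lookup per unique IP and a
fallback when the registry reply carries no netname.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Assumed log format: syslog prefix, then "sshd[pid]: Accepted <method> for <user> from <ip> port <n>".
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+)"
)
# RIR output is not case-consistent ("netname:" vs "NetName:"), hence IGNORECASE.
NETNAME_RE = re.compile(r"^netname:\s*(?P<name>\S+)", re.IGNORECASE | re.MULTILINE)


def parse_netname(whois_text: str) -> Optional[str]:
    """Return the first netname value in a WHOIS reply, or None when there is none."""
    m = NETNAME_RE.search(whois_text)
    return m.group("name") if m else None


def whois_lookup(ip: str, timeout: float = 5.0) -> str:
    """Run the system whois client; return "" on error so one bad lookup does not abort the run."""
    try:
        out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=timeout)
        return out.stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def annotate(lines: List[str], lookup: Callable[[str], str] = whois_lookup) -> List[str]:
    """Return the 'Accepted' lines with '[netname: X]' appended; other lines are dropped."""
    cache: Dict[str, str] = {}  # one external lookup per distinct source address
    result: List[str] = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip not in cache:
            cache[ip] = parse_netname(lookup(ip)) or "UNKNOWN"
        result.append(f"{line.rstrip()}  [netname: {cache[ip]}]")
    return result


# Constructed sample input: two successful logins from one IPv4 address, one failure
# (ignored), and one IPv6 login whose registry entry has no netname.
SAMPLE_LOG = [
    "Aug 21 18:45:01 host sshd[1234]: Accepted publickey for ricky from 203.0.113.7 port 51234 ssh2",
    "Aug 21 18:46:12 host sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2",
    "Aug 21 18:47:03 host sshd[1250]: Accepted password for ricky from 203.0.113.7 port 51300 ssh2",
    "Aug 21 18:50:44 host sshd[1260]: Accepted publickey for ricky from 2001:db8::1 port 33000 ssh2",
]

# Constructed WHOIS replies standing in for the external client during an offline run.
FAKE_WHOIS = {
    "203.0.113.7": "inetnum:  203.0.113.0 - 203.0.113.255\nNetName:  EXAMPLE-HOME-DSL\ncountry:  GB\n",
    "2001:db8::1": "inet6num: 2001:db8::/32\ncountry:  NL\n",  # no netname at all
}


def fake_lookup(ip: str) -> str:
    """Offline stand-in for whois_lookup using the constructed replies above."""
    return FAKE_WHOIS.get(ip, "")


if __name__ == "__main__":
    for out in annotate(SAMPLE_LOG, fake_lookup):  # pass whois_lookup for live use
        print(out)
```

Because the annotation runs over the log after the fact, it costs sshd nothing at connection time, and the cache keeps the number of registry queries equal to the number of distinct addresses rather than the number of logins.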