Re: [PATCH] Only set PAM_RHOST if the remote host is not "UNKNOWN"

On Tue, Apr 02, 2024 at 03:31:49PM +0200, Daan De Meyer wrote:
> When using sshd's -i option with stdio that is not an AF_INET/AF_INET6
> socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
> set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
> query of "UNKNOWN", which times out multiple times, causing a
> substantial slowdown when logging in.
> 
> To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

I suspect this might also allow removing an ugly workaround from
Debian's regression test harness:

  https://salsa.debian.org/ssh-team/openssh/-/blob/647f33f8b6/debian/tests/regress#L69-78

(We specifically arrange to run the regression tests with "UsePAM yes"
because that's how our packages are configured by default, and that
changes enough things that it's worth testing.)

-- 
Colin Watson (he/him)                              [cjwatson@xxxxxxxxxx]
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


