[Bug 549] Login Delay / Remove unwanted reverse map check

bugzilla-daemon at mindrot.org
Sun Apr 27 08:34:34 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=549

           Summary: Login Delay / Remove unwanted reverse map check
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P3
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: devin.nate at bridgecomm.net


OpenSSH compiled and working well on AIX 4.3.3 and 5.1.

When some users go to connect using an ssh client, they experience a 60-90 second
delay. Basic examination reveals that it's the ip->host reverse map. Further
investigation reveals the code in canohost.c:

        debug3("Trying to reverse map address %.100s.", ntop);
        /* Map the IP address to a host name. */
        if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
            NULL, 0, NI_NAMEREQD) != 0) {
                /* Host name not found.  Use ip address. */
#if 0
                log("Could not reverse map address %.100s.", ntop);
#endif
                return xstrdup(ntop);
        }

If the reverse lookup fails, it resorts to the IP address. Ideally, a person
could configure ssh to never do a reverse lookup.

sshd is running, via inittab:
     sshd:2:respawn:/usr/local/sbin/sshd -Du0

Documentation suggests that the option -u0 causes sshd not to do a lookup, but
this is not true (i.e. no if statement surrounding that block of code that would
indicate -u0 will stop the lookup), and experience shows that users are still
getting hung up on a reverse lookup in some situations.

I've created a mini patch to bypass the check, which basically amounts to:

#ifdef DISABLE_REVERSE_MAP
        /* Don't search for hostname. Use ip address */
        debug3("Skipping reverse map of address.");
        return xstrdup(ntop);
#endif
..original canohost.c lookup code.

I am happy to submit my patches, or would like to see either a *_config option
and/or a ./configure --disable-reverse-map type option to absolutely stop DNS
lookups.

Thanks


