Unwanted reverse mapping of ip addresses
Aaron Bostick
abostick at mydoconline.com
Fri Feb 28 04:57:35 EST 2003
Hi SSH developers,
I am wondering if someone could help explain a behavior of sshd. From
canohost.c, get_remote_hostname(), it seems sshd will always try to
reverse lookup the ip address of any client that attaches to it.
The verify_reverse_mapping flag just turns off the forward lookup
through DNS of the clients hostname, once the hostname has been
determined.
I am using Solaris 8 with ssh 3.4p1, and this piece of code:
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name,
sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
log("Could not reverse map address %.100s.", ntop);
return xstrdup(ntop);
takes like 30 to 60 seconds to run if you have dns listed in your
nsswitch.conf, which in many cases is needed.
My question is, is this really necessary? Couldn't the
verify_reverse_mapping flag turn off the above code as well? I compiled
my own daemon to do so and my ssh prompt comes up immediately now with
DNS turned on.
I have read elsewhere that this may be a problem with a broken arp on
solaris, but even on my mandrake 8.2 linux box, the sshd takes 5 to 10
seconds to run through this code before I get a login prompt?
Is there any reason not to make this conditional on the
verify_reverse_mapping flag or perhaps a flag of its own in sshd_config?
Thanks a bunch for the help and please CC me on any reply as I do not
subscribe to this list.
--
Aaron Bostick
Sr Network Architect
CISSP #21728, CCIE #7988
Mydoconline.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030227/14a69731/attachment.bin
More information about the openssh-unix-dev
mailing list