[Bug 549] Login Delay / Remove unwanted reverse map check

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue May 6 04:31:34 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=549
------- Additional Comments From devin.nate at bridgecomm.net  2003-05-06 04:31 -------
Hi,

The sshd_config in question includes an AllowUsers line. It does not have any
USER@HOST specified users, only USER,USER,USER,etc. RhostsAuthentication is set
to no, RhostsRSAAuthentication is set to no, HostbasedAuthentication is default
and therefore set to no, user keyfiles are not used, and no from lines are
specified.

The short answer is, no, according to the documentation we do not have any of
the exceptions that would require a DNS lookup when -u0 is specified.

The longer answer(s):

1a. I wouldn't use a hostname in sshd_config or other security file even if DNS
worked perfectly all of the time. I still wish to disable DNS lookups completely.

1b. OpenSSH already uses an IP address if/when DNS fails. It's not like OpenSSH
guarantees that you'll get a legitimate hostname out of the DNS lookup. The
existing code uses an IP address when the ip->host lookup fails. If you use a
USER@HOST specification, or anything which relies on a hostname... a simple DNS
error will cause OpenSSH to do something else. In some cases, based on what I
understand, OpenSSH may deny a legit user access, in other cases allow a
non-permitted user access.

2. Interestingly, where an IP address causes a specific user a delay, adding it
to /etc/hosts (with /etc/netsvc.conf specifying to use /etc/hosts first), the
first connect proceeds quickly, but if the user enters a bad password a second
DNS lookup is performed, which then takes 60-90 seconds. If the user enters a
bad password a second time, there is no delay. (I didn't care to even figure
this out, since I'd prefer to just disable DNS period - not have /etc/hosts
entries to resolve IPs that customers have that cause DNS problems).

I hope this provides more info. I looked at the patch submitted by Darren
Tucker, seems like an excellent approach also.

Thanks
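The comment above lists the configuration that still forces sshd to do a DNS lookup even with -u0: USER@HOST patterns in AllowUsers/DenyUsers, the Rhosts/Hostbased authentication switches, and from= patterns in key files. The following is an added audit script, not code from the bug report or from OpenSSH, that scans a copy of sshd_config and an authorized_keys file for exactly those items so an administrator can confirm "no, we have none of the exceptions" before blaming the reverse lookup. The sample configuration and key lines are constructed; the helper name host_pattern_needs_dns and the rule that only patterns made of digits, dots and wildcards are address-only are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample files (not the reporter's real configuration).
SAMPLE_SSHD_CONFIG_CLEAN = """\
Port 22
AllowUsers alice bob carol
RhostsAuthentication no
RhostsRSAAuthentication no
"""

SAMPLE_SSHD_CONFIG_DNS = """\
AllowUsers alice bob@*.example.com
DenyUsers mallory@10.0.0.5
HostbasedAuthentication=yes
"""

SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== alice
from="10.0.0.*" ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== bob
from="*.partner.example,192.168.1.1" ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== carol
"""

# Directives whose "yes" value lets sshd resolve the client's hostname.
HOST_AUTH_DIRECTIVES = {"rhostsauthentication", "rhostsrsaauthentication",
                        "hostbasedauthentication"}
# Directives that accept USER@HOST patterns.
USER_PATTERN_DIRECTIVES = {"allowusers", "denyusers"}


def host_pattern_needs_dns(pattern):
    """Return True if matching this host pattern requires the client's hostname.

    A literal address, or a wildcard pattern built only from digits, dots,
    colons, '*' and '?', can be matched against the peer IP alone; anything
    else (e.g. *.example.com) needs a reverse lookup.  Assumption of this
    example, not an OpenSSH rule.
    """
    try:
        ipaddress.ip_address(pattern)
        return False
    except ValueError:
        pass
    return re.fullmatch(r"[0-9.:*?]*", pattern) is None


def audit_sshd_config(text):
    """Return (lineno, directive, detail) for each directive that may force DNS."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config accepts both "Keyword value" and "Keyword=value".
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if keyword in HOST_AUTH_DIRECTIVES and value.lower() == "yes":
            findings.append((lineno, fields[0], "host-based authentication enabled"))
        elif keyword in USER_PATTERN_DIRECTIVES:
            for pat in value.split():
                if "@" in pat and host_pattern_needs_dns(pat.split("@", 1)[1]):
                    findings.append((lineno, fields[0], pat))
    return findings


def audit_authorized_keys(text):
    """Return (lineno, pattern) for each from= host pattern that needs a hostname."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = re.search(r'from="([^"]*)"', raw)
        if not match:
            continue
        for pat in match.group(1).split(","):
            pat = pat.strip().lstrip("!")  # a negated pattern still needs the name
            if host_pattern_needs_dns(pat):
                findings.append((lineno, pat))
    return findings


if __name__ == "__main__":
    for label, cfg in (("clean", SAMPLE_SSHD_CONFIG_CLEAN),
                       ("dns", SAMPLE_SSHD_CONFIG_DNS)):
        print(label, audit_sshd_config(cfg))
    print("keys", audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
```

Run it against the real files (e.g. `audit_sshd_config(open("/etc/ssh/sshd_config").read())`); an empty result for both functions means none of the documented -u0 exceptions apply, and any remaining login delay is coming from somewhere other than the configuration the man page lists.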
