[Bug 549] Login Delay / Remove unwanted reverse map check

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue May 6 10:41:36 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=549
------- Additional Comments From devin.nate at bridgecomm.net  2003-05-06 10:41 -------
I don't think (I could be wrong; I certainly haven't checked all the code) that
disabling DNS will automatically break all the OpenSSH components that would
like to have a hostname. Instead, my suspicion is that you'll need to use the IP
address(es) in place of the hostname(s). In fact, I just tested USER@IP.IP.IP.IP
and that worked as predicted (i.e. allowed me in when I had the right IP
address, disallowed me when I came from a non-permitted IP address). My sshd is
patched to never do the DNS lookup.

I consider using IP addresses instead of hostnames a feature. An item in the
config file, similar to "VerifyReverseMapping" might be appropriate:

ReverseMapIPAddresses [ yes(default)|no ]  (for ssh_config and sshd_config)

I realize that the Internet continues to struggle with hostnames vs. IP
addresses. How many firewall admins wouldn't want to do something like "DENY
pornsite.com" or "DENY spamsite.net" and get all the potential IP addresses and
be done with it? And yet, DNS-based access controls haven't taken off.

Many other network daemons let you disable DNS. I realize a security server
isn't quite the same as your favorite SMTP, HTTP, or FTP server; however,
especially given our environment here, and what I suspect many users of OpenSSH
have, I don't see DNS records being needed very often. I guess another way to
look at this is with a config option to stop OpenSSH from using the hostname in
ACLs (and therefore not performing DNS lookups), and instead use the IP address
only.

Thanks,
Devin Nate
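The behaviour Devin describes above, an AllowUsers-style ACL matched against the client's IP address so that no reverse lookup is needed, is modelled in the following added example. This is illustrative code written for this archive page, not OpenSSH's own implementation: the `REVERSE_MAP` table is a constructed stand-in for DNS PTR answers, `use_dns` is a hypothetical switch playing the role of the proposed ReverseMapIPAddresses / VerifyReverseMapping knob, and the pattern syntax (`USER@HOST` with `*` and `?` wildcards) follows the sshd_config AllowUsers convention.

```python
"""Model of an sshd-style AllowUsers check, with and without reverse DNS.

Added illustration for the bug comment above; not OpenSSH code.
"""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed stand-in for the DNS reverse map (PTR records). A value of None
# means the address has no PTR record, which is the common case for many hosts.
REVERSE_MAP = {
    "192.0.2.10": "devbox.example.net",
    "192.0.2.20": None,
}

# Every simulated reverse lookup is recorded here so a caller can show that an
# IP-only ACL never triggers one (the login-delay complaint in this bug).
DNS_QUERIES: List[str] = []


def reverse_lookup(ip: str, use_dns: bool) -> Optional[str]:
    """Return the PTR name for ip, or None if lookups are disabled or absent."""
    if not use_dns:
        return None
    DNS_QUERIES.append(ip)          # the slow, possibly timing-out step
    return REVERSE_MAP.get(ip)


def split_pattern(pattern: str) -> Tuple[str, Optional[str]]:
    """'USER@HOST' -> ('USER', 'HOST'); a bare 'USER' has no host part."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return user_pat, host_pat
    return pattern, None


def match_allow_users(patterns: List[str], user: str, ip: str,
                      use_dns: bool = True) -> bool:
    """True if (user, client) satisfies at least one AllowUsers pattern.

    The host part of a pattern is tried against the client IP address first;
    only if that fails, and reverse DNS is enabled, is it tried against the
    resolved hostname. With use_dns=False, hostname patterns can never match,
    which is exactly the trade-off the comment proposes.
    """
    hostname = reverse_lookup(ip, use_dns)
    for pattern in patterns:
        user_pat, host_pat = split_pattern(pattern)
        if not fnmatchcase(user, user_pat):
            continue
        if host_pat is None:
            return True                              # user-only pattern
        if fnmatchcase(ip, host_pat):
            return True                              # address match, no DNS
        if hostname is not None and fnmatchcase(hostname, host_pat):
            return True                              # hostname match via PTR
    return False


def queries_so_far() -> int:
    """Number of simulated reverse lookups performed so far."""
    return len(DNS_QUERIES)


if __name__ == "__main__":
    acl = ["devin@192.0.2.10", "ops@*.example.net"]
    print(match_allow_users(acl, "devin", "192.0.2.10", use_dns=False))  # True
    print(match_allow_users(acl, "ops", "192.0.2.10", use_dns=False))    # False
    print(match_allow_users(acl, "ops", "192.0.2.10", use_dns=True))     # True
    print("lookups performed:", queries_so_far())                         # 1
```

The point of the model is the ordering: an address pattern is decided before any lookup result is consulted, so an ACL written purely in terms of IP addresses is unaffected by slow or missing PTR records, while an ACL that names hosts silently stops admitting anyone once lookups are turned off.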






