What's the point of UseDNS?

Anthony Iliopoulos ailiop at lsu.edu
Sun Aug 22 00:40:14 EST 2010


On Sat, Aug 21, 2010 at 04:32:43AM -0400, Dan Mahoney, System Admin wrote:
> According to the manpage:
> 
> UseDNS Specifies whether sshd should look up the remote host name
> and check that the resolved host name for the remote IP address maps
> back to the very same IP address.  The default is ``yes''.
> 
> Thing is, while sshd *checks*, this doesn't actually control whether
> or not the client is allowed to connect, it seems at most to be an
> option that causes additional logging.

It is leveraged by hostbased-authentication, and rhosts-based
authentication methods. See auth-rhosts.c:auth_rhosts2_raw()
and auth2-hostbased.c:hostbased_key_allowed.

> Is there some option that actually lets me control connection based
> on this?  Perhaps display a message to the connecting host as to the
> problem?

No, not really, and there is no need to rely on dns-based
security checks, unless you are in an environment with the
requirement to use any of the aforementioned authentication
methods. You might be thinking of DNSSEC assurance here, but
still that would be superfluous for other kinds of authentication
methods except rhosts-based ones.

For all other cases, I believe it can be safely turned off;
logging should be based on IP and not DNS names, which
can be post-processed later if name resolution is required.

Regards,
Anthony
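As an added example (not code from the original thread or from OpenSSH), the forward-confirmed reverse DNS check the quoted manpage text describes, together with the kind of post-processing of IP-based sshd log lines recommended above; the resolver callables, the sample zone data and the sample log line are constructed for the example.

```python
import re
import socket

# Hypothetical helper, not OpenSSH code. Resolver callables are injected so
# the check can run offline; the defaults use the system resolver, much as
# sshd does through getnameinfo()/getaddrinfo().

def system_reverse(ip):
    """PTR lookup; None when the address has no reverse mapping."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    """A/AAAA lookup; empty list when the name does not resolve."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

def forward_confirmed_rdns(ip, reverse=system_reverse, forward=system_forward):
    """The UseDNS check: the PTR name must resolve back to the connecting
    address. Returns (name, confirmed); confirmed is False on any failure."""
    name = reverse(ip)
    if name is None:
        return None, False
    return name, ip in set(forward(name))

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def annotate_log_line(line, reverse=system_reverse, forward=system_forward):
    """Post-process an IP-based sshd log line with the FCrDNS verdict, so
    sshd itself never has to trust DNS at connection time."""
    m = IP_RE.search(line)
    if not m:
        return line
    name, ok = forward_confirmed_rdns(m.group(1), reverse, forward)
    return f"{line} [rdns={name or '-'} confirmed={'yes' if ok else 'no'}]"

# Constructed sample zone data: one PTR that confirms, one that does not.
CONSTRUCTED_PTR = {"192.0.2.10": "bastion.example.net",
                   "192.0.2.20": "spoofed.example.net"}
CONSTRUCTED_A = {"bastion.example.net": ["192.0.2.10"],
                 "spoofed.example.net": ["198.51.100.5"]}

def demo_resolvers():
    """Offline resolvers backed by the constructed zone above."""
    return CONSTRUCTED_PTR.get, (lambda n: CONSTRUCTED_A.get(n, []))
```

The corresponding sshd_config setting for the "turn it off and log by IP" approach is `UseDNS no`; the annotation step above then runs against the archived logs rather than inside the connection path.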


More information about the openssh-unix-dev mailing list