[PATCH] UseDNS should default to "no"
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Nov 12 14:09:12 EST 2014
In the dnsop (DNS Operations) working group at the IETF meeting today,
there was a strong sense in the room that OpenSSH's sshd should not be
checking reverse DNS of clients during connection by default, since it
provides no real security benefit.
This patch changes the default for UseDNS from "yes" to "no".
---
servconf.c | 2 +-
sshd_config | 2 +-
sshd_config.5 | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/servconf.c b/servconf.c
index b317e9c..93ea0cf 100644
--- a/servconf.c
+++ b/servconf.c
@@ -290,7 +290,7 @@ fill_default_server_options(ServerOptions *options)
if (options->max_sessions == -1)
options->max_sessions = DEFAULT_SESSIONS_MAX;
if (options->use_dns == -1)
- options->use_dns = 1;
+ options->use_dns = 0;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
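Review bot: the `+ options->use_dns = 0;` line is the only place the compiled-in fallback is set, so the code change is complete, but the commit message above justifies it only with "provides no real security benefit" and says nothing about what changes for administrators: per the sshd_config.5 hunk the lookup yields a resolved host name that is checked against the address, so anything that matches or logs by host name rather than by address behaves differently once the default is "no". Suggest expanding the commit message to spell that out and to note that existing setups relying on the old default need an explicit `UseDNS yes`.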
diff --git a/sshd_config b/sshd_config
index e9045bc..9ac96f3 100644
--- a/sshd_config
+++ b/sshd_config
@@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
-#UseDNS yes
+#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
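Review bot: the `#UseDNS no` line keeps the shipped sample in step with the new compiled-in default, which is right, since leaving `#UseDNS yes` would misdocument the behaviour. The context line `UsePrivilegeSeparation sandbox # Default for new installations.` shows this file's convention of annotating a changed default inline; consider the same treatment here so an administrator diffing an old sshd_config against the new one sees that the default moved, not merely that the sample was edited.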
diff --git a/sshd_config.5 b/sshd_config.5
index 43cc826..93cd581 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1304,7 +1304,7 @@ should look up the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
-.Dq yes .
+.Dq no .
.It Cm UseLogin
Specifies whether
.Xr login 1
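Review bot: the `.Dq no .` replacement is correct mdoc (the trailing period stays outside the quoted word), but the surrounding paragraph still describes only what the lookup does ("check that the resolved host name for the remote IP address maps back to the very same IP address") and says nothing about the effect of the default now being "no". Suggest adding a sentence after `The default is .Dq no .` stating when an administrator would want to turn it on, since the rationale given in the commit message does not otherwise reach the man page.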
--
2.1.1
More information about the openssh-unix-dev mailing list