[PATCH] UseDNS should default to "no"

Nico Kadel-Garcia nkadel at gmail.com
Wed Nov 12 17:34:55 EST 2014


Is it still doing the reverse DNS, and *logging* the result, unless
you use 'sshd -u0'? There's a noticeable difference between doing a
reverse DNS for mere logging purposes, which can be very burdensome
in some high performance situations where you don't control external
NAT reverse DNS space, and *verifying* that the reverse DNS matches.

For various performance reasons when managing hundreds or thousands of
servers from a single SSH *push* host, I wound up setting their init
scripts to use 'sshd -u0'. That trick dates back to..... 2000, for me.

On Tue, Nov 11, 2014 at 10:09 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> In the dnsop (DNS Operations) working group at the IETF meeting today,
> there was a strong sense in the room that OpenSSH's sshd should not be
> checking reverse DNS of clients during connection by default, since it
> provides no real security benefit.
>
> This patch changes the default for UseDNS from "yes" to "no".
> ---
>  servconf.c    | 2 +-
>  sshd_config   | 2 +-
>  sshd_config.5 | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/servconf.c b/servconf.c
> index b317e9c..93ea0cf 100644
> --- a/servconf.c
> +++ b/servconf.c
> @@ -290,7 +290,7 @@ fill_default_server_options(ServerOptions *options)
>         if (options->max_sessions == -1)
>                 options->max_sessions = DEFAULT_SESSIONS_MAX;
>         if (options->use_dns == -1)
> -               options->use_dns = 1;
> +               options->use_dns = 0;
>         if (options->client_alive_interval == -1)
>                 options->client_alive_interval = 0;
>         if (options->client_alive_count_max == -1)
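Review bot: the commit message should spell out the operational consequence of this line: any deployment that relied on the reverse-DNS check described in sshd_config.5 now needs an explicit `UseDNS yes` in sshd_config, so this is a behaviour change for the release notes rather than a silent default. The rationale the commit message gives (no real security benefit) would also be worth a one-line comment beside `options->use_dns = 0;` so a later reader does not revert it as an accident.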
> diff --git a/sshd_config b/sshd_config
> index e9045bc..9ac96f3 100644
> --- a/sshd_config
> +++ b/sshd_config
> @@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox              # Default for new installations.
>  #Compression delayed
>  #ClientAliveInterval 0
>  #ClientAliveCountMax 3
> -#UseDNS yes
> +#UseDNS no
>  #PidFile /var/run/sshd.pid
>  #MaxStartups 10:30:100
>  #PermitTunnel no
> diff --git a/sshd_config.5 b/sshd_config.5
> index 43cc826..93cd581 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -1304,7 +1304,7 @@ should look up the remote host name and check that
>  the resolved host name for the remote IP address maps back to the
>  very same IP address.
>  The default is
> -.Dq yes .
> +.Dq no .
>  .It Cm UseLogin
>  Specifies whether
>  .Xr login 1
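Review bot: `.Dq no .` keeps the man page in step with servconf.c, but the paragraph around it only describes what the option does when enabled; with the default now off, a sentence here giving the reason for the change (the commit message's point that the check provides no real security benefit) would stop administrators from re-enabling it on the assumption that it hardens anything.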
> --
> 2.1.1
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
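The distinction Nico draws between doing a reverse lookup merely to log a name and verifying that the name maps back to the same address (the check the sshd_config.5 text in the patch describes), as an added Python example; this is not OpenSSH code, and the resolver callback names, host names and addresses are constructed for the offline demo.

```python
import ipaddress
import socket

# Resolver callbacks are injected (hypothetical parameter names) so the check
# runs offline: reverse(ip) -> PTR name or None; forward(name) -> addresses.

def client_name_for_log(ip, reverse):
    """Reverse lookup only (the cost of merely logging a host name):
    one PTR query, with no proof that the name belongs to the address."""
    name = reverse(ip)
    return name if name else ip

def verified_client_name(ip, reverse, forward):
    """Forward-confirmed reverse DNS, the check UseDNS yes performs: keep the
    PTR name only if one of its A/AAAA records maps back to the very same
    address; otherwise fall back to the bare IP address."""
    addr = ipaddress.ip_address(ip)
    name = reverse(ip)
    if not name:
        return ip
    try:
        forward_addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except ValueError:  # malformed address in the answer: treat as unconfirmed
        return ip
    return name if addr in forward_addrs else ip

def system_reverse(ip):
    """Live PTR lookup through the OS resolver (real use, not the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    """Live A/AAAA lookup through the OS resolver (real use, not the offline demo)."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

# Constructed sample records: one PTR that forward-confirms, one that does not
# (its name resolves to a different address, as a stale or forged PTR would).
FAKE_PTR = {"198.51.100.10": "build01.example.net",
            "198.51.100.11": "trusted.example.net"}
FAKE_FWD = {"build01.example.net": ["198.51.100.10"],
            "trusted.example.net": ["203.0.113.5"]}
fake_reverse = FAKE_PTR.get
def fake_forward(name):
    return FAKE_FWD.get(name, [])
```

For a live check, pass `system_reverse` and `system_forward` instead of the fake callbacks; the logging-only path shows why a PTR alone is no evidence of who the client is.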
