[PATCH] UseDNS should default to "no"

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Nov 12 22:43:15 EST 2014


On 11/11/2014 08:34 PM, Nico Kadel-Garcia wrote:
> Is it still doing the reverse DNS, and *logging* the result, unless
> you use 'sshd -u0'? There's a noticeable difference between doing a
> reverse DNS for mere logging purposes, which can be very burdensome
> in some high performance situations where you don't control external
> NAT reverse DNS space, and *verifying* that the reverse DNS matches.

hm, i think you're right that it is likely to still be doing the reverse
lookup and logging the information by default, even though it wouldn't
then go ahead and check the forward DNS again.

It's not clear that this offers significant gains either, and it
provides an extra avenue of attack for things like broken local
recursive resolvers, like this bug just reported today against
systemd-resolved:

  http://www.openwall.com/lists/oss-security/2014/11/12/5

> For various performance reasons when managing hundreds or thousands of
> servers from a single SSH *push* host, I wound up setting their init
> scripts to use 'sshd -u0'. That trick dates back to..... 2000, for me.

i can see why that would help.

I kind of think that the default should be -u0 as well, to avoid the
extra codepath exposure, information leakage, and network access by
default. That would have a noticeable change in terms of what gets stored
in utmp, though.

I'm also slightly concerned that even "sshd -u0" could be subverted (and
sshd made to do network queries remotely) by an end-user adding
from="pattern-list" to their ~/.ssh/authorized_keys file, which could be
an even more serious regression, if people are using named hosts in that
way.

Perhaps a better approach here is to leave UseDNS=yes as the default,
but also default to -u0, and generate a deprecation warning when
encountering any need for DNS while -u0 is set, so that future versions
of openssh can get away with disabling those lookups entirely.

What do other folks think is the right way to improve the default
behavior here?

	--dkg
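The concern raised above about from="pattern-list" entries is something an administrator can check for before switching a fleet to UseDNS=no / -u0. The following audit script is an added example written for this page; it is not code from the thread or from OpenSSH. It walks an authorized_keys file, pulls out every from= option, and flags each pattern that sshd can only match against the client's reverse-resolved host name (anything that is not an address literal, a CIDR block or an address wildcard). The key-type prefix list and the sample file are assumptions constructed for the example.

```python
"""Audit an OpenSSH authorized_keys file for from= patterns that depend on DNS.

Added example for this page (not OpenSSH code). sshd compares the client's IP
against address/CIDR/wildcard patterns and its reverse-resolved name against
everything else, so host-name patterns depend on the reverse lookup discussed
in the thread and will not behave as intended once that lookup is disabled.
"""
import ipaddress
import re
from typing import List, Tuple

# Assumption: this prefix list is enough to tell a bare key line from one that
# starts with an option list. Extend it if your keys use other types.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

IPV4_WILDCARD = re.compile(r"^[0-9.*?]+$")
IPV6_WILDCARD = re.compile(r"^[0-9a-fA-F:*?]+$")


def split_options(line: str) -> Tuple[str, str]:
    """Split one authorized_keys line into (options, key_part).

    Options end at the first space outside double quotes; quoted values may
    contain spaces and backslash-escaped quotes.
    """
    line = line.strip()
    first = line.split(None, 1)[0] if line else ""
    if first.startswith(KEY_TYPE_PREFIXES):
        return "", line  # no option list on this line
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == " " and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
        i += 1
    return line, ""  # malformed: options but no key


def parse_options(opts: str) -> List[Tuple[str, str]]:
    """Turn 'a,b="x,y"' into [('a', ''), ('b', 'x,y')], honouring quotes."""
    result: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes, i = False, 0
    while i <= len(opts):
        c = opts[i] if i < len(opts) else ","  # sentinel flushes the last option
        if in_quotes and c == "\\" and i + 1 < len(opts):
            buf.append(opts[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif (c == "," and not in_quotes) or i == len(opts):
            text = "".join(buf)
            if text:
                name, _, value = text.partition("=")
                result.append((name.lower(), value))
            buf = []
        else:
            buf.append(c)
        i += 1
    return result


def pattern_needs_dns(pattern: str) -> bool:
    """True if the only thing sshd could match this pattern against is a host name."""
    p = pattern.lstrip("!")  # a negated pattern still needs a name to compare
    try:
        ipaddress.ip_network(p, strict=False)  # plain address or CIDR block
        return False
    except ValueError:
        pass
    if IPV4_WILDCARD.match(p) or (":" in p and IPV6_WILDCARD.match(p)):
        return False  # address wildcard such as 192.168.1.*
    return True


def audit_authorized_keys(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key_comment, pattern) for every DNS-dependent from= pattern."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, key_part = split_options(line)
        if not options:
            continue
        fields = key_part.split(None, 2)
        comment = fields[2] if len(fields) == 3 else ""
        for name, value in parse_options(options):
            if name != "from":
                continue
            for pattern in value.split(","):
                pattern = pattern.strip()
                if pattern and pattern_needs_dns(pattern):
                    findings.append((lineno, comment, pattern))
    return findings


# Constructed sample file; the key material is a truncated placeholder, not a real key.
SAMPLE = """\
# constructed sample authorized_keys
from="10.0.0.0/8,192.168.1.*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... deploy@push1
from="*.example.org,!bad.example.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... alice
command="/usr/bin/rsync --server",from="push.example.org" ssh-rsa AAAAB3NzaC1yc2E... backup
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... unrestricted
"""

if __name__ == "__main__":
    for lineno, comment, pattern in audit_authorized_keys(SAMPLE):
        print(f"line {lineno} ({comment}): from= pattern {pattern!r} needs reverse DNS")
```

Running the script over the sample reports the two host-name patterns on the "alice" key and the one on the "backup" key; the deploy key, restricted by a CIDR block and an address wildcard, needs no lookup at all. Entries it flags are the ones to rewrite as address or CIDR patterns before turning reverse lookups off, which is exactly the regression the message above is worried about.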
