Optional WHOIS netname on login banner

Nico Kadel-Garcia nkadel at gmail.com
Sat Aug 22 22:00:27 AEST 2015


On Fri, Aug 21, 2015 at 6:45 PM, Ángel González <keisial at gmail.com> wrote:
> On 17/08/15 11:36, ricky wrote:
>>
>> I think this is probably my first post to this mailing list, so hello!
>>
>> Occasionally I log in to my servers from IP addresses without reverse DNS
>> configured, so sometimes I'll see an IP I don't recognise because I can't
>> remember what I did the day before and get a bit spooked until I WHOIS the
>> IP and find the netname reminds me I logged in from that IP.
>>
>> I set out prepared to script it, but I understand that the reporting of
>> failed/last logins is only really configurable at source, so instead of
>> submitting a hilariously poorly coded patch for which I receive numerous
>> critiques and ridicule, I figured I'd just submit the idea/use-case and hope
>> that at least one of you think it might be a nice idea. Even if I were to be
>> able to submit openssh patches with code that is not awful, I think it
>> sensible to check to see if you'd be prepared to accept such a patch in the
>> first place anyway.
>>
>> Regards,
>> Ricky Burgin
>
> Welcome Ricky,
>
> Don't worry, we wouldn't treat you that badly :)
>
> I'm not sure if the (optional) change you propose should happen at ssh
> before sending to syslog, or rather by a wrapper showing the IPs. In the
> former case, I don't think you should put whois search code into openssh,
> but allow it to run an external program which would fetch the additional
> data.
> You are interested in netname, but someone else may just be interested in
> the country and another in the AS.


If I may suggest, it doesn't sound like a good idea to put it in
OpenSSH at all. If DNS behavior is failing or not fully configured,
configure DNS more fully, or acknowledge that it's not able to be
fixed. In many environments, frankly, it's not fixable: the reverse
DNS is administered by different people than the forward DNS, and there
are other environments with dynamic DNS where reverse DNS is never
expired, and reverse DNS has multiple entries and is a nightmare.
This really looks like a log analysis problem to sanitize bad DNS:
trying to sanitize incomplete or bad DNS in OpenSSH processing, before
the connection is even established, sounds like a really, really deep
rathole.

A post-analysis tool for logs sounds potentially much more useful for
environments where, for performance and configuration reasons, the
reverse DNS is turned off *entirely* by using the "sshd -u0" option.
I've certainly seen this done in worldwide, distributed networks with
CNAME or multiple A record named hosts where the reverse DNS cannot be
relied on, and the lengthy timeouts of non-existent reverse DNS
lookups caused very real performance problems.

> Also I wouldn't be surprised if doing that reliably turns out to be quite
> complex (differences between RIRs, several netnames, IPs with no netname at
> all…) even though the initial assumption would be simply:
> whois $ip | grep -i ^netname:
>
> Best regards

It's an unstable and potentially confusing modification of a long
stable bit of code.
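The post-analysis approach described in this message, as an added example that is not part of the thread or of OpenSSH: a script that parses sshd login lines and annotates each source IP with the netname(s) found in its whois record, covering the several-netname and no-netname cases raised above. The log lines and the whois text are constructed stand-ins, and the lookup function is injected so the script runs offline.

```python
import re

# Constructed sshd log lines (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
Aug 17 11:36:01 host sshd[2140]: Accepted publickey for ricky from 192.0.2.10 port 51022 ssh2
Aug 17 11:40:13 host sshd[2161]: Accepted password for ricky from 198.51.100.7 port 40110 ssh2
Aug 17 11:41:02 host sshd[2170]: Failed password for invalid user admin from 203.0.113.9 port 33012 ssh2
"""

# Constructed stand-in for `whois $ip` output, keyed by IP. Real RIR output varies;
# this one deliberately includes several netnames for one IP and none for another.
FAKE_WHOIS = {
    "192.0.2.10": "inetnum: 192.0.2.0 - 192.0.2.255\nnetname: EXAMPLE-HOME-DSL\ncountry: GB\n",
    "198.51.100.7": "NetName: EXAMPLE-CLOUD\n\n# less specific\nnetname: EXAMPLE-CLOUD-POOL\n",
    "203.0.113.9": "inetnum: 203.0.113.0 - 203.0.113.255\ncountry: ZZ\n",
}

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
NETNAME_RE = re.compile(r"^netname:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def netnames(whois_text):
    """All netname values, matched like `grep -i ^netname:`, in order and deduplicated."""
    seen = []
    for m in NETNAME_RE.finditer(whois_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def annotate(log_text, whois_lookup):
    """Parse sshd login lines and attach the netname(s) behind each source IP."""
    rows = []
    cache = {}  # query each IP once; whois servers rate-limit repeated queries
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip not in cache:
            cache[ip] = netnames(whois_lookup(ip))
        rows.append((m.group("result"), m.group("user"), ip, cache[ip] or ["(no netname)"]))
    return rows

if __name__ == "__main__":
    for result, user, ip, names in annotate(SAMPLE_LOG, lambda ip: FAKE_WHOIS.get(ip, "")):
        print(f"{result:8} {user:8} {ip:15} {', '.join(names)}")
```

Against real logs, pass a lookup that returns the stdout of `whois <ip>` (for example via subprocess) in place of the constructed dictionary.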
