[PATCH] Only set PAM_RHOST if the remote host is not "UNKNOWN"

Colin Watson cjwatson at debian.org
Wed Apr 3 01:49:58 AEDT 2024

On Tue, Apr 02, 2024 at 03:31:49PM +0200, Daan De Meyer wrote:
> When using sshd's -i option with stdio that is not an AF_INET/AF_INET6
> socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
> set as the value of PAM_RHOST, causing PAM to try to do a reverse DNS
> query of "UNKNOWN", which times out multiple times, causing a
> substantial slowdown when logging in.
> To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

I suspect this might also allow removing an ugly workaround from
Debian's regression test harness:


(We specifically arrange to run the regression tests with "UsePAM yes"
because that's how our packages are configured by default, and that
changes enough things that it's worth testing.)

Colin Watson (he/him)                              [cjwatson at debian.org]

More information about the openssh-unix-dev mailing list