[PATCH] Only set PAM_RHOST if the remote host is not "UNKNOWN"

Colin Watson cjwatson at debian.org
Wed Apr 3 01:49:58 AEDT 2024


On Tue, Apr 02, 2024 at 03:31:49PM +0200, Daan De Meyer wrote:
> When using sshd's -i option with stdio that is not an AF_INET/AF_INET6
> socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
> set as the value of PAM_RHOST, causing PAM to try to do a reverse DNS
> query of "UNKNOWN", which times out multiple times, causing a
> substantial slowdown when logging in.
> 
> To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

I suspect this might also allow removing an ugly workaround from
Debian's regression test harness:

  https://salsa.debian.org/ssh-team/openssh/-/blob/647f33f8b6/debian/tests/regress#L69-78

(We specifically arrange to run the regression tests with "UsePAM yes"
because that's how our packages are configured by default, and that
changes enough things that it's worth testing.)

-- 
Colin Watson (he/him)                              [cjwatson at debian.org]


More information about the openssh-unix-dev mailing list