Bug 2545

Summary: reverse DNS lookups shouldn't block login
Product: Portable OpenSSH
Reporter: Marc Bejarano <bugzilla.mindrot.org>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: djm, dtucker
Priority: P5
Version: 6.6p1
Hardware: All
OS: All

Description Marc Bejarano 2016-02-27 03:33:50 AEDT
sshd currently blocks on doing a reverse DNS lookup during login when UseDNS is yes. This normally doesn't present a problem, but broken or misconfigured resolvers and servers can cause a 20-second penalty to sshd users.

sshd should do the name resolution in a non-blocking way.

see https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/424371
Comment 1 Damien Miller 2016-02-28 10:59:53 AEDT
We don't intend to fix this.

With UseDNS=yes, we need the remote hostname fairly early in the connection life for sshd_config Match and authorized_keys restrictions, so doing the lookup asynchronously wouldn't really help - we'd need to block at those points anyway until we get an answer.

UseDNS=no is the default for this reason (among others).
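As an added illustration of the point in Comment 1 (this is not configuration from the bug report or from OpenSSH's own files), the fragments below keep UseDNS at its default of "no" and express the same kinds of restrictions by source address rather than by hostname, so sshd never has to wait on the resolver before evaluating them. The names, addresses and key data (example.net, 10.20.0.0/16, 10.20.1.5, the ssh-ed25519 placeholder) are assumed.

```text
# --- sshd_config (added example; hosts and addresses are assumed) ---

# Default. With "yes", sshd must block on the reverse lookup before it can
# evaluate hostname-based Match blocks or from= patterns, so a broken resolver
# delays every login.
UseDNS no

# This form needs the reverse-resolved name and therefore forces the lookup:
#   Match Host *.example.net
# Matching on the client address needs no resolver at all:
Match Address 10.20.0.0/16
    PasswordAuthentication no
    AllowAgentForwarding no

# --- ~/.ssh/authorized_keys for the restricted account (added example) ---

# A hostname pattern in from= has the same dependency on the reverse lookup:
#   from="bastion.example.net" ssh-ed25519 AAAA...placeholder admin@bastion
# An address or CIDR pattern is checked against the connection address and
# works with UseDNS no:
from="10.20.1.5" ssh-ed25519 AAAA...placeholder admin@bastion
```

With UseDNS no, a hostname pattern in Match Host or from= is compared against the client's address string and simply never matches, so the address form is the one that actually enforces the restriction in that configuration; the remaining hostname consumers Comment 2 lists (PAM_RHOST, utmp/wtmp) then record the address instead of a name.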
Comment 2 Darren Tucker 2016-02-29 11:27:47 AEDT
There are also a couple of system-level dependencies performing the login:
 - PAM_RHOST, if PAM is enabled.
 - writing remote hostname to utmp/wtmp records
Comment 3 Damien Miller 2016-08-02 10:41:13 AEST
Close all resolved bugs after 7.3p1 release