Bug 2545 - reverse DNS lookups shouldn't block login
Summary: reverse DNS lookups shouldn't block login
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.6p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-27 03:33 AEDT by Marc Bejarano
Modified: 2016-08-02 10:41 AEST
CC List: 2 users

See Also:

Description Marc Bejarano 2016-02-27 03:33:50 AEDT
sshd currently blocks on doing a reverse DNS lookup during login when UseDNS is yes. This normally doesn't present a problem, but broken or misconfigured resolvers and servers can cause a 20-second penalty to sshd users.

sshd should do the name resolution in a non-blocking way.

see https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/424371
Comment 1 Damien Miller 2016-02-28 10:59:53 AEDT
We don't intend to fix this.

With UseDNS=yes, we need the remote hostname fairly early in the connection life for sshd_config Match and authorized_keys restrictions, so doing the lookup asynchronously wouldn't really help - we'd need to block at those points anyway until we get an answer.

UseDNS=no is the default for this reason (among others).
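As an added example (not part of this bug thread and not OpenSSH code), the following Python script checks the practical consequence of the comment above: with UseDNS set to no (the default), sshd only has the client's address, so sshd_config "Match Host" patterns and authorized_keys "from=" patterns that name a hostname can never match. The script parses constructed sample files (the key blobs are placeholders), mirrors sshd's first-value-wins handling of UseDNS, and reports hostname-only patterns. The address heuristic (ipaddress parse, or a digits/wildcard form) and treating whitespace as the only keyword separator are this example's own simplifications.

```python
"""Flag sshd hostname-based restrictions that cannot match while UseDNS is no.
Added example; not OpenSSH's own code."""
import ipaddress
import re

# Lines that start with a key type carry no options field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)")
# Patterns sshd can still match against the client's IP string without DNS:
# plain IPv4 wildcards such as 10.0.* or IPv6 wildcards such as 2001:db8::*.
ADDR_WILDCARD = re.compile(r"^(?:[0-9.*?]+|[0-9a-fA-F:*?]*:[0-9a-fA-F:*?]*)$")


def needs_dns(pattern):
    """True if a Match Host / from= pattern can only match a resolved hostname."""
    p = pattern.lstrip("!")  # negated patterns use the same syntax
    try:
        ipaddress.ip_network(p, strict=False)  # exact address or CIDR range
        return False
    except ValueError:
        pass
    return not ADDR_WILDCARD.match(p)


def parse_sshd_config(text):
    """Return (use_dns, [(lineno, pattern), ...]) for every Match Host pattern.
    sshd keeps the first value it sees for a keyword, so a later UseDNS line
    does not override an earlier one; an absent keyword means the default, no."""
    use_dns = None
    match_hosts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        kw = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if kw == "usedns" and use_dns is None:
            use_dns = rest.strip().lower() == "yes"
        elif kw == "match":
            toks = rest.split()
            for crit, val in zip(toks[::2], toks[1::2]):
                if crit.lower() == "host":
                    match_hosts.extend((lineno, p) for p in val.split(","))
    return bool(use_dns), match_hosts


def from_patterns(text):
    """Yield (lineno, pattern) for every from= option in an authorized_keys file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or KEY_TYPE.match(line):
            continue  # blank, comment, or a key with no options
        # The options field runs up to the first whitespace outside quotes.
        opts, quoted = [], False
        for ch in line:
            if ch == '"':
                quoted = not quoted
            if ch.isspace() and not quoted:
                break
            opts.append(ch)
        m = re.search(r'(?:^|,)from="([^"]*)"', "".join(opts), re.IGNORECASE)
        if m:
            for p in m.group(1).split(","):
                yield lineno, p.strip()


def audit(sshd_config, authorized_keys):
    """Return findings as strings; empty means every pattern can match as configured."""
    use_dns, match_hosts = parse_sshd_config(sshd_config)
    findings = []
    if use_dns:
        findings.append("UseDNS yes: sshd blocks on a reverse lookup of every "
                        "client before evaluating Match Host and from= patterns")
        return findings
    for lineno, pat in match_hosts:
        if needs_dns(pat):
            findings.append(f"sshd_config:{lineno}: Match Host {pat!r} needs UseDNS yes")
    for lineno, pat in from_patterns(authorized_keys):
        if needs_dns(pat):
            findings.append(f"authorized_keys:{lineno}: from= pattern {pat!r} needs UseDNS yes")
    return findings


# Constructed sample inputs for the example; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config (no UseDNS line, so the default "no" applies)
Port 22
Match Host *.corp.example.com,!*.guest.corp.example.com
    PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys; key blobs are placeholders
from="*.corp.example.com,10.1.0.0/16" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA alice
from="!192.0.2.*,10.1.2.3",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA bob
from="bastion.example.net" ssh-rsa AAAAB3NzaC1yc2EAAAA carol
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA dave
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

Run as-is, the script reports four findings for the sample: both Match Host patterns and the two hostname-only from= patterns (alice's and carol's); bob's address and wildcard patterns and the Match Address block are fine without DNS. Prepending a "UseDNS yes" line instead yields a single note that every connection now blocks on the reverse lookup, which is the trade-off the comment above describes.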
Comment 2 Darren Tucker 2016-02-29 11:27:47 AEDT
There are also a couple of system-level dependencies when performing the login:
 - PAM_RHOST, if PAM is enabled.
 - writing remote hostname to utmp/wtmp records
Comment 3 Damien Miller 2016-08-02 10:41:13 AEST
Close all resolved bugs after 7.3p1 release