Hi, I'm using a 6.2-PRERELEASE and I got:

# uname -a
FreeBSD circe.cmp 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Wed Nov 15 16:13:14 CET 2006 root@circe.cmp:/usr/obj/usr/src/sys/PAECMP i386
# grep UseDNS /etc/ssh/sshd_config
UseDNS no
# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.

Now, start an ssh session from a client (192.168.7.8). My sshd machine is 192.168.18.3 and 192.168.18.251 is the DNS.

# tcpdump -ni bce0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
11:07:52.069663 IP 192.168.18.3.60321 > 192.168.18.251.53: 48923+ PTR? 8.7.168.192.in-addr.arpa. (42)
11:07:52.070551 IP 192.168.18.1.15679 > 128.8.10.90.53: 6929 [1au] PTR? 8.7.168.192.in-addr.arpa. (53)
11:07:55.078756 IP 192.168.18.1.15679 > 192.203.230.10.53: 29042 [1au] PTR? 8.7.168.192.in-addr.arpa. (53)
11:07:57.073039 IP 192.168.18.3.60321 > 192.168.18.251.53: 48923+ PTR? 8.7.168.192.in-addr.arpa. (42)

Am I wrong, or is the UseDNS directive ignored?

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
Add "-u0" to sshd_flags or openssh_flags in /etc/rc.conf.

Cristiano Deana wrote:
> Hi,
>
> I'm using a 6.2-PRERELEASE and I got:
>
> # uname -a
> FreeBSD circe.cmp 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Wed Nov 15
> 16:13:14 CET 2006 root@circe.cmp:/usr/obj/usr/src/sys/PAECMP i386
> # grep UseDNS /etc/ssh/sshd_config
> UseDNS no
> # /etc/rc.d/sshd restart
> Stopping sshd.
> Starting sshd.
>
> Now, start an ssh session from a client (192.168.7.8). My sshd machine
> is 192.168.18.3 and 192.168.18.251 is the DNS.
>
> # tcpdump -ni bce0 port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:07:52.069663 IP 192.168.18.3.60321 > 192.168.18.251.53: 48923+
> PTR? 8.7.168.192.in-addr.arpa. (42)
> 11:07:52.070551 IP 192.168.18.1.15679 > 128.8.10.90.53: 6929 [1au]
> PTR? 8.7.168.192.in-addr.arpa. (53)
> 11:07:55.078756 IP 192.168.18.1.15679 > 192.203.230.10.53: 29042
> [1au] PTR? 8.7.168.192.in-addr.arpa. (53)
> 11:07:57.073039 IP 192.168.18.3.60321 > 192.168.18.251.53: 48923+
> PTR? 8.7.168.192.in-addr.arpa. (42)
>
> Am I wrong, or is the UseDNS directive ignored?
Cristiano Deana wrote:
> Am I wrong, or is the UseDNS directive ignored?

"UseDNS no" only prevents sshd from performing a validation of the client's reverse lookup. That is, if you connect with a client whose hostname resolves to a different IP address than the one with which it connects, the server will reject it if UseDNS is "yes", but allow it if "no".

But "UseDNS no" does _not_ prevent the sshd server from performing any DNS lookups at all. That's not the purpose of that directive.

If you specify the -u0 option when starting sshd, it means that it will not put hostnames into the utmp structure (i.e. what you see when you type "w" at the shell prompt), which means that sshd will not perform DNS lookups for that purpose.

_However_, there are still cases where a lookup has to be performed: when a user has "from=<hostname>" entries in his authorized_keys file, or when authentication methods or configuration directives are used that involve hostnames.

Best regards
Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I invented Ctrl-Alt-Delete, but Bill Gates made it famous."
-- David Bradley, original IBM PC design team
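Oliver's last point, that "from=<hostname>" entries in authorized_keys still force a lookup no matter what UseDNS and -u0 say, is something an admin can audit for. The script below is an added example written for this thread, not code from OpenSSH or from anyone in the discussion; it scans a constructed authorized_keys sample and flags every from= pattern that is hostname-based rather than address-based.

```python
"""Audit an authorized_keys file for from= patterns that depend on DNS.

Added example for this thread, not OpenSSH code. A from= pattern that is a
plain address, a CIDR block, or a wildcard made only of digits, dots, '*'
and '?' can be matched against the client address alone; anything else
is a hostname pattern and is the case the thread says still needs a lookup.
"""
import ipaddress
import re

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3PLACEHOLDER== plain@example
from="192.168.7.8,10.0.0.0/8" ssh-rsa AAAAB3PLACEHOLDER== addr-only@example
from="*.example.org,client.cmp",no-pty ssh-rsa AAAAB3PLACEHOLDER== host@example
from="!bad.example.net,192.168.*" ssh-ed25519 AAAAC3PLACEHOLDER ed@example
"""

FROM_RE = re.compile(r'from="([^"]*)"')

def pattern_needs_dns(pattern: str) -> bool:
    """True when a from= pattern can only be matched against a hostname."""
    p = pattern.lstrip("!")          # negated patterns still need the name
    try:
        ipaddress.ip_network(p, strict=False)   # plain address or CIDR block
        return False
    except ValueError:
        pass
    # Wildcard patterns built only from digits, dots, '*' and '?' are
    # matched against the address string, so no lookup is needed.
    return re.fullmatch(r"[0-9.*?]+", p) is None

def parse_from_patterns(line: str) -> list:
    """Return the comma-separated from= patterns on one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = FROM_RE.search(line)
    return [p for p in m.group(1).split(",") if p] if m else []

def audit(text: str) -> list:
    """Return (line number, pattern) for every hostname-based from= pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in parse_from_patterns(line):
            if pattern_needs_dns(pat):
                findings.append((lineno, pat))
    return findings

if __name__ == "__main__":
    for lineno, pat in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: from= pattern {pat!r} is hostname-based (needs DNS)")
```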
I remember a discussion about this maybe a few years ago. I recall that it is basically impossible to stop ssh from looking up DNS addresses. The problem I was having was that ssh would take a long time to connect on my intranet, when my internet connection was slow or not working. I thought that the solution might be to put the relevant intranet addresses into /etc/hosts, but since sshd operates in some kind of jailed environment, that didn't work. Apparently there is some place where you can put hosts so that sshd will look at it. But I opted for a different option, and placed a DNS server on my intranet.
On Tue, Nov 21, 2006, Cristiano Deana wrote:
> # uname -a
> FreeBSD circe.cmp 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Wed Nov 15
> 16:13:14 CET 2006 root@circe.cmp:/usr/obj/usr/src/sys/PAECMP i386
> # grep UseDNS /etc/ssh/sshd_config
> UseDNS no
> # /etc/rc.d/sshd restart
> Stopping sshd.
> Starting sshd.
>
> Now, start an ssh session from a client (192.168.7.8). My sshd machine
> is 192.168.18.3 and 192.168.18.251 is the DNS.
>
> # tcpdump -ni bce0 port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:07:52.069663 IP 192.168.18.3.60321 > 192.168.18.251.53: 48923+
> PTR? 8.7.168.192.in-addr.arpa. (42)
[snip]

A wild guess: tcpwrappers are enabled, perhaps?