Is it still doing the reverse DNS, and *logging* the result, unless
you use 'sshd -u0'? There's a noticeable difference between doing a
reverse DNS for mere logging purposes, which can be very burdensome
in some high performance situations where you don't control external
NAT reverse DNS space, and *verifying* that the reverse DNS matches.
For various performance reasons when managing hundreds or thousands of
servers from a single SSH *push* host, I wound up setting their init
scripts to use 'sshd -u0'. That trick dates back to..... 2000, for me.
On Tue, Nov 11, 2014 at 10:09 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> In the dnsop (DNS Operations) working group at the IETF meeting today,
> there was a strong sense in the room that OpenSSH's sshd should not be
> checking reverse DNS of clients during connection by default, since it
> provides no real security benefit.
>
> This patch changes the default for UseDNS from "yes" to "no".
> ---
> servconf.c | 2 +-
> sshd_config | 2 +-
> sshd_config.5 | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/servconf.c b/servconf.c
> index b317e9c..93ea0cf 100644
> --- a/servconf.c
> +++ b/servconf.c
> @@ -290,7 +290,7 @@ fill_default_server_options(ServerOptions *options)
> if (options->max_sessions == -1)
> options->max_sessions = DEFAULT_SESSIONS_MAX;
> if (options->use_dns == -1)
> - options->use_dns = 1;
> + options->use_dns = 0;
> if (options->client_alive_interval == -1)
> options->client_alive_interval = 0;
> if (options->client_alive_count_max == -1)
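Review bot: the new default in fill_default_server_options() is consistent with the sample config and man page changes, but the commit message above justifies it only by the absent security benefit and says nothing about what administrators will notice after upgrading: the client's host name is no longer resolved at all unless UseDNS yes is set explicitly, so anything that used the resolved name (log lines, the utmp host field, host-name pattern matching) will carry the address instead. Suggest a sentence in the commit message stating that consequence and that sites depending on resolved names must set "UseDNS yes".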
> diff --git a/sshd_config b/sshd_config
> index e9045bc..9ac96f3 100644
> --- a/sshd_config
> +++ b/sshd_config
> @@ -112,7 +112,7 @@ UsePrivilegeSeparation sandbox # Default
for new installations.
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> -#UseDNS yes
> +#UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
> diff --git a/sshd_config.5 b/sshd_config.5
> index 43cc826..93cd581 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -1304,7 +1304,7 @@ should look up the remote host name and check that
> the resolved host name for the remote IP address maps back to the
> very same IP address.
> The default is
> -.Dq yes .
> +.Dq no .
> .It Cm UseLogin
> Specifies whether
> .Xr login 1
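Review bot: only the stated default changes in the UseDNS description, but the surrounding text ("should look up the remote host name and check that ... maps back to the very same IP address") now describes non-default behaviour, so the entry should also say what "no" gives up, in particular that without the lookup only addresses, not host names, can be matched by from= pattern lists in authorized_keys or by Match Host in sshd_config. One sentence following ".Dq no ." would cover it, e.g. "If this option is set to no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives."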
> --
> 2.1.1
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
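The distinction drawn in the reply above, between resolving the client's reverse DNS for logging and actually verifying that the name maps back to the connecting address, is easy to see in code. The following is an added example (not OpenSSH's own code, and not part of either message) with the resolver injected as two callables so it runs offline; the addresses, PTR names and A records are constructed sample data, not real hosts. The system_reverse/system_forward wrappers show the same check against the real resolver.

```python
"""Reverse DNS for logging versus forward-confirmed reverse DNS (FCrDNS).

Added example, not sshd's implementation. The check mirrors what the sshd_config(5)
text for UseDNS describes: resolve the client's PTR name, then confirm that the
name resolves back to the very same address before trusting it.
"""
import socket
from typing import Callable, List, Optional, Tuple

Reverse = Callable[[str], Optional[str]]   # ip -> PTR name, or None if no PTR
Forward = Callable[[str], List[str]]       # name -> list of addresses

# Constructed sample records (not real hosts): a client whose PTR and A records
# agree, a NAT gateway whose PTR name resolves to a different address (the
# "external NAT reverse DNS space" case), and an address with no PTR at all.
FAKE_PTR = {
    "203.0.113.10": "push-host.example.net",
    "203.0.113.11": "nat-gw.isp.example",
}
FAKE_A = {
    "push-host.example.net": ["203.0.113.10"],
    "nat-gw.isp.example": ["203.0.113.99"],
}


def fake_reverse(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR lookup."""
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    """Offline stand-in for an A/AAAA lookup."""
    return FAKE_A.get(name, [])


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver (does network I/O)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """A/AAAA lookup through the system resolver (does network I/O)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def log_only_name(ip: str, reverse: Reverse = fake_reverse) -> str:
    """Reverse lookup for logging only: whatever the PTR zone says, unverified.

    Whoever controls the PTR zone for the client's address chooses the string
    that ends up in the log; this costs a DNS round trip and proves nothing.
    """
    return reverse(ip) or ip


def fcrdns_name(ip: str, reverse: Reverse = fake_reverse,
                forward: Forward = fake_forward) -> Tuple[str, str]:
    """Forward-confirmed check: keep the PTR name only if it maps back to ip.

    Returns (name_to_use, status) with status one of 'verified', 'mismatch'
    or 'no-ptr'. On anything but 'verified' the bare address is used, which is
    the only value the peer cannot choose.
    """
    name = reverse(ip)
    if name is None:
        return ip, "no-ptr"
    if ip in forward(name):
        return name, "verified"
    return ip, "mismatch"


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.11", "198.51.100.5"):
        print(client, "log-only:", log_only_name(client),
              "fcrdns:", fcrdns_name(client))
```

Running the block prints the three constructed clients side by side: the NAT gateway's PTR name is accepted by the log-only path but rejected as a mismatch by the forward-confirmed one, which is the difference the reply is pointing at. Both paths cost at least one DNS query per connection, which is why neither runs at all when UseDNS is no.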