Thursday, 4 July 2013

Disabling reverse DNS lookups in ssh

Reverse DNS lookup is the procedure used by sshd and other login daemons (telnet, ftp, etc.) to verify the IP address of an incoming connection by resolving it back to a hostname.

Embedded-system networks often have no Internet connection and no DNS server. In that case an ssh login may take a long time (30 sec. or more) or may even be impossible (if sshd has been compiled with the PARANOID option).

Reverse DNS lookup can be disabled on the sshd server side.
First, set "UseDNS no" in the /etc/ssh/sshd_config file. The default is yes; if the line is not present in your config file, add it as below:

UseDNS no

This directive controls whether sshd checks that the hostname resolved for the connected client's IP address maps back to that very same IP address.

However, it does not prevent the sshd server from performing any DNS lookups at all. That's not the purpose of that directive.

In order to remove DNS lookups completely, you have to use the -u0 option when starting the sshd server. You can easily add this option to /etc/default/ssh or /etc/sysconfig/sshd, or wherever is suitable for your distribution.

The -u0 option means that sshd will not put hostnames into the utmp structure (i.e. what you see when you type "who" at the shell prompt), so sshd will not perform DNS lookups for that purpose. However, there are still cases where a lookup has to be performed: when a user has hostname-based entries in his authorized_keys file, or when authentication methods or configuration directives are used that involve hostnames.
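The two changes above (the UseDNS directive and the -u0 startup option) are easy to get wrong by hand: a commented-out "#UseDNS yes" line still leaves the default in force, and appending a second directive or a second "-u0" on every run leaves a messy config. The following script is an added example, not code from the original post: it reads the effective UseDNS value the way sshd does (last active directive wins, default yes), sets it to no idempotently, and adds -u0 to SSHD_OPTS in a Debian-style /etc/default/ssh file. It works on constructed sample files, not on the live system; the SSHD_OPTS single-line layout is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a plain OpenSSH-style
# sshd_config where the last matching directive wins, and a Debian-style
# /etc/default/ssh with a single SSHD_OPTS="..." line.

# Print the effective UseDNS value from a config file. Commented-out lines are
# ignored; if no active directive exists, sshd's default ("yes") is reported.
effective_usedns() {
    awk 'tolower($1) == "usedns" { v = tolower($2) }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Ensure exactly one active "UseDNS no" directive: replace any active UseDNS
# line in place, otherwise append one. Safe to run repeatedly.
set_usedns_no() {
    file="$1"
    if grep -iq '^[[:space:]]*UseDNS[[:space:]]' "$file"; then
        sed 's/^[[:space:]]*[Uu][Ss][Ee][Dd][Nn][Ss][[:space:]].*/UseDNS no/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'UseDNS no\n' >> "$file"
    fi
}

# Add -u0 to SSHD_OPTS (hostnames are then never written to utmp, so sshd
# skips the lookup for that purpose). Does nothing if -u0 is already present;
# the sed 't' command stops after the empty-string case so -u0 is not doubled.
add_sshd_u0() {
    file="$1"
    if grep -q '^SSHD_OPTS=.*-u0' "$file"; then
        return 0
    fi
    if grep -q '^SSHD_OPTS=' "$file"; then
        sed -e 's/^SSHD_OPTS=""$/SSHD_OPTS="-u0"/' -e 't' \
            -e 's/^SSHD_OPTS="\(.*\)"$/SSHD_OPTS="\1 -u0"/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'SSHD_OPTS="-u0"\n' >> "$file"
    fi
}

# Demonstration on constructed files (never /etc/ssh/sshd_config itself).
demo() {
    cfg=$(mktemp) && defaults=$(mktemp)
    printf '#UseDNS yes\nPermitRootLogin no\n' > "$cfg"   # constructed sample
    printf 'SSHD_OPTS=""\n' > "$defaults"                  # constructed sample
    echo "before: UseDNS=$(effective_usedns "$cfg")"
    set_usedns_no "$cfg"
    add_sshd_u0 "$defaults"
    echo "after:  UseDNS=$(effective_usedns "$cfg"), $(cat "$defaults")"
    rm -f "$cfg" "$defaults"
}
```

On a real host, run `sshd -t` after editing to check the syntax and `sshd -T | grep -i usedns` to see the value sshd will actually apply, then restart the service so the -u0 option takes effect.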

With this method you can disable ssh reverse DNS lookups in most situations; it is not a system-wide fix, however.
For a system-wide solution, consider installing a local DNS cache server such as dnsmasq and configuring it to answer reverse lookups for private address ranges locally instead of forwarding them (bogus-priv option), as described here:
