From owner-freebsd-hackers@FreeBSD.ORG Wed Apr 30 22:48:19 2008 Return-Path: Delivered-To: hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 386691065671 for ; Wed, 30 Apr 2008 22:48:19 +0000 (UTC) (envelope-from bruce@cran.org.uk) Received: from muon.bluestop.org (unknown [IPv6:2001:41c8:1:548a::2]) by mx1.freebsd.org (Postfix) with ESMTP id A12FB8FC0C for ; Wed, 30 Apr 2008 22:48:18 +0000 (UTC) (envelope-from bruce@cran.org.uk) Received: from [10.0.20.131] (cran1.demon.co.uk [80.177.26.208]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by muon.bluestop.org (Postfix) with ESMTP id 4CCEE30108 for ; Wed, 30 Apr 2008 23:48:17 +0100 (BST) Message-ID: <4818F72C.90300@cran.org.uk> Date: Wed, 30 Apr 2008 23:48:12 +0100 From: Bruce Cran User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: hackers@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: sshd patch to avoid DNS lookups when using 'UseDNS no' or -u0 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2008 22:48:19 -0000 While investigating PR bin/97499 I realised that revision 1.2 of loginrec.c, which was in FreeBSD 4.6, introduced a DNS lookup into sshd itself which is impossible to avoid even after specifying 'UseDNS no' or -u0, and which duplicates one which has already been done earlier. The default OpenSSH behaviour is to decide whether or not to do the DNS lookup in get_remote_name_or_ip based on both the UseDNS setting and whether -u0 was specified on the command line. This has the disadvantage that unless the utmp length is specified on the command line the IP address may be resolved even when the hostname later has to be truncated to fit in the utmp record; it's this that rev 1.2 of loginrec.c fixed. A alternative solution which avoids the extra DNS lookup is to initialize the utmp_len variable in sshd.c to be UT_HOSTSIZE instead of MAXHOSTNAMELEN: this keeps the existing behaviour but still allows the user to override it with the -u parameter. I've attached a patch which implements this (the change to loginrec.c reverts it back to the default OpenSSH code) and was wondering if someone could take a look at it. -- Bruce --- /usr/src/crypto/openssh/loginrec.c 2006-09-30 14:38:04.000000000 +0100 +++ loginrec.c 2008-03-31 21:45:37.000000000 +0100 @@ -688,8 +688,8 @@ strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); # ifdef HAVE_HOST_IN_UTMP - realhostname_sa(ut->ut_host, sizeof ut->ut_host, - &li->hostaddr.sa, li->hostaddr.sa.sa_len); + strncpy(ut->ut_host, li->hostname, + MIN_SIZEOF(ut->ut_host, li->hostname)); # endif # ifdef HAVE_ADDR_IN_UTMP /* this is just a 32-bit IP address */ --- /usr/src/crypto/openssh/sshd.c 2006-11-10 16:52:41.000000000 +0000 +++ sshd.c 2008-03-31 21:45:41.000000000 +0100 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include @@ -235,7 +236,7 @@ u_int session_id2_len = 0; /* record remote hostname or ip */ -u_int utmp_len = MAXHOSTNAMELEN; +u_int utmp_len = UT_HOSTSIZE; /* options.max_startup sized array of fd ints */ int *startup_pipes = NULL;