Date:      17 Jan 2003 21:16:13 -0000
From:      Frank Tegtmeyer <fte@fte.to>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        fte@fte.to
Subject:   ports/47169: PTR lookup at wrong (local) nameserver by SSHD
Message-ID:  <20030117211613.10963.qmail@dns.tegtmeyer.com>


>Number:         47169
>Category:       ports
>Synopsis:       PTR lookup at wrong (local) nameserver by SSHD
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 17 13:20:01 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Frank Tegtmeyer
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
private
>Environment:
System: FreeBSD sg820805.de 4.7-STABLE FreeBSD 4.7-STABLE #0: Tue Jan 14 10:37:36 CET 2003 root@sg820805.de:/usr/src/sys/compile/ROOTSERVER i386
Installed software: daemontools (http://cr.yp.to/daemontools.html)
                    djbdns (http://cr.yp.to/djbdns.html)
                    ucspi-tcp (http://cr.yp.to/ucspi-tcp.html)

sshd_config (added ClientAliveInterval and UsePrivilegeSeparation):
#	$OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.4.2.10 2002/07/26 15:18:32 fanf Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20020629

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes
ClientAliveInterval 15

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

>Description:
	SSHD looks up the PTR record of the connecting host. When running
	a local resolver/cache (dnscache) on 127.0.0.1 and a
	DNS (content-) server on the external interface, the lookups are
	done through the server at the external interface even when the
	only entry in /etc/resolv.conf is "nameserver 127.0.0.1".
	It's unclear if this is an issue with SSHD or the underlying
	C library.
>How-To-Repeat:
	Run Daniel Bernstein's DNS servers (http://cr.yp.to/djbdns.html)
	with dnscache on 127.0.0.1 and tinydns on the external interface.
	Set /etc/resolv.conf to "nameserver 127.0.0.1" so that the
	dnscache daemon does all resolving.
	Connect to the SSH daemon - you will get long delays.
	The dnscache logfile shows not a single request for the PTR of the
	connecting host. The tinydns logfile shows the PTR requests, which
	are of course not answered by tinydns when it is not responsible
	for that data.
>Fix:
	No idea.


>Release-Note:
>Audit-Trail:
>Unformatted:
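Added example (not part of the PR, not djbdns or OpenSSH code): a Python check over tinydns query-log lines that flags PTR queries the content server dropped, which is the symptom the How-To-Repeat section describes (reverse lookups that should have reached dnscache on 127.0.0.1 turning up in the tinydns log instead). The field layout follows tinydns' query log; the sample lines, addresses and names are constructed.

```python
"""Added example, not part of the PR: flag reverse (PTR) lookups that reached
tinydns instead of dnscache, the symptom described in ports/47169.

tinydns logs one line per query as
    <client-ip-hex>:<port-hex>:<id-hex> <code> <qtype-hex> <name>
where '+' means answered and '-' means dropped because tinydns holds no data
for that name. A '-' line with qtype 000c (PTR) on the content server is the
misdirected sshd lookup the reporter saw. Sample lines below are constructed."""
import re
from typing import List, Optional, Tuple

PTR_QTYPE = "000c"

LINE_RE = re.compile(
    r"^(?:@[0-9a-f]{24}\s+)?"                        # optional multilog @tai64n stamp
    r"([0-9a-f]{8}):([0-9a-f]{4}):([0-9a-f]{4})\s+"  # client ip:port:id, all hex
    r"(\S)\s+([0-9a-f]{4})\s+(\S+)$"                 # result code, qtype, name
)

def hex_ip(h: str) -> str:
    """Decode the 8-hex-digit IPv4 client address, e.g. 7f000001 -> 127.0.0.1."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))

def ptr_target(name: str) -> Optional[str]:
    """Turn 4.3.2.1.in-addr.arpa back into 1.2.3.4; None if not an IPv4 PTR name."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))

def dropped_ptr_queries(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(querying client, host being reverse-resolved) for every PTR tinydns dropped."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "-" and m.group(5) == PTR_QTYPE:
            hits.append((hex_ip(m.group(1)), ptr_target(m.group(6)) or m.group(6)))
    return hits

# Constructed sample: an answered A query, the dropped PTR for a connecting
# SSH client (198.51.100.23), and an answered PTR inside a zone tinydns serves.
SAMPLE_LOG = [
    "@400000003e2857ed2bd5b234 c0000205:8a3b:1f2c + 0001 www.example.com",
    "@400000003e2857f00a1c4e0c c0000205:c13e:7d91 - 000c 23.100.51.198.in-addr.arpa",
    "@400000003e2857f1123ab0f4 cb00710a:0035:0a11 + 000c 5.2.0.192.in-addr.arpa",
]

if __name__ == "__main__":
    for client, host in dropped_ptr_queries(SAMPLE_LOG):
        print(f"PTR for {host} went to the content server (asked by {client})")
```

Any hit here means the resolver that sshd used did not follow /etc/resolv.conf to 127.0.0.1; an empty result while sshd still stalls points the investigation elsewhere.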
