Date:      Mon, 08 Sep 2003 15:59:51 -0500
From:      Jeremy Messenger <mezz7@cox.net>
To:        Andreas Klemm <andreas@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: PUzzling sshd behaviour
Message-ID:  <opru68l1a78ckrg5@smtp.central.cox.net>
In-Reply-To: <20030908202727.GA49862@titan.klemm.apsfilter.org>
References:  <3F589E94.1080508@xwave.com> <20030905154646.GA59881@rot13.obsecurity.org> <20030906213428.GF29217@spc.org> <3F5A8FDB.3050507@newsguy.com> <20030907015510.GG29217@spc.org> <20030908202727.GA49862@titan.klemm.apsfilter.org>

On Mon, 8 Sep 2003 22:27:27 +0200, Andreas Klemm <andreas@freebsd.org> 
wrote:

> On Sun, Sep 07, 2003 at 02:55:10AM +0100, Bruce M Simpson wrote:
>> On Sat, Sep 06, 2003 at 10:54:35PM -0300, Daniel C. Sobral wrote:
>> > Bruce M Simpson wrote:
>> > >On Fri, Sep 05, 2003 at 08:46:46AM -0700, Kris Kennaway wrote:
>> > >>The fact that sshd requires reverse IP resolution is well-known
>> > >>behaviour.  It's probably the most common FAQ about sshd ("Why is my
>> > >>login taking 60 seconds to present the password prompt?").
>> > >
>> > >But what about:
>> > >     VerifyReverseMapping
>> > >             Specifies whether sshd should try to verify the remote host
>> > >             name and check that the resolved host name for the remote IP
>> > >             address maps back to the very same IP address.  The default is
>> > >             ``no''.
>> >
>> > AFAIK, that means the reverse mapping result will not be held against
>> > you. :-)
>>
>> This sounds like a bug. Does anyone else agree?
>
> Yes and I really needed this functionality in a project for 12 Suns...
>
> But it didn't work as expected from the description.
>
> And for me a functionality like being able to prevent reverse lookup
> would be completely logical ...
>
> Result was to create about 20 /etc/hosts entries on every sun, to
> prevent this 60 seconds timeout for our Out Of Band login via VPN
> and from sun to sun etc etc

My solution is to install and set up dnscache to do the local DNS cache.

Cheers,
Mezz

> 	Andreas ///


-- 
bsdforums.org 's moderator, mezz.
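
The check that the quoted VerifyReverseMapping text describes (reverse-resolve the client address, then confirm that name resolves back to the same address), as an added example that is not part of this thread and is not OpenSSH's code. It also times the reverse lookup, since that lookup is where the login delay discussed above comes from; the function names and the sample addresses are constructed for illustration.

```python
import socket
import time

def system_reverse(ip):
    """PTR lookup via the system resolver; returns a host name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # covers socket.herror / socket.gaierror
        return None

def system_forward(name):
    """Forward lookup via the system resolver; returns a set of addresses."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_reverse_mapping(ip, reverse=system_reverse, forward=system_forward):
    """Return (status, name, seconds spent on the reverse lookup).

    status is "no-ptr" (no reverse record), "verified" (name maps back to
    the same IP) or "mismatch" (name exists but resolves elsewhere).
    """
    start = time.monotonic()
    name = reverse(ip)
    elapsed = time.monotonic() - start
    if name is None:
        return ("no-ptr", None, elapsed)
    if ip in forward(name):
        return ("verified", name, elapsed)
    return ("mismatch", name, elapsed)

# Constructed sample data (documentation address ranges), not from the thread.
PTR = {"192.0.2.10": "host-a.example.net", "192.0.2.20": "host-b.example.net"}
A = {"host-a.example.net": {"192.0.2.10"}, "host-b.example.net": {"198.51.100.5"}}

def demo():
    """Run the check against the in-memory tables so it works offline."""
    results = {}
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        status, name, _ = check_reverse_mapping(
            ip, reverse=PTR.get, forward=lambda n: A.get(n, set()))
        results[ip] = (status, name)
    return results

if __name__ == "__main__":
    for ip, (status, name) in demo().items():
        print(ip, status, name)
```

Calling `check_reverse_mapping(ip)` with the default resolvers on a host that shows the delay reports how long the PTR query alone takes.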


