Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Dev
[PATCH] Only set PAM_RHOST if the remote host is not "UNKNOWN"
daan.j.demeyer at gmail
Apr 2, 2024, 6:31 AM
Post #1 of 2 (37 views)
Permalink
When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.

To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
---
auth-pam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth-pam.c b/auth-pam.c
index b49d415e7..706b02420 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
sshpam_laddr = get_local_ipaddr(
ssh_packet_get_connection_in(s
sh));
}
- if (sshpam_rhost != NULL) {
+ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
sshpam_rhost);
--
2.43.0
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [PATCH] Only set PAM_RHOST if the remote host is not "UNKNOWN" [ In reply to ]
cjwatson at debian
Apr 2, 2024, 7:49 AM
Post #2 of 2 (37 views)
Permalink
On Tue, Apr 02, 2024 at 03:31:49PM +0200, Daan De Meyer wrote:
> When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
> socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
> set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
> query of "UNKNOWN", which times out multiple times, causing a
> substantial slowdown when logging in.
>
> To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

I suspect this might also allow removing an ugly workaround from
Debian's regression test harness:

https://salsa.debian.org/ssh-team/openssh/-/blob/647f33f8b6/debian/tests/regress#L69-78

(We specifically arrange to run the regression tests with "UsePAM yes"
because that's how our packages are configured by default, and that
changes enough things that it's worth testing.)

--
Colin Watson (he/him) [cjwatson@debian.org]
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal