[Bug 424371] Re: Logins to OpenSSH server slow due to "UseDNS yes" config

Rodney Beede 424371 at bugs.launchpad.net
Wed Mar 5 17:45:07 UTC 2014


I'd propose submitting a request upstream to make the default setting
for UseDNS be No.

Additionally add comments in the sshd_config and man page:

# UseDNS - Determines whether IP Address to Hostname lookup and comparison is performed
# Default value is No which avoids login delays when the remote client's DNS cannot be resolved
# Value of No implies that the usage of "from=" in authorized_keys will not support DNS host names but only IP addresses.
# Value of Yes supports host names in "from=" for authorized_keys.  Additionally, if the remote client's IP address does not match the resolved DNS host name (or could not be resolved by reverse lookup), then a warning is logged.
# UseDNS Yes

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/424371

Title:
  Logins to OpenSSH server slow due to "UseDNS yes" config

Status in “openssh” package in Ubuntu:
  Confirmed

Bug description:
  When logging in to my Ubuntu 8.04 Server edition server via SSH
  (client PuTTY), logins take exactly 20 seconds from the time the
  username is entered and the time the password request appears.

  The problem is caused by the "UseDNS yes" config parameter.  When it
  is changed to "UseDNS no", the server logs in instantly.

  The cause of the problem is that the server is in a network that does
  not have a DHCP server to store client hostnames, and thus, when
  requesting the hostname, it waits for the request to timeout.  When
  the same server is put on a network with a DHCP server, the logins are
  instantaneous as well.

  Another workaround is to put the client's hostname and IP address in
  /etc/hosts.

  This bug has similar symptoms to
  https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/84899 , but in
  my case, disabling GSSAPIAuthentication does not resolve the issue.

  I would disable UseDNS permanently, but I am skittish because it
  sounds like a security feature.  Unfortunately, it seems worthless;
  when I put the client's hostname and the WRONG IP address in
  /etc/hosts, the connection still is successful (after a 20 second
  delay).  That poses the question: what is the point of UseDNS?

  In bug 84899, someone suggests changing /etc/nsswitch.conf, but my
  configuration was already like the recommended fix.

  All config files are at their defaults.

  To Reproduce:
  Install Ubuntu Server 8.04
  `apt-get install openssh-server`
  Put machine on non-DHCP network
  Connect to machine's IP

  `lsb_release -rd`
  Description: Ubuntu 8.04.3 LTS
  Release: 8.04

  `apt-cache policy openssh-server`
  Installed: 1:4.7p1-8ubuntu1.2
