DNS latency on SSH connections

When DNS is down, an ssh connection, even one made directly to the target machine's IP address, can take a long time before it responds, which is puzzling at first: the delay comes from the server side, where sshd tries to resolve the client's address before going any further.

To avoid DNS resolution problems in ssh, in particular reverse DNS lookups, I suggest changing the default sshd configuration on servers.

$ grep UseDNS /etc/ssh/sshd_config
UseDNS no

The sshd daemon must also be started with the option: -u0

Debian-like:

$ grep SSHD_OPTS /etc/default/ssh
SSHD_OPTS="-u0"

BSD-like:

$ grep sshd_flags /etc/rc.conf
sshd_flags="-u0"
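A small audit script, added here as an example and not part of the original post, that checks whether a host applies both settings above: "UseDNS no" in sshd_config and "-u0" in the daemon options (SSHD_OPTS on Debian-like, sshd_flags on BSD-like systems). The file paths are parameters and the sample files are constructed, so it runs offline; point it at the real files to audit a server.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether an sshd host avoids
# reverse DNS lookups, i.e. "UseDNS no" in sshd_config plus "-u0" in the daemon
# options (SSHD_OPTS on Debian-like, sshd_flags on BSD-like systems). File paths
# are parameters, so the check runs offline against the constructed samples below.

# Return 0 if the first effective UseDNS directive in $1 is "no".
# sshd(8) keeps the first occurrence of a keyword, so later duplicates are ignored.
check_usedns() {
  val=$(grep -iE '^[[:space:]]*UseDNS[[:space:]]' "$1" | head -n 1 | awk '{print tolower($2)}')
  [ "$val" = "no" ]
}

# Return 0 if the daemon options file $1 passes -u0 (or "-u 0") to sshd.
# These are shell-style files, so the last assignment wins (tail -n 1).
check_u0() {
  grep -E '^[[:space:]]*(SSHD_OPTS|sshd_flags)=' "$1" | tail -n 1 \
    | grep -qE -- '-u[[:space:]]?0([^0-9]|$)'
}

# Combined verdict: print "nodns" and return 0 when both settings are in place,
# otherwise print what is missing and return 1.
audit_sshd_dns() {
  missing=""
  check_usedns "$1" || missing="$missing UseDNS=no"
  check_u0 "$2"     || missing="$missing -u0"
  if [ -z "$missing" ]; then echo nodns; return 0; fi
  echo "missing:$missing"; return 1
}

# Constructed sample files (not real system files).
SAMPLE_DIR=$(mktemp -d)
printf '# comment\nUseDNS no\nUseDNS yes\n' > "$SAMPLE_DIR/sshd_config.good"
printf 'Port 22\n# UseDNS no\n' > "$SAMPLE_DIR/sshd_config.default"   # commented out: default "yes"
printf 'SSHD_OPTS="-u0"\n' > "$SAMPLE_DIR/ssh.debian"
printf 'sshd_enable="YES"\nsshd_flags="-4 -u 0"\n' > "$SAMPLE_DIR/rc.conf.bsd"
printf 'SSHD_OPTS=""\n' > "$SAMPLE_DIR/ssh.plain"

audit_sshd_dns "$SAMPLE_DIR/sshd_config.good" "$SAMPLE_DIR/ssh.debian"          # nodns
audit_sshd_dns "$SAMPLE_DIR/sshd_config.good" "$SAMPLE_DIR/rc.conf.bsd"         # nodns
audit_sshd_dns "$SAMPLE_DIR/sshd_config.default" "$SAMPLE_DIR/ssh.plain" || :   # missing: UseDNS=no -u0
```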

Otherwise, a secondary DNS server can also do the job.

For further information, see below.

man sshd_config:

UseDNS Specifies whether sshd(8) should look up the remote host name and
check that the resolved host name for the remote IP address maps back to
the very same IP address. The default is "yes".

man sshd:

-u len This option is used to specify the size of the field in the utmp
structure that holds the remote host name.
[...]
Specifying -u0 indicates that only dotted decimal addresses should be
put into the utmp file.
-u0 may also be used to prevent sshd from making DNS requests unless the
authentication mechanism or configuration requires it. Authentication
mechanisms that may require DNS include RhostsRSAAuthentication,
HostbasedAuthentication, and using a from="pattern-list" option in a key
file. Configuration options that require DNS include using a USER@HOST
pattern in AllowUsers or DenyUsers.


4 Responses to DNS latency on SSH connections

  1. bapt says:

    Your sed -ie is not portable; for example, on FreeBSD your command will at worst throw an error and at best create a file named sshd_confige.

  2. Aman says:

    ok, I know this post is out of date, but I was thinking of people finding help now. I think that the problem is not the port assigned to ssh, but the use of the character tilde (this represents home, isn't it?) in the command; when someone encloses the line like ssh xxxx, this escapes the character tilde and your command works ok. Am I wrong? Thanks in advance. (Sorry I can't include the character tilde right now!)

  3. Lora says:

    Not only is this more intuitive, but this was the only thing that would work on my Debian Lenny (5.0.6) machine. Thanks for the tip, and you might want to consider updating the main post. Cheers, Antoine
