UnixServerAdmin

Server Administration & Management

How to Prevent hostname lookups with OpenSSH

When a client connects to an OpenSSH sshd server, the daemon by default performs a reverse DNS lookup on the client's IP address and then checks that the resulting host name resolves back to that same address.
If the DNS configuration on the host is broken, or the DNS server it uses is slow or unreachable, every login can stall for around 30 seconds (the resolver timeout) before authentication proceeds. Switching the lookup off in sshd_config is easy, but be aware of what you give up: sshd no longer verifies the host name/IP mapping, connections are logged by IP address only, and host name patterns (for example `from=` entries in authorized_keys or Match Host directives) will no longer match.

On most Linux distributions the file is /etc/ssh/sshd_config. Add the following line, or change an existing UseDNS line (sshd uses the first value it finds for a keyword, so a later duplicate is ignored):

UseDNS no

This is correct for recent versions of sshd. Older versions, from before UseDNS was introduced, used the VerifyReverseMapping option instead; there the equivalent change is to disable the reverse-mapping check:

VerifyReverseMapping no

After making the change, restart (or reload) the SSH daemon so it rereads the file. Established sessions are not affected, only the listener is replaced. The service name varies by distribution: it is sshd on Red Hat derived systems and ssh on Debian and Ubuntu.

# /etc/init.d/sshd restart
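The whole procedure as an idempotent script, added here as an example and not part of the original post. It assumes a POSIX shell with awk and mktemp; the function names (sshd_get_option, sshd_set_option, sshd_apply_usedns_no) and the --apply flag are my own. The editing functions work on any sshd_config-style file so they can be exercised on a copy first; the apply step backs the file up, runs sshd's own syntax check before restarting, and prints the effective value afterwards.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh, awk, mktemp.
set -eu

# Print the effective value of KEY in FILE: the first active (uncommented)
# line wins, which is exactly how sshd resolves duplicates. Prints nothing if absent.
sshd_get_option() {
    file=$1; key=$2
    awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file"
}

# Set KEY to VALUE in FILE. The first active line for KEY is rewritten, any
# later duplicates are dropped (they would be ignored by sshd anyway), commented
# lines such as "#UseDNS yes" are left untouched, and the keyword is appended if
# it was never present. Keyword matching is case-insensitive, as in sshd.
sshd_set_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        tolower($1) == tolower(k) {
            if (!done) { print k, v; done = 1 }   # rewrite the first active line
            next                                  # drop later duplicates
        }
        { print }
        END { if (!done) print k, v }             # append if never present
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write back through the existing inode: keeps owner and mode
    rm -f "$tmp"
}

# Apply "UseDNS no" to the live system. Requires root. Only runs when the
# script is invoked as: sh thisscript.sh --apply [/path/to/sshd_config]
sshd_apply_usedns_no() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%s)"   # keep a backup of the original
    sshd_set_option "$cfg" UseDNS no
    sshd -t -f "$cfg"                      # syntax check BEFORE touching the daemon
    if command -v systemctl >/dev/null 2>&1; then
        # Red Hat derived systems call the unit sshd, Debian and Ubuntu call it ssh
        systemctl restart sshd 2>/dev/null || systemctl restart ssh
    else
        /etc/init.d/sshd restart
    fi
    sshd -T -f "$cfg" | grep -i '^usedns'  # show the effective value as sshd sees it
}

if [ "${1:-}" = "--apply" ]; then
    sshd_apply_usedns_no "${2:-/etc/ssh/sshd_config}"
fi
```

The `sshd -T` check at the end is the authoritative test: it prints the configuration the daemon actually uses after parsing, so if a duplicate or a stray Match block had got in the way it would show up there rather than in a slow login later.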

UseDNS – Specifies whether sshd should look up the remote host name and check that the resolved host name
for the remote IP address maps back to the very same IP address. The default is "yes".

Note that OpenSSH changed this default to "no" in release 6.8, so on a current system the lookup is usually already off unless a distribution or an administrator has turned it back on; the option is still worth checking explicitly when logins are slow.


February 19, 2011 | Security, SSH