NetBSD-Bugs archive


bin/48874: sshd: "UseDNS=no" dysfunctional



>Number:         48874
>Category:       bin
>Synopsis:       sshd: "UseDNS=no" dysfunctional
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 05 13:55:00 +0000 2014
>Originator:     rudolf
>Release:        6.1_STABLE
>Organization:
>Environment:
NetBSD 6.1_STABLE (XEN3_DOMU) amd64, built from CVS at Fri May 23 18:51:55 CEST 2014
>Description:
Setting the configuration option "UseDNS" to "no" in /etc/ssh/sshd_config of
an sshd server does not stop the sshd server from trying to reverse map the IP
address of an ssh client using DNS.

Here is a part (to the point of the reverse lookup) of debugging output of 
"sshd -d -d -d". From my reading of get_remote_hostname() in 
crypto/external/bsd/openssh/dist/canohost.c, the last line should not be 
reachable with "UseDNS=no":

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 343
debug2: parse_server_config: config /etc/ssh/sshd_config len 343
debug1: Config token is logingracetime
debug3: /etc/ssh/sshd_config:38 setting LoginGraceTime 600
debug1: Config token is permitrootlogin
debug3: /etc/ssh/sshd_config:39 setting PermitRootLogin without-password
debug1: Config token is allowusers
debug3: /etc/ssh/sshd_config:44 setting AllowUsers root
debug1: Config token is authorizedkeysfile
debug3: /etc/ssh/sshd_config:51 setting AuthorizedKeysFile .ssh/authorized_keys
debug1: Config token is passwordauthentication
debug3: /etc/ssh/sshd_config:64 setting PasswordAuthentication no
debug1: Config token is printmotd
debug3: /etc/ssh/sshd_config:88 setting PrintMotd no
debug1: Config token is usepam
debug3: /etc/ssh/sshd_config:93 setting UsePam no
debug1: Config token is usedns
debug3: /etc/ssh/sshd_config:98 setting UseDNS no
debug1: Config token is subsystem
debug3: /etc/ssh/sshd_config:124 setting Subsystem sftp /usr/libexec/sftp-server
debug1: HPN Buffer Size: 32768
debug1: sshd version OpenSSH_5.9 NetBSD_Secure_Shell-20110907
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug1: rexec_argv[4]='-d'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
debug1: Server TCP RWIN socket size: 32768
debug1: HPN Buffer Size: 32768
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
debug1: Server TCP RWIN socket size: 32768
debug1: HPN Buffer Size: 32768
Server listening on 0.0.0.0 port 22.

debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 343
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 9
debug1: inetd sockets after dupping: 3, 3
Connection from 10.0.0.254 port 57061
debug1: HPN Disabled: 0, HPN Buffer Size: 32768
debug1: Client protocol version 2.0; client software version OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
SSH: Server;Ltype: Version;Remote: 10.0.0.254-57061;Protocol: 2.0;Client: OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
debug1: match: OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 199
debug3: preauth child monitor started
debug3: privsep user:group 16:16 [preauth]
debug1: permanently_set_uid: 16/16 [preauth]
debug1: MYFLAG IS 1 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: AUTH STATE IS 0 [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
SSH: Server;Ltype: Kex;Remote: 10.0.0.254-57061;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 5 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x7f7ff7b012a0(167)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user root service ssh-connection method none [preauth]
SSH: Server;Ltype: Authname;Remote: 10.0.0.254-57061;Name: root [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 343
debug1: Config token is logingracetime
debug1: Config token is permitrootlogin
debug1: Config token is allowusers
debug1: Config token is authorizedkeysfile
debug1: Config token is passwordauthentication
debug1: Config token is printmotd
debug1: Config token is usepam
debug1: Config token is usedns
debug1: Config token is subsystem
debug3: Trying to reverse map address 10.0.0.254.


>How-To-Repeat:
0) put UseDNS=no into /etc/ssh/sshd_config

1) put the following into /etc/rc.conf:
sshd=YES
sshd_flags="-d -d -d"

2) restart the sshd server

3) connect to the sshd server from a client

4) observe the "Trying to reverse map address <...>." point of debugging output

>Fix:


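The script below is an added example for this report; it is not code from the PR, from NetBSD or from OpenSSH. It turns step 4 of How-To-Repeat into something that can be run over the captured debug output: it reads the effective UseDNS value from the config-parser lines ("setting UseDNS <value>"), lists the client addresses for which sshd printed "Trying to reverse map address", and flags the combination the PR describes (UseDNS no, lookup still attempted). The embedded log excerpt is constructed from the lines quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from PR bin/48874, NetBSD or OpenSSH: scan an
# "sshd -d -d -d" debug log and report whether sshd attempted a reverse DNS
# lookup of a client address even though the parsed config set UseDNS to no.

# Effective UseDNS value as recorded by the config parser: the last
# "setting UseDNS <value>" line wins; "unset" if the option never appears
# (the compiled-in default for UseDNS in OpenSSH 5.9 is "yes").
usedns_effective() {
    awk '/ setting UseDNS /{v=$NF} END{print (v=="" ? "unset" : tolower(v))}' "$1"
}

# Client addresses for which sshd announced a reverse lookup
# ("debug3: Trying to reverse map address <ip>."), one per line, no duplicates.
reverse_mapped_addrs() {
    awk '/Trying to reverse map address /{
            a=$NF; sub(/\.$/, "", a)          # strip the trailing full stop
            if (!(a in seen)) { seen[a]=1; print a }
         }' "$1"
}

# Return 0 when the log is consistent with the configured value, 1 when
# UseDNS is "no" but at least one reverse lookup was still attempted.
usedns_honoured() {
    v=$(usedns_effective "$1")
    n=$(reverse_mapped_addrs "$1" | wc -l | tr -d ' ')
    if [ "$v" = "no" ] && [ "$n" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Constructed excerpt modelled on the debug output quoted in the PR; on a real
# host use the output captured from sshd started with sshd_flags="-d -d -d".
sample_log=$(mktemp "${TMPDIR:-/tmp}/sshd-usedns.XXXXXX")
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
debug3: /etc/ssh/sshd_config:98 setting UseDNS no
debug1: Config token is subsystem
Connection from 10.0.0.254 port 57061
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 343
debug1: Config token is usedns
debug3: Trying to reverse map address 10.0.0.254.
EOF

if usedns_honoured "$sample_log"; then
    echo "UseDNS=$(usedns_effective "$sample_log"): no unexpected reverse lookups"
else
    echo "UseDNS=$(usedns_effective "$sample_log") but sshd reverse-mapped:"
    reverse_mapped_addrs "$sample_log" | sed 's/^/  /'
fi
```

Two independent checks are worth adding when confirming this on a live host. `sshd -T` (present in OpenSSH 5.9) dumps the effective configuration and should print `usedns no`, which rules out a typo or a later override in sshd_config. A packet capture on the resolver path during a test connection, for example `tcpdump -ni <interface> udp port 53`, shows whether the PTR query for the client address (254.0.0.10.in-addr.arpa for 10.0.0.254) actually leaves the host. The debug line only records the attempt, not the resolver's answer, but with UseDNS set to no the attempt itself is the defect: the point of the setting is to keep pre-authentication sshd from waiting on, or leaking connection metadata to, DNS.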
