Only set PAM_RHOST if the remote host is not "UNKNOWN"

Luca Boccassi requested to merge bluca/openssh:pam_unknown into master

When using sshd's -i option with stdio that is not an AF_INET/AF_INET6 socket, auth_get_canonical_hostname() returns "UNKNOWN", which is then set as the value of PAM_RHOST, causing PAM to try to do a reverse DNS query of "UNKNOWN", which times out multiple times, causing a substantial slowdown when logging in.

To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

Hope I am doing things right, I am really not familiar with git-dpm workflows.

This patch has been proposed upstream in various ways, but completely ignored:

https://github.com/openssh/openssh-portable/pull/388

https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-April/041289.html

Fedora is now going to pull this in as it fixes an annoying issue:

https://src.fedoraproject.org/rpms/openssh/pull-request/71
