openssh sets PAM_RHOST to UNKNOWN causing slow logins

Bug #2060150 reported by Luca Boccassi
This bug affects 1 person
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Nick Rosbrook

Bug Description

When using sshd's -i option with stdio that is not an AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing PAM to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.

upstream PR: https://github.com/openssh/openssh-portable/pull/388
upstream email: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-April/041289.html
Fedora backport: https://src.fedoraproject.org/rpms/openssh/pull-request/71
Debian backport: https://salsa.debian.org/ssh-team/openssh/-/merge_requests/25

Tags: server-todo
Nick Rosbrook (enr0n)
Changed in openssh (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Paride Legovini (paride)
tags: added: server-todo
Nick Rosbrook (enr0n) wrote :

I was preparing a bug fix upload, so I have picked this up as well.

Changed in openssh (Ubuntu):
assignee: nobody → Nick Rosbrook (enr0n)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:9.6p1-3ubuntu13

---------------
openssh (1:9.6p1-3ubuntu13) noble; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * debian: Remove dependency on libsystemd
    As per the xz backdoor we learned that the least dependencies sshd have,
    the best it is, so avoid to plug libsystemd (which also brings various
    other dependencies) inside sshd for no reason:

    - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
      dependency
    - d/p/systemd-socket-activation.patch: Import patch from debian that
      mimics the libsystemd sd_listen_fds() code, as refactored by Colin
      Watson.
    - d/control: Remove dependencies on libsystemd-dev | libelogind-dev
    - d/rules: Drop --with-systemd flag (new options are used by default)

  [ Nick Rosbrook ]
  * debian/patches: only set PAM_RHOST if remote host is not "UNKNOWN"
    (LP: #2060150)
  * debian/openssh-server.postinst: don't re-enable ssh.socket if it was disabled
    (LP: #2059874)
  * d/p/sshd-socket-generator.patch: do not always ignore ListenStream=22
    (LP: #2059872)

 -- Nick Rosbrook <email address hidden> Fri, 05 Apr 2024 15:30:31 -0400

Changed in openssh (Ubuntu):
status: In Progress → Fix Released
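
An added example, not part of the bug report and not OpenSSH's code: a simplified C model of the behaviour described above, where a descriptor that is not an AF_INET/AF_INET6 socket yields the literal "UNKNOWN", and of the guard named in the changelog entry that skips PAM_RHOST for that value. The function names peer_host, rhost_is_usable and would_set_pam_rhost are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: numeric peer address of fd, or "UNKNOWN" when fd is
 * not a connected AF_INET/AF_INET6 socket (the case the report describes). */
const char *peer_host(int fd, char *buf, socklen_t len)
{
    struct sockaddr_storage ss;
    socklen_t sslen = sizeof(ss);
    const void *addr;

    memset(&ss, 0, sizeof(ss));
    if (getpeername(fd, (struct sockaddr *)&ss, &sslen) != 0)
        return "UNKNOWN";                 /* pipe, tty, file: not a socket */
    if (ss.ss_family == AF_INET)
        addr = &((struct sockaddr_in *)&ss)->sin_addr;
    else if (ss.ss_family == AF_INET6)
        addr = &((struct sockaddr_in6 *)&ss)->sin6_addr;
    else
        return "UNKNOWN";                 /* e.g. an AF_UNIX socketpair */
    return inet_ntop(ss.ss_family, addr, buf, len) ? buf : "UNKNOWN";
}

/* The guard: the placeholder must never reach PAM as a host name. */
int rhost_is_usable(const char *host)
{
    return host != NULL && strcmp(host, "UNKNOWN") != 0;
}

/* 1 if PAM_RHOST would be set for this descriptor, 0 if left unset. */
int would_set_pam_rhost(int fd)
{
    char buf[INET6_ADDRSTRLEN];
    return rhost_is_usable(peer_host(fd, buf, sizeof(buf)));
}

int main(void)
{
    int sv[2];                            /* constructed stand-in for sshd -i stdio */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    printf("set PAM_RHOST: %d\n", would_set_pam_rhost(sv[0]));
    return 0;
}
```
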