sshd option UseDNS and Nasty PTR log entry



I have been researching the following unusual log entry from sshd.

Jan  9 15:22:39 server sshd[30501]: Nasty PTR record "" is set up for nnn.nnn.nnn.nnn, ignoring

It appears that some of my servers will report this and a few will not.  At
first I thought it was the version.  So I installed the latest 3.9p1.  Same
problem.  The systems that do not log this message appear to not check the
reverse mapping at all.  The VerifyReverseMapping is reported as
deprecated.  The man page listed UseDNS as an option.  I have found that if
I set the option UseDNS to no then the message will disappear.  If enabled
then the message returns.  When DNS is disabled the log entry then reports
only the IP address and no machine name is provided.

We manage our own IP assignments for our assigned address space for both
forward and reverse.  These methods using bind haven't changed in our 8
years of operation.  The arpa record is configured like below:

nnn                       PTR

To my knowledge this is the only way to indicate the canonical name of the
machine IP address.  Is there a newer or better method available now?

Perhaps also, what is "Nasty" about it?  It appears from my search results
that this is the way it has always been done.  And then why the decision to
"ignore" it?

Thank you,

Re: sshd option UseDNS and Nasty PTR log entry

As strings, IP addresses are also valid domain names.  At one point, an
OpenSSH statement like:

  AllowUsers pat@

could be spoofed if an attacker could get the DNS to return the domain
"" as the reverse lookup of the source address.  I'm not sure if
that's still true, but OpenSSH still detects this situation and ignores
a DNS PTR record if its rdata looks like an address.


    /*
     * if reverse lookup result looks like a numeric hostname,
     * someone is trying to trick us by PTR record like following:
     *    IN PTR
     */
    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_DGRAM;    /*dummy*/
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(name, "0", &hints, &ai) == 0) {
        logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
            name, ntop);
        freeaddrinfo(ai);    /* release the result before falling back to the address */
        return xstrdup(ntop);
    }

This code uses getaddrinfo() with AI_NUMERICHOST to test whether "name"
(the result of the reverse lookup on the source address) looks like an
address.  According to the OpenBSD getaddrinfo(3) man page, this
should work; likewise, the OpenSSH compatibility code for systems without
getaddrinfo looks as if it should work.  Perhaps the systems reporting
this error have native getaddrinfo implementations that do not behave in
the way this code expects?

- Richard

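The check Richard describes, as an added example that is not part of the original thread and not OpenSSH's own code: it reproduces the AI_NUMERICHOST test on a PTR result and pairs it with a deliberately simplified AllowUsers-style matcher, so the spoof can be seen end to end.  The glob matcher, the rule "pat@10.0.0.*", the user "pat", the peer address 192.0.2.7 and the attacker's PTR value "10.0.0.5" are all assumptions constructed for the example.

```c
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Same test sshd applies to the reverse-lookup result: with AI_NUMERICHOST,
 * getaddrinfo() succeeds only if `name` is an IPv4/IPv6 address literal and
 * never consults DNS.  Returns 1 for "looks like an address", 0 otherwise. */
int ptr_looks_numeric(const char *name)
{
    struct addrinfo hints, *ai = NULL;

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_DGRAM;  /* dummy, as in sshd */
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(name, "0", &hints, &ai) == 0) {
        freeaddrinfo(ai);
        return 1;
    }
    return 0;
}

/* Decide what sshd would use as the remote host name.  `ntop` is the peer
 * address as text; `ptr_name` is what the PTR lookup returned (NULL if none).
 * Copies the chosen name into `out`; returns 1 if the PTR was rejected. */
int remote_hostname(const char *ntop, const char *ptr_name, char *out, size_t outlen)
{
    if (ptr_name == NULL || ptr_name[0] == '\0') {
        snprintf(out, outlen, "%s", ntop);   /* no PTR: use the address */
        return 0;
    }
    if (ptr_looks_numeric(ptr_name)) {
        printf("Nasty PTR record \"%s\" is set up for %s, ignoring\n", ptr_name, ntop);
        snprintf(out, outlen, "%s", ntop);   /* fall back to the real address */
        return 1;
    }
    snprintf(out, outlen, "%s", ptr_name);
    return 0;
}

/* Minimal glob: '*' matches any run of characters, everything else is literal.
 * A simplified stand-in (assumption) for sshd's pattern matching, not its code. */
static int glob_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            for (pat++; ; s++) {
                if (glob_match(pat, s))
                    return 1;
                if (*s == '\0')
                    return 0;
            }
        }
        if (*s == '\0' || *pat != *s)
            return 0;
        pat++;
        s++;
    }
}

/* AllowUsers-style rule "user@hostpattern": the host part is tried against
 * both the resolved host name and the peer address, the way sshd does. */
int allowusers_match(const char *rule, const char *user, const char *host, const char *ntop)
{
    const char *at = strchr(rule, '@');
    char upat[64];

    if (at == NULL)
        return glob_match(rule, user);
    snprintf(upat, sizeof(upat), "%.*s", (int)(at - rule), rule);
    if (!glob_match(upat, user))
        return 0;
    return glob_match(at + 1, host) || glob_match(at + 1, ntop);
}

/* Constructed scenario: the rule confines "pat" to 10.0.0.*, the attacker
 * connects from 192.0.2.7 and controls the PTR for that address, which
 * they set to the string "10.0.0.5".  Returns 1 if the rule lets them in. */
int attacker_allowed(int apply_nasty_check)
{
    const char *ntop = "192.0.2.7";
    const char *ptr = "10.0.0.5";
    char host[256];

    if (apply_nasty_check)
        remote_hostname(ntop, ptr, host, sizeof(host));
    else
        snprintf(host, sizeof(host), "%s", ptr);  /* trust the PTR blindly */
    return allowusers_match("pat@10.0.0.*", "pat", host, ntop);
}

int main(void)
{
    printf("attacker allowed without check: %d, with check: %d\n",
           attacker_allowed(0), attacker_allowed(1));
    return 0;
}
```

Without the check the PTR string "10.0.0.5" is compared against the host pattern and the rule matches; with it, the name reverts to the peer address and the rule no longer matches.  A PTR pointing at an ordinary host name such as host.example.com passes the numeric test and is used as-is.
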
Re: sshd option UseDNS and Nasty PTR log entry

Thank you Richard,

I suspect now that your last supposition is probably the correct one.  A
local library call is probably being used.  I know I had to disable the
zlib verification to get it to build as well because of the age.  The
servers that appear to be reporting the problem are older servers based on
Slackware 7.0.  If I recall, these servers were originally built using the
old ssh program and not openssh and openssl.  I upgraded to these programs
about a year and a half ago.

Well, it seems like this year would be a good time to upgrade them.

Thank you again,
