summaryrefslogtreecommitdiffstats
path: root/debian/patches/pam-avoid-unknown-host.patch
blob: 8c8d78a7b3cc573dd3e2a09d392f51409d901675 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From 97c671bccd4f923e2bb814516ad7bf1d9261709c Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 20 Mar 2023 20:22:14 +0100
Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"

When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.

To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

Author: Daan De Meyer <daan.j.demeyer@gmail.com>
Last-Update: 2024-04-03

Patch-Name: pam-avoid-unknown-host.patch
---
 auth-pam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth-pam.c b/auth-pam.c
index 13c0a792e..b22883b95 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 		sshpam_laddr = get_local_ipaddr(
 		    ssh_packet_get_connection_in(ssh));
 	}
-	if (sshpam_rhost != NULL) {
+	if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
 		debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
 		sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
 		    sshpam_rhost);