当前位置：首页 > news >正文

禁用Dropbear中DNS反向查询连接客户端地址补丁

news 来源：原创 2024/5/5 20:08:11

Dropbear 是一套来自澳大利亚的轻量的sshd服务器，与OpenSSH相比，他更简洁，更小巧，运行起来占用的内存也更少，因此在嵌入式环境被广泛中使用.
Dropbear 与 OpenSSH在客户端连接到服务器时都有一个相同的动作:就是会向设备配置的DNS Server反向查询客户端地址. 如果设备配置的DNS服务器地址有问题或速度比较慢, 就会导致客户端连接时产生延时,在客户端产生停顿了感觉. 而OpenSSH 可以通过在sshd_config中配置"UseDNS No"来禁用此动作,而Dropbear却没有可配置的选项.

通过查看Dropbear代码, 发现Dropbear在每次客户端连接成功后都会调用getnameinfo去获取客户端连接信息(svr-main.c:main_noinetd/main_inetd->dbutils.c:getaddrstring/getaddrhostname). 所以只要将dbutils.c:getaddrstring/getaddrhostname两个函数代码中调用getnameinfo获取地址信息修改为获取简单的地址端口即可.

这里采用了kernel中的宏NIPQUAD来打印ipv4网络字节序地址:
#define NIPQUAD(addr) \
((unsigned char *)&addr)[0], \
((unsigned char *)&addr)[1], \
((unsigned char *)&addr)[2], \
((unsigned char *)&addr)[3]

以下是patch:

diff -Nur dropbear-0.52.orig/dbutil.c dropbear-0.52/dbutil.c --- dropbear-0.52.orig/dbutil.c 2008-11-11 22:09:02.000000000 +0800 +++ dropbear-0.52/dbutil.c 2010-09-20 02:09:17.000000000 +0800 @@ -550,9 +550,25 @@ #endif #endif +// modified by kangzy +#if 0 ret = getnameinfo((struct sockaddr*)addr, len, hbuf, sizeof(hbuf), sbuf, sizeof(sbuf), NI_NUMERICSERV | NI_NUMERICHOST); - + printf( "getnameinfo return %d.\n", ret ); +#else +#define NIPQUAD(addr) \ + ((unsigned char *)&addr)[0], \ + ((unsigned char *)&addr)[1], \ + ((unsigned char *)&addr)[2], \ + ((unsigned char *)&addr)[3] + + { + struct sockaddr_in *sa = (struct sockaddr_in *)addr; + snprintf(hbuf, NI_MAXHOST, "%.u.%u.%u.%u", NIPQUAD(sa->sin_addr)); + snprintf(sbuf, NI_MAXSERV, "%d", sa->sin_port ); + } + ret = 0; +#endif if (ret != 0) { /* This is a fairly bad failure - it'll fallback to IP if it * just can't resolve */ @@ -599,10 +615,13 @@ #endif #endif - +// modified by kangzy +#if 0 ret = getnameinfo((struct sockaddr*)addr, len, hbuf, sizeof(hbuf), sbuf, sizeof(sbuf), flags); - +#else + ret = EAI_NONAME; +#endif if (ret != 0) { /* On some systems (Darwin does it) we get EINTR from getnameinfo * somehow. Eew. So we'll just return the IP, since that doesn't seem