Date: Mon, 22 Jul 2002 21:38:53 +0200 (CEST)
From: Jan Srzednicki <winfried@expro.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/40894: OpenSSH weird delays
Message-ID: <200207221938.g6MJcrG00471@mizantrop.expro.pl>
>Number:         40894
>Category:       bin
>Synopsis:       OpenSSH weird delays
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 22 12:40:04 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jan Srzednicki
>Release:        FreeBSD 4.6.1-RELEASE i386
>Organization:
expro.pl
>Environment:
System: FreeBSD mizantrop 4.6.1-RELEASE FreeBSD i386
>Description:
I've noticed some strange behaviour of recent versions of the OpenSSH sshd daemon.
When I turn the UDP blackhole on (sysctl net.inet.udp.blackhole=1) and try to ssh
to a given machine, the connection stops on:

(..)
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT

After some time (i.e., after _some_ timeout) it continues to the authentication
stuff and everything works as it should. I find this delay pretty irritating.

It touched me that it only happens on machines on which I don't have named
running.. I tcpdumped lo0 on such a machine and that's what I got:

20:48:42.738508 10.0.1.2.1064 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738729 10.0.1.2.1065 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738833 10.0.1.2.1066 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738930 10.0.1.2.1067 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)

Well, well.

[21:05] mizantrop:~(8)# cat /etc/resolv.conf
nameserver 10.0.1.10
nameserver 10.0.1.11

But.. of course. It doesn't happen when I turn off UsePrivilegeSeparation.
The chroot()ed unprivileged process does not have access to /etc/resolv.conf,
so it tries to ask on the local interface.. and waits for a timeout.
>How-To-Repeat:
sysctl net.inet.udp.blackhole=1
Configure sshd to use privilege separation.
Set nameservers for this machine.
Kill named or any DNS cache daemon, if needed.
Launch sshd.
And then try to ssh to this host.
tcpdump on lo0 for proof that sshd sends RevDNS queries to localhost.
>Fix:
A simple solution would be just creating etc/resolv.conf in the chroot()ed
environment, or forcing sshd not to check RevDNS when in privilege separation
mode. Or maybe we should pass the value of /etc/resolv.conf to the unprivileged
process before chroot(), and then force it to use these rather than the default
/etc/resolv.conf?
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207221938.g6MJcrG00471>
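The first fix the report proposes, an etc/resolv.conf inside the privilege-separation chroot, is easy to audit for. The script below is an added example and is not part of the bug report or of OpenSSH; it checks whether a given chroot directory carries a resolv.conf that names at least one nameserver (without one the resolver falls back to querying 127.0.0.1, which is the delay described above), and can populate it from a host copy. The directory used in the demo is a constructed temporary directory standing in for the real privsep chroot, whose path (on FreeBSD typically /var/empty) is an assumption not stated in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a chroot directory for a
# usable etc/resolv.conf and, if it is missing, populate it from a host copy.

# Return 0 if DIR/etc/resolv.conf exists and names at least one nameserver,
# 1 otherwise. A chroot without it makes the resolver try 127.0.0.1:53.
audit_chroot_resolv() {
    dir=$1
    f="$dir/etc/resolv.conf"
    [ -f "$f" ] || return 1
    grep -q '^nameserver[[:space:]]' "$f" || return 1
    return 0
}

# Copy SRC (default: the host's /etc/resolv.conf) into DIR/etc/resolv.conf
# and make it read-only, so the unprivileged child sees the same nameservers.
sync_chroot_resolv() {
    dir=$1
    src=${2:-/etc/resolv.conf}
    mkdir -p "$dir/etc"
    cp "$src" "$dir/etc/resolv.conf"
    chmod 0444 "$dir/etc/resolv.conf"
}

# Print the nameserver addresses a process inside DIR would use, one per line.
chroot_nameservers() {
    awk '/^nameserver[ \t]/ { print $2 }' "$1/etc/resolv.conf" 2>/dev/null
}

# Demo on a constructed temporary tree: an empty "chroot" first fails the
# audit, then passes once the (constructed) host resolv.conf is copied in.
demo() {
    tmp=$(mktemp -d)
    host_conf="$tmp/host-resolv.conf"
    printf 'nameserver 10.0.1.10\nnameserver 10.0.1.11\n' > "$host_conf"
    chroot_dir="$tmp/empty"          # stand-in for e.g. /var/empty (assumption)
    mkdir -p "$chroot_dir"
    if audit_chroot_resolv "$chroot_dir"; then
        echo "chroot resolv.conf present"
    else
        echo "chroot has no usable resolv.conf: lookups would go to 127.0.0.1"
    fi
    sync_chroot_resolv "$chroot_dir" "$host_conf"
    if audit_chroot_resolv "$chroot_dir"; then
        echo "fixed; chroot nameservers: $(chroot_nameservers "$chroot_dir" | tr '\n' ' ')"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the before/after on the temporary tree; to audit a live system, call audit_chroot_resolv with the actual privsep directory and sync_chroot_resolv without a second argument to copy the host's /etc/resolv.conf. Copying the file is only a snapshot, so it has to be repeated whenever the host's resolver configuration changes.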