Date:      Sat, 29 Jun 2002 11:58:43 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        FreeBSD user <freebsd@XtremeDev.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: OpenSSH 3.4p1_1 and reverse ip
Message-ID:  <20020629105843.GA15592@happy-idiot-talk.infracaninophi>
In-Reply-To: <20020628190401.E7121-200000@Amber.XtremeDev.com>
References:  <20020628190401.E7121-200000@Amber.XtremeDev.com>

On Fri, Jun 28, 2002 at 07:06:55PM -0600, FreeBSD user wrote:

> After installing OpenSSH 3.4p1_1-portable (overwriting the one in base
> with -DOPENSSH_OVERWRITE_BASE) and restarting it, /usr/sbin/sshd keeps
> taking ~3-~5 minutes trying to reverse/resolve connecting client ips, even
> though I specifically told it not to in /etc/ssh/sshd_config. On top of
> which, the connecting ip IS reversible, I've checked with nslookup.
> Attached is my sshd_config.

So the problem is really that your DNS isn't responding quickly
enough, rather than sshd doing a few resolver calls.  One thing that
does happen with the privilege separation is the chroot'ed sshd
won't be able to read /etc/resolv.conf, so any queries it makes would
go to the default address, which happens to be 127.0.0.1

Try running these two:

   tcpdump port 53
   tcpdump -i lo0
   
to see if you can trace any DNS traffic generated while you ssh into
the box.  I've run a few tests on those lines on machines both with and
without local nameservers, where OpenSSH runs fine.

Without a local nameserver I get this:

claudette:/home/matthew:# tcpdump -n -i lo0
tcpdump: listening on lo0
11:46:40.950297 192.168.0.77.1226 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950351 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950473 192.168.0.77.1227 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950510 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950577 192.168.0.77.1228 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950611 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950677 192.168.0.77.1229 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950712 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable

and with a local nameserver I get this:

happy-idiot-talk:/home/matthew:# tcpdump -n -i lo0
tcpdump: listening on lo0
11:48:17.622104 127.0.0.1.2284 > 127.0.0.1.53:  44276+ PTR? 87.155.172.212.in-addr.arpa. (45)
11:48:17.622264 127.0.0.1.53 > 127.0.0.1.2284:  44276 1/2/2 PTR[|domain]
11:48:17.624741 127.0.0.1.2285 > 127.0.0.1.53:  22212+ PTR? 87.155.172.212.in-addr.arpa. (45)
11:48:17.624915 127.0.0.1.53 > 127.0.0.1.2285:  22212 1/2/2 PTR[|domain]

My guess is that there's something bound to 127.0.0.1:53 on your
machine so that you don't get an immediate ICMP port unreachable, but
that what's bound there isn't returning any meaningful DNS data, and
your sshd ends up waiting for the standard 30s DNS timeout for however
many retries the resolver attempts.

Now, I don't believe that this can really be the official solution;
however, it's worth trying giving the chroot'ed sshd a copy of your
resolv.conf to see if that makes a difference:

   cd ~sshd
   mkdir etc
   cp /etc/resolv.conf etc/

> Another thing of note, I'm not using BIND, I'm using djbdns, both tinydns and
> dnscache on the box running the sshd.

That shouldn't make any difference.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
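
As an added example (not part of the thread or of OpenSSH), here is a small
script that applies the reasoning of the message above to `tcpdump -n` output:
it groups the PTR queries, matches replies and ICMP port-unreachable messages
to them, and reports whether each lookup was answered, refused outright, or
never answered at all.  The first two sample traces are the ones quoted in the
message; the third (SILENT_LISTENER) is a constructed capture in the shape of
the problem being diagnosed, with queries to a port-53 listener that never
replies, retried every 30 seconds.  The function and key names are this
example's own.

```python
"""Classify PTR lookups in `tcpdump -n` output: an immediate ICMP port
unreachable means nothing is listening (the resolver fails fast), a reply
means DNS is fine, and queries with no reply are the resolver stalling."""
import re
from collections import OrderedDict

# Sample traces.  The first two are from the message; the third is constructed.
NO_NAMESERVER = """\
11:46:40.950297 192.168.0.77.1226 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950351 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950473 192.168.0.77.1227 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950510 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950577 192.168.0.77.1228 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950611 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950677 192.168.0.77.1229 > 192.168.0.77.53:  27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950712 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
""".splitlines()
LOCAL_NAMESERVER = """\
11:48:17.622104 127.0.0.1.2284 > 127.0.0.1.53:  44276+ PTR? 87.155.172.212.in-addr.arpa. (45)
11:48:17.622264 127.0.0.1.53 > 127.0.0.1.2284:  44276 1/2/2 PTR[|domain]
11:48:17.624741 127.0.0.1.2285 > 127.0.0.1.53:  22212+ PTR? 87.155.172.212.in-addr.arpa. (45)
11:48:17.624915 127.0.0.1.53 > 127.0.0.1.2285:  22212 1/2/2 PTR[|domain]
""".splitlines()
SILENT_LISTENER = """\
12:00:00.000000 127.0.0.1.3001 > 127.0.0.1.53:  51234+ PTR? 10.0.0.10.in-addr.arpa. (40)
12:00:30.000000 127.0.0.1.3002 > 127.0.0.1.53:  51234+ PTR? 10.0.0.10.in-addr.arpa. (40)
12:01:00.000000 127.0.0.1.3003 > 127.0.0.1.53:  51234+ PTR? 10.0.0.10.in-addr.arpa. (40)
12:01:30.000000 127.0.0.1.3004 > 127.0.0.1.53:  51234+ PTR? 10.0.0.10.in-addr.arpa. (40)
""".splitlines()

# Line formats as printed by the tcpdump version shown in the message.
QUERY_RE = re.compile(r'^(?P<ts>\S+) [\d.]+\.(?P<sport>\d+) > [\d.]+\.53:'
                      r'\s+(?P<txid>\d+)\+ PTR\? (?P<name>\S+)')
ANSWER_RE = re.compile(r'^(?P<ts>\S+) [\d.]+\.53 > [\d.]+\.(?P<dport>\d+):'
                       r'\s+(?P<txid>\d+) ')
UNREACH_RE = re.compile(r'^(?P<ts>\S+) [\d.]+ > [\d.]+: icmp: [\d.]+ udp port 53 unreachable')

def _secs(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (captures here never cross midnight)."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)

def classify(lines):
    """Return {(txid, name): {'status', 'sent', 'wait'}} in first-seen order.

    status: 'answered', 'port_unreachable' or 'unanswered'.  sent: how many
    datagrams went out for that lookup (retries reuse the txid, as in the
    traces above).  wait: seconds from the first send to the last event seen.
    """
    pending = OrderedDict()   # (client port, txid) -> lookup key
    lookups = OrderedDict()
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            key, t = (m['txid'], m['name']), _secs(m['ts'])
            rec = lookups.setdefault(key, {'status': 'unanswered', 'sent': 0, 'first': t, 'last': t})
            rec['sent'] += 1
            rec['last'] = t
            pending[(m['sport'], m['txid'])] = key
            continue
        m = ANSWER_RE.match(line)
        if m:
            key = pending.pop((m['dport'], m['txid']), None)  # reply goes back to the query's port
            if key:
                lookups[key]['status'] = 'answered'
                lookups[key]['last'] = _secs(m['ts'])
            continue
        m = UNREACH_RE.match(line)
        if m and pending:
            # The ICMP error quotes the offending datagram, but tcpdump only shows
            # that with -v, so attribute it to the newest outstanding query.
            _, key = pending.popitem(last=True)
            if lookups[key]['status'] != 'answered':
                lookups[key]['status'] = 'port_unreachable'
            lookups[key]['last'] = _secs(m['ts'])
    return OrderedDict((k, {'status': r['status'], 'sent': r['sent'], 'wait': r['last'] - r['first']})
                       for k, r in lookups.items())

def diagnose(lines):
    """One-line verdict for a capture taken while an ssh login was in progress."""
    statuses = {r['status'] for r in classify(lines).values()}
    if not statuses:
        return 'no PTR traffic seen'
    if 'unanswered' in statuses:
        return 'listener on port 53 is not replying'
    if 'port_unreachable' in statuses:
        return 'nothing bound to port 53'
    return 'lookups answered'

if __name__ == '__main__':
    for label, trace in (('no nameserver', NO_NAMESERVER),
                         ('local nameserver', LOCAL_NAMESERVER),
                         ('silent listener', SILENT_LISTENER)):
        print(label, '->', diagnose(trace))
        for key, rec in classify(trace).items():
            print('   ', key[1], rec)
```

To use it on a live box, capture with `tcpdump -n -i lo0 port 53` (and the
external interface if resolv.conf points elsewhere) while logging in over ssh,
then feed the saved lines to `classify` or `diagnose`.  A verdict of
"listener on port 53 is not replying" is the case the message guesses at:
something bound to 127.0.0.1:53 that swallows queries, so each retry runs to
the resolver timeout instead of failing immediately.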

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020629105843.GA15592>