Date: Sat, 29 Jun 2002 11:58:43 +0100
From: Matthew Seaman
To: FreeBSD user
Cc: questions@FreeBSD.ORG
Subject: Re: OpenSSH 3.4p1_1 and reverse ip
Message-ID: <20020629105843.GA15592@happy-idiot-talk.infracaninophi>
In-Reply-To: <20020628190401.E7121-200000@Amber.XtremeDev.com>
References: <20020628190401.E7121-200000@Amber.XtremeDev.com>
User-Agent: Mutt/1.5.1i

On Fri, Jun 28, 2002 at 07:06:55PM -0600, FreeBSD user wrote:
> After installing OpenSSH 3.4p1_1-portable (overwriting the one in base
> with -DOPENSSH_OVERWRITE_BASE) and restarting it, /usr/sbin/sshd keeps
> taking ~3-~5 minutes trying to reverse/resolve connecting client ips, even
> though I specifically told it not to in /etc/ssh/sshd_config. On top of
> which, the connecting ip IS reversible, I've checked with nslookup.
> Attached is my sshd_config.

So the problem is really that your DNS isn't responding quickly enough,
rather than sshd doing a few resolver calls. One thing that does happen
with the privilege separation is the chroot'ed sshd won't be able to read
/etc/resolv.conf, so any queries it makes would go to the default address,
which happens to be 127.0.0.1.

Try running these two:

tcpdump port 53
tcpdump -i lo0

to see if you can trace any DNS traffic generated while you ssh into the
box. I've run a few tests on those lines on machines both with and without
local nameservers, where OpenSSH runs fine. Without a local nameserver I
get this:

claudette:/home/matthew:# tcpdump -n -i lo0
tcpdump: listening on lo0
11:46:40.950297 192.168.0.77.1226 > 192.168.0.77.53: 27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950351 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950473 192.168.0.77.1227 > 192.168.0.77.53: 27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950510 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950577 192.168.0.77.1228 > 192.168.0.77.53: 27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950611 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable
11:46:40.950677 192.168.0.77.1229 > 192.168.0.77.53: 27743+ PTR? 4.0.168.192.in-addr.arpa. (42)
11:46:40.950712 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable

and with a local nameserver I get this:

happy-idiot-talk:/home/matthew:# tcpdump -n -i lo0
tcpdump: listening on lo0
11:48:17.622104 127.0.0.1.2284 > 127.0.0.1.53: 44276+ PTR? 87.155.172.212.in-addr.arpa. (45)
11:48:17.622264 127.0.0.1.53 > 127.0.0.1.2284: 44276 1/2/2 PTR[|domain]
11:48:17.624741 127.0.0.1.2285 > 127.0.0.1.53: 22212+ PTR? 87.155.172.212.in-addr.arpa. (45)
11:48:17.624915 127.0.0.1.53 > 127.0.0.1.2285: 22212 1/2/2 PTR[|domain]

My guess is that there's something bound to 127.0.0.1:53 on your machine
so that you don't get an immediate ICMP port unreachable, but that what's
bound there isn't returning any meaningful DNS data, and your sshd ends up
waiting for the standard 30s DNS timeout for however many retries the
resolver attempts.

Now, I don't believe that this can really be the official solution;
however, it's worth trying giving the chroot'ed sshd a copy of your
resolv.conf to see if that makes a difference:

cd ~sshd
mkdir etc
cp /etc/resolv.conf etc/

> Another of note, I'm not using BIND, I'm using djbdns, both tinydns and
> dnscache on the box running the sshd.

That shouldn't make any difference.

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
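As an added illustration (not part of the original mail), a small Python script that sorts tcpdump -n lines like the ones above into answered, port-unreachable and no-response queries. It uses the first query/reply pair from each of the two traces in the mail plus one constructed line for the silent-listener case the reply speculates about; the regexes assume the classic tcpdump output format shown in the mail.

```python
import re
# tcpdump -n -i lo0 lines taken from the two traces in the mail above
NO_NAMESERVER = [
    "11:46:40.950297 192.168.0.77.1226 > 192.168.0.77.53: 27743+ PTR? 4.0.168.192.in-addr.arpa. (42)",
    "11:46:40.950351 192.168.0.77 > 192.168.0.77: icmp: 192.168.0.77 udp port 53 unreachable",
]
LOCAL_NAMESERVER = [
    "11:48:17.622104 127.0.0.1.2284 > 127.0.0.1.53: 44276+ PTR? 87.155.172.212.in-addr.arpa. (45)",
    "11:48:17.622264 127.0.0.1.53 > 127.0.0.1.2284: 44276 1/2/2 PTR[|domain]",
]
# Constructed line for the suspected failure: a query to 127.0.0.1:53 that nothing ever answers
SILENT_LISTENER = [
    "12:00:00.000000 127.0.0.1.3001 > 127.0.0.1.53: 1234+ PTR? 4.0.168.192.in-addr.arpa. (42)",
]

QUERY = re.compile(r"^\S+ \S+\.\d+ > (?P<dst>\S+)\.53: (?P<id>\d+)\+ PTR\? (?P<name>\S+) \(\d+\)$")
REPLY = re.compile(r"^\S+ \S+\.53 > \S+\.\d+: (?P<id>\d+) \d+/\d+/\d+ ")
UNREACH = re.compile(r"icmp: (?P<host>\S+) udp port 53 unreachable$")

def classify(lines):
    """Map each PTR query id to (name, outcome): 'answered', 'port-unreachable' or 'no-response'."""
    pending, outcomes = {}, {}      # pending: query id -> server address, insertion ordered
    for line in lines:
        if q := QUERY.match(line):
            pending[q["id"]] = q["dst"]
            outcomes[q["id"]] = (q["name"], "no-response")   # until something answers it
        elif (r := REPLY.match(line)) and r["id"] in pending:
            pending.pop(r["id"])
            outcomes[r["id"]] = (outcomes[r["id"]][0], "answered")
        elif u := UNREACH.search(line):
            # ICMP carries no query id: it refers to the oldest outstanding query to that host
            for qid, dst in pending.items():
                if dst == u["host"]:
                    pending.pop(qid)
                    outcomes[qid] = (outcomes[qid][0], "port-unreachable")
                    break
    return outcomes

def diagnose(lines):
    """Summarise a trace the way the reply above reasons about it."""
    states = {outcome for _, outcome in classify(lines).values()}
    if not states:
        return "no PTR queries seen here: sshd is not resolving via this interface"
    if "no-response" in states:
        return "query sent but never answered: expect the resolver's 30s timeout per retry"
    if "port-unreachable" in states:
        return "nothing listening there: resolver fails fast, no noticeable delay"
    return "answered promptly: DNS is not the cause of the delay"
```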