Date: Sat, 29 Jun 2002 05:50:23 -0600 (MDT)
From: FreeBSD user <freebsd@XtremeDev.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: questions@FreeBSD.ORG
Subject: Re: OpenSSH 3.4p1_1 and reverse ip
Message-ID: <20020629053049.V67284-100000@Amber.XtremeDev.com>
In-Reply-To: <20020629105843.GA15592@happy-idiot-talk.infracaninophi>
> So the problem is really that your DNS isn't responding quickly
> enough, rather than sshd doing a few resolver calls. One thing that
> does happen with the privilege separation is the chroot'ed sshd
> won't be able to read /etc/resolv.conf, so any queries it makes would
> go to the default address which happens to be 127.0.0.1
>
> Try running these two:
>
> tcpdump port 53
> tcpdump -i lo0
>
> to see if you can trace any DNS traffic generated while you ssh into
> the box. I've run a few tests on those lines on machines both with and
> without local nameservers, where OpenSSH runs fine.

Running tcpdump -n -i lo0 port 53 I get:

~> sudo tcpdump -n -i lo0 port 53
tcpdump: listening on lo0
05:29:04.791666 216.241.38.65.1685 > 216.241.38.65.53: 50078+ PTR? 2.1.168.192.in-addr.arpa. (42)
05:29:09.867171 216.241.38.65.1686 > 216.241.38.65.53: 50078+ PTR? 2.1.168.192.in-addr.arpa. (42)
05:29:19.885317 216.241.38.65.1687 > 216.241.38.65.53: 50078+ PTR? 2.1.168.192.in-addr.arpa. (42)

> My guess is that there's something bound to 127.0.0.1:53 on your
> machine so that you don't get an immediate ICMP port unreachable, but
> that what's bound there isn't returning any meaningful DNS data, and
> your sshd ends up waiting for the standard 30s DNS timeout for however
> many retries the resolver attempts.

There is something bound to my 127.0.0.1:

~> sockstat | grep dns
dnscache dnscache   147  3 udp4   192.168.1.1:53    *:*
dnscache dnscache   147  4 tcp4   192.168.1.1:53    *:*
tinydns  tinydns    144  3 udp4   127.0.0.1:53      *:*
tinydns  tinydns    143  3 udp4   216.241.38.65:53  *:*

This is my name server/dnscache machine/split horizon/gateway/sshd machine for my teeny pidly LAN to the internet. So I have two copies of tinydns listening, one on my public IP which has no knowledge of the rfc1917 internal LAN being NATted, and one listening on 127.0.0.1 which does.

Which is why I can see the above tcpdump query failing, since it's asking my public IP tinydns to resolve the 192.168.1.2 (internal workstation) address, which it can't. So how do I tell sshd to ask dnscache instead? Or at least ask 127.0.0.1. (Strange that it doesn't?)

> However, it's worth trying giving the chroot'ed sshd a copy of your
> resolv.conf to see if that makes a difference:
>
> cd ~sshd
> mkdir etc
> cp /etc/resolv.conf etc/

Tried that. I copied resolv.conf to /home/sshd/, ran vipw and set:

sshd:*:22:22::0:0:sshd privilege separation:/home/sshd:/nonexistent

and reran sshd again. It didn't change anything. But anything at this point is worth trying. I appreciate the effort you've shown me.

For now, I just hacked up canohost.c and copied 'return xstrdup(ntop);' from line 81 to right before the getnameinfo() call on line 77, forgoing the entire getnameinfo() lookup, since it's always going to fail anyway. But I'd rather not leave it like that. I'm almost certain it's my dns setup. Maybe I did PTR wrong in tinydns root? But even then, sshd doesn't seem to be asking 127.0.0.1 like it's supposed to. Grrrrrrr.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
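As an added example that is not part of the original thread: a small Python script that parses tcpdump DNS lines in the format quoted above and reports queries that were retransmitted to a server without ever getting a reply, which is exactly the stall the poster's sshd is waiting on. The sample capture is constructed (the three unanswered PTR retries mirror the quoted output; the answered query to 127.0.0.1 is added for contrast), and the answer-line format is assumed to match old tcpdump's `id* 1/0/0 PTR name.` output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the tcpdump output quoted in the thread:
# query id 50078 is retransmitted three times to the public address with no
# reply; the query to 127.0.0.1 and its reply are constructed for contrast.
SAMPLE_CAPTURE = """\
05:29:04.791666 216.241.38.65.1685 > 216.241.38.65.53: 50078+ PTR? 2.1.168.192.in-addr.arpa. (42)
05:29:09.867171 216.241.38.65.1686 > 216.241.38.65.53: 50078+ PTR? 2.1.168.192.in-addr.arpa. (42)
05:29:19.885317 216.241.38.65.1687 > 216.241.38.65.53: 50078+ PTR? 2.1.168.192.in-addr.arpa. (42)
05:29:20.100000 216.241.38.65.1688 > 127.0.0.1.53: 50079+ PTR? 1.1.168.192.in-addr.arpa. (42)
05:29:20.101234 127.0.0.1.53 > 216.241.38.65.1688: 50079* 1/0/0 PTR gw.lan. (60)
"""

# One tcpdump DNS line: "time src.port > dst.port: id[flags] rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<qid>\d+)[+*-]* (?P<rest>.*)$"
)
QNAME_RE = re.compile(r"\b[A-Z]+\? (\S+)")  # "PTR? 2.1.168.192.in-addr.arpa."

def find_stalled_queries(capture):
    """Group queries by (server, id, name) and report those that never got a
    reply, with the retry count and the seconds the resolver spent waiting."""
    queries = defaultdict(list)   # (server, qid, qname) -> [timestamps]
    answered = set()              # (server, qid) seen in a reply
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        if m["dport"] == "53":    # client -> server: a query
            q = QNAME_RE.search(m["rest"])
            queries[(m["dst"], m["qid"], q.group(1) if q else "?")].append(when)
        elif m["sport"] == "53":  # server -> client: a reply
            answered.add((m["src"], m["qid"]))
    stalled = []
    for (server, qid, name), times in queries.items():
        if (server, qid) not in answered:
            stalled.append({"server": server, "qid": qid, "qname": name,
                            "attempts": len(times),
                            "wait_s": (max(times) - min(times)).total_seconds()})
    return stalled

if __name__ == "__main__":
    for s in find_stalled_queries(SAMPLE_CAPTURE):
        print(f"{s['qname']} -> {s['server']}: {s['attempts']} tries, "
              f"no reply after {s['wait_s']:.1f}s")
```

Feed it the output of `tcpdump -n port 53` taken while logging in: a server that shows up here with several attempts and no reply is the one the chroot'ed sshd is actually asking, regardless of what /etc/resolv.conf says.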