Date:      Tue, 18 Mar 2003 18:04:30 -0800 (PST)
From:      Patrick <patrick@stealthgeeks.net>
To:        Peter Jeremy <peter.jeremy@alcatel.com.au>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Slow ssh login
Message-ID:  <20030318174852.T3805@rockstar.stealthgeeks.net>
In-Reply-To: <20030319010311.GO90290@gsmx07.alcatel.com.au>
References:  <20030319010311.GO90290@gsmx07.alcatel.com.au>

On Wed, 19 Mar 2003, Peter Jeremy wrote:

> The "privilege separation" process does a chroot to /var/empty and
> then tries to do a reverse lookup on the IP address of the incoming
> client.  Since there's no /etc/host.conf (or /etc/hosts) within the
> chroot tree, it falls back to doing a DNS lookup on d.c.b.a.in-addr.arpa
> and this fails because the nameserver is not currently accessible
> (it knows where to ask because the PrivSep process's parent has had
> a look through resolv.conf before fork()ing).
>
> Since the addresses in question are all private addresses that don't
> exist in the DNS (I use /etc/hosts for them all), the DNS lookup isn't
> going to return useful information in any case.
>
> Has anyone else bumped into this?  What is the recommended solution?
> The two solutions I can think of are:
> 1) Install /etc/host.conf and /etc/hosts into /var/empty.  This raises
>    the difficulty of remembering to keep them up to date.
> 2) Running a local named that is authoritative for my private addresses.
>    I'd prefer not to do this for a variety of reasons.

3) Configure split-horizon DNS so that only those within your local
   network see local information and/or

4) Turn off reverse address lookups in ssh. There are largely two
   different schools of thought on their value, one of which has a
   reasonable argument for reverse lookups being pretty much pointless
   given how little it is configured properly/data is accurate combined with
   the marginal security value/false sense of security it offers (without
   "secure" DNS offering authenticated responses) and/or

5) Instead of installing BIND, install a caching-only resolver such as
   DJB's dnscache in your chroot.

I'd personally do 3, and maybe 4. Whatever you do, consider getting rid of
/etc/hosts. It can cause no end of fun when things get out of sync
(especially when configured to be consulted first.)


/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
                               Patrick Greenwell
         Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
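
An added example, not part of the thread, that goes with options 1 and 4 above: a small POSIX sh audit that checks whether the resolver files the privsep chroot needs are present and identical to the system copies (the "remembering to keep them up to date" problem), plus a hosts-file reverse lookup showing what the chroot'ed process could answer without asking a nameserver. The directory layout, file names passed as arguments and hosts entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the resolver files a
# chroot()ed sshd privsep process can see. Paths are parameters so the
# same check can run against a test tree or against / and /var/empty.

# Usage: check_chroot_resolver SYSROOT CHROOT
# Prints one line per file; returns 0 only if every file exists in
# CHROOT and is byte-identical to the copy under SYSROOT.
check_chroot_resolver() {
    sysroot=$1
    chroot_dir=$2
    rc=0
    for f in etc/hosts etc/host.conf; do
        if [ ! -f "$chroot_dir/$f" ]; then
            echo "MISSING  $chroot_dir/$f (reverse lookups fall through to DNS)"
            rc=1
        elif ! cmp -s "$sysroot/$f" "$chroot_dir/$f"; then
            echo "STALE    $chroot_dir/$f differs from $sysroot/$f"
            rc=1
        else
            echo "OK       $chroot_dir/$f"
        fi
    done
    return $rc
}

# Usage: hosts_reverse HOSTSFILE IP
# Resolve IP to a name using only HOSTSFILE, i.e. what the chroot'ed
# process could answer with no nameserver reachable. Prints the first
# name on the matching line; returns 1 if the address is not listed.
hosts_reverse() {
    awk -v ip="$2" '
        /^[ \t]*#/ { next }                 # skip comment lines
        { sub(/#.*/, "")                    # strip trailing comments
          if ($1 == ip && NF >= 2) { print $2; found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Run directly as:  sh audit_privsep_resolver.sh / /var/empty
if [ $# -eq 2 ]; then
    check_chroot_resolver "$1" "$2"
fi
```

Run against / and /var/empty it reports MISSING for the stock empty chroot, and STALE the moment the system /etc/hosts changes after a copy was installed.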
