Date: Tue, 18 Mar 2003 18:04:30 -0800 (PST)
From: Patrick
To: Peter Jeremy
Cc: freebsd-stable@freebsd.org
Subject: Re: Slow ssh login
In-Reply-To: <20030319010311.GO90290@gsmx07.alcatel.com.au>
Message-ID: <20030318174852.T3805@rockstar.stealthgeeks.net>

On Wed, 19 Mar 2003, Peter Jeremy wrote:

> The "privilege separation" process does a chroot to /var/empty and
> then tries to do a reverse lookup on the IP address of the incoming
> client. Since there's no /etc/host.conf (or /etc/hosts) within the
> chroot tree, it falls back to doing a DNS lookup on d.c.b.a.in-addr.arpa
> and this fails because the nameserver is not currently accessible
> (it knows where to ask because the PrivSep process's parent has had
> a look through resolv.conf before fork()ing).
>
> Since the addresses in question are all private addresses that don't
> exist in the DNS (I use /etc/hosts for them all), the DNS lookup isn't
> going to return useful information in any case.
>
> Has anyone else bumped into this? What is the recommended solution?
> The two solutions I can think of are:
> 1) Install /etc/host.conf and /etc/hosts into /var/empty. This raises
> the difficulty of remembering to keep them up to date.
> 2) Running a local named that is authoritative for my private addresses.
> I'd prefer not to do this for a variety of reasons.

3) Configure split-horizon DNS so that only those within your local
network see local information

and/or

4) Turn off reverse address lookups in ssh. There are largely two
different schools of thought on their value, one of which has a
reasonable argument for reverse lookups being pretty much pointless
given how little it is configured properly/data is accurate, combined
with the marginal security value/false sense of security it offers
(without "secure" DNS offering authenticated responses)

and/or

5) Instead of installing BIND, install a caching-only resolver such as
DJB's dnscache in your chroot.

I'd personally do 3, and maybe 4. Whatever you do, consider getting rid
of /etc/hosts. It can cause no end of fun when things get out of sync
(especially when configured to be consulted first.)

Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
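Added example, not code from this thread or from either poster: a small POSIX sh audit that, given a privsep chroot directory and an sshd_config, reports whether the chrooted resolver can only go to DNS (the stall Peter describes), whether a hosts/host.conf copy placed in the chroot under option 1 has drifted from the system file (the keep-up-to-date problem he raises), and whether reverse lookups are switched off (option 4). The thread names no sshd option; the example assumes the current OpenSSH directive UseDNS (default yes) is that switch. The chroot, /etc directory and sshd_config it builds under mktemp are constructed samples; nothing touches the real /etc or sshd.

```sh
#!/bin/sh
# Added example, not code from the thread. Audits whether an sshd
# privilege-separation chroot can stall on reverse DNS, and whether
# resolver files copied into it have drifted from the system copies.
# Assumption: "UseDNS" (default yes) is the sshd_config switch for
# reverse lookups; the thread itself does not name the option.

# Effective UseDNS value from an sshd_config. sshd takes the first
# occurrence of a keyword and matches keywords case-insensitively;
# a missing or commented-out line means the default, "yes".
sshd_usedns() {
    awk 'tolower($1) == "usedns" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# What the libc resolver can consult inside the chroot. With neither
# /etc/host.conf nor /etc/hosts under the chroot root, the only source
# left is DNS, via the nameserver the parent read from resolv.conf
# before fork(); if that server is unreachable the lookup blocks until
# the resolver times out, which is the slow login.
chroot_resolver_state() {
    if [ -f "$1/etc/host.conf" ] || [ -f "$1/etc/hosts" ]; then
        printf 'local-files\n'
    else
        printf 'dns-only\n'
    fi
}

# Option 1 copies hosts/host.conf into the chroot; report whether the
# copy still matches the system file.
#   $1 = chroot root, $2 = system /etc directory, $3 = file name
chroot_copy_state() {
    if [ ! -f "$1/etc/$3" ]; then
        printf 'absent\n'
    elif [ ! -f "$2/$3" ]; then
        printf 'no-system-file\n'
    elif cmp -s "$1/etc/$3" "$2/$3"; then
        printf 'in-sync\n'
    else
        printf 'stale\n'
    fi
}

# Verdict for one host: $1 = chroot root, $2 = sshd_config.
#   none  - reverse lookups disabled, chroot contents irrelevant
#   stall - lookup can only go to DNS from inside the chroot
#   local - hosts/host.conf present in the chroot
reverse_lookup_risk() {
    if [ "$(sshd_usedns "$2")" = "no" ]; then
        printf 'none\n'
        return 0
    fi
    case $(chroot_resolver_state "$1") in
        dns-only) printf 'stall\n' ;;
        *)        printf 'local\n' ;;
    esac
}

# Demo on a constructed layout: an empty chroot like /var/empty, a
# sample system /etc/hosts and a sample sshd_config.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/chroot" "$tmp/etc"
    printf '127.0.0.1 localhost\n10.0.0.5 box1\n' > "$tmp/etc/hosts"
    printf 'Port 22\n#UseDNS no\n' > "$tmp/sshd_config"
    echo "empty chroot, UseDNS default: $(reverse_lookup_risk "$tmp/chroot" "$tmp/sshd_config")"
    mkdir -p "$tmp/chroot/etc"
    cp "$tmp/etc/hosts" "$tmp/chroot/etc/hosts"
    echo "hosts copied into chroot:     $(reverse_lookup_risk "$tmp/chroot" "$tmp/sshd_config")"
    echo "copy state:                   $(chroot_copy_state "$tmp/chroot" "$tmp/etc" hosts)"
    printf '10.0.0.6 box2\n' >> "$tmp/etc/hosts"
    echo "after system hosts changed:   $(chroot_copy_state "$tmp/chroot" "$tmp/etc" hosts)"
    printf 'UseDNS no\n' > "$tmp/sshd_config"
    echo "UseDNS no:                    $(reverse_lookup_risk "$tmp/chroot" "$tmp/sshd_config")"
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the four states; to audit a real host, call reverse_lookup_risk /var/empty /etc/ssh/sshd_config and chroot_copy_state /var/empty /etc hosts directly (the "stale" result is the drift Peter is worried about with option 1).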