Date: Fri, 23 Dec 2005 17:26:41 -0500 From: James Tanis <jtanis@pycoder.org> To: Lowell Gilbert <freebsd-stable-local@be-well.ilk.org> Cc: stable@freebsd.org, "Michael A. Koerber" <mak@ll.mit.edu>, Marian Hettwer <MH@kernel32.de> Subject: Re: SSH login takes very long time...sometimes Message-ID: <65dcde740512231426u199dea1aob6c54b89056c7a82@mail.gmail.com> In-Reply-To: <44irtf3mxr.fsf@be-well.ilk.org> References: <43ABF6E4.2090908@ll.mit.edu> <001301c607c4$e04e2540$80cea8c0@home1> <43AC0160.4070108@kernel32.de> <44irtf3mxr.fsf@be-well.ilk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
What reason is that? A reverse-lookup is no longer really a valid way of filtering out the undesireable unless your lucky enough to be dealing only with those who have the knowledge and ability to control those entries. Most residential ips either have no reverse-lookup or it's set to some long painful textual conglomeration devised by the isp (although at the isp I work at we will set it per some users requests..). Anyway, to make a long story short, you end up locking out or at the very least delaying (for up to several minutes) the very people who use it. I can definately see the sysadmin side of it though were its used perhaps to remotely access a data center from a satellite location -- you don't much want or care that a residential ip has problems connecting to the server. It just definately doesn't seem to me a "last resort" option, at the drop of a hat someone can change their hostname to match their reverse dns and back again -- setting up a good packet filter to filter out all but the desired ip ranges seems a much more reliable method. On 23 Dec 2005 09:30:56 -0500, Lowell Gilbert <freebsd-stable-local@be-well.ilk.org> wrote: > Marian Hettwer <MH@kernel32.de> writes: > > > Hej there, > > > > Kobi Shmueli wrote: > > > Try checking /etc/resolv.conf on oboe first, adding a static entry to > > > /etc/hosts of the remote ip/host should speed dns checks as well. > > > You can also run ssh in verbose mode (ssh -v oboe) or/and run sshd in= debug > > > mode (sshd -d). > > > > > alternativly to check out wether it's dns related, you use set the > > Option "UseDNS no" in your sshd_config, so sshd won't try a reverse > > dns lookup. > > Give it a shoot. Usually ssh timeouts are related to DNS... > > That should be a last resort; the hostname checks are there for a > reason... > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" > -- James Tanis jtanis@pycoder.org http://pycoder.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?65dcde740512231426u199dea1aob6c54b89056c7a82>