Date: Sat, 13 Mar 2004 13:17:05 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Sameer <ssheikh2000@hotmail.com>
Cc: questions@freebsd.org
Subject: Re: it takes a long long long time to time-out a login attempt
Message-ID: <20040313131705.GE98015@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <BAY2-DAV64e0NdTET4Q0002791e@hotmail.com>
References: <BAY2-DAV64e0NdTET4Q0002791e@hotmail.com>
On Sat, Mar 13, 2004 at 04:21:58AM -0800, Sameer wrote:
> I'm trying to ssh into my FreeBSD (5.2.1-release sparc version) box from my
> desktop, however, it'll take a few seconds for the "login as" prompt to
> appear. I enter the user name and hit enter. The login attempt then sits
> there for about 90 seconds w/o asking for the password, then the connection
> times out.
>
> Any ideas what's causing this? Do I need to put the workstation's
> information into the hosts file or something?
>
> The funny thing is that when I ssh from another server that's on the same
> VLAN as the FreeBSD box (I should mention that the workstation is on a
> different VLAN) the login process happens immediately.

Sounds like classic DNS timeout problems. When you ssh into a box, it will look up the IP number you're coming from in the DNS, and then look up the hostname it derives from that to make sure that the IP number appears as listed for that address. This is a measure to prevent people spoofing some other hostname and so getting increased access.

The problem is not so much that there isn't a record for the machine you're coming from accessible to the target machine, but that the attempt to look up the address/IP numbers never returns any (even an error) response. That forces the resolver on the target machine to wait for the full DNS timeout period (30s per server), which feels a lot longer than it sounds.

If your target machine is unable to access the Internet root servers you'll see this sort of effect. The answer is to generate your own root zone on the servers on your intranet -- the 'DNS and BIND' book by Albitz and Liu will explain how to do that, and there are no doubt many HOWTOs you can Google for.
Given this fake root zone, your servers should return an NXDomain error within milliseconds for any address it doesn't have any record of.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
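The reverse-then-forward lookup that the reply describes (and the difference between a quick NXDOMAIN and a server that never answers) can be seen in this added example; it is not code from the thread or from sshd. It assumes a hypothetical `fcrdns_check` helper and a constructed stand-in resolver so that it runs offline; the real `reverse_lookup`/`forward_lookup` defaults use the system resolver.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FuturesTimeout

def reverse_lookup(ip):
    """IP -> hostname via the system resolver (PTR record)."""
    return socket.gethostbyaddr(ip)[0]

def forward_lookup(name):
    """hostname -> set of IPs via the system resolver (A/AAAA records)."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def fcrdns_check(ip, reverse=reverse_lookup, forward=forward_lookup, timeout=2.0):
    """Forward-confirmed reverse DNS, the check the reply describes: look up the
    client's IP, then look up that hostname and require the IP to be among its
    addresses. Returns 'verified', 'mismatch', 'no-record' or 'timeout'. A
    resolver that never answers is cut off after `timeout` seconds instead of
    the libc default of 30s per server (hypothetical helper, not sshd's code)."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        name = pool.submit(reverse, ip).result(timeout=timeout)
        addrs = pool.submit(forward, name).result(timeout=timeout)
    except FuturesTimeout:
        return "timeout"
    except (socket.herror, socket.gaierror):
        return "no-record"         # NXDOMAIN is an error *answer*, so it is fast
    finally:
        pool.shutdown(wait=False)  # do not block on a lookup that is still hanging
    return "verified" if ip in addrs else "mismatch"

# Constructed stand-in resolver data (not real DNS records) so the check runs offline.
PTR = {"192.0.2.10": "good.example.net", "192.0.2.20": "spoof.example.net"}
A = {"good.example.net": {"192.0.2.10"}, "spoof.example.net": {"192.0.2.99"}}

def fake_reverse(ip):
    if ip == "192.0.2.30":
        time.sleep(3)              # a server that never replies, as in the thread
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")  # the quick NXDOMAIN case
    return PTR[ip]

def fake_forward(name):
    return A[name]
```

With a working root zone the "no-record" path is what an unknown client address produces; the "timeout" path is what the original poster was seeing for the whole 90 seconds.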
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040313131705.GE98015>