From: Chris Johnson
To: questions@freebsd.org
Date: Thu, 26 Feb 2004 18:39:59 -0500
Subject: ssh/DNS timeout issue

I've installed FreeBSD-5.2.1-RELEASE on two different boxes, and they're both exhibiting the same odd problem with DNS timeouts on ssh logins. Before you say, "Fix your reverse DNS!," please hear me out.

When I make an ssh connection to one of these boxes, I get a password prompt instantly--there's no delay at all. I watch the DNS server's log and I see the reverse DNS request being asked and answered. After I enter the correct password, however, I get the long delay, and as I watch the DNS server's log I see the reverse DNS request being asked and answered repeatedly, but the answer apparently isn't being received.

If I copy ~/.ssh/id_dsa.pub on the client to ~/.ssh/authorized_keys on the box to which I'm trying to connect and then log in using public key authentication, then I can log in without any DNS delays.

If I use opie passwords to log in, I get the same DNS delay. If, however, I just hit Enter instead of entering my opie password until I'm presented with a regular password prompt and then enter my password, then I can log in with no DNS delay.

It occurs to me that the common denominator is PAM. When PAM becomes involved with my logging in, I get the long delays. I changed ChallengeResponseAuthentication to "no" in sshd_config, restarted sshd, and sure enough the delays vanished. I need opie passwords, however, so this isn't an option for me.

Everything in sshd_config is set to the default, except that I allow only protocol 2.

Does anyone know what the deal is?

Chris Johnson