From owner-freebsd-stable@FreeBSD.ORG Fri Feb 17 21:34:09 2006
Message-ID: <43F64321.9020409@asd.aplus.net>
Date: Fri, 17 Feb 2006 13:41:53 -0800
From: Atanas
To: Mike Tancsa
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH login takes very long time...sometimes
In-Reply-To: <6.2.3.4.0.20060217144657.08e16cc8@64.7.153.2>
References: <59e2ee810512250841t75157e62rec9dc389ac716534@mail.gmail.com>
 <20051227101621.GA16276@walton.maths.tcd.ie>
 <86irrfoix5.fsf@xps.des.no>
 <43F4E3B0.1090806@asd.aplus.net>
 <43F514BD.608@cytexbg.com>
 <43F5322C.1090603@asd.aplus.net>
 <6.2.3.4.0.20060217144657.08e16cc8@64.7.153.2>

Mike Tancsa said the following on 02/17/06 11:50:
> At 09:17 PM 16/02/2006, Atanas wrote:
>
>> Does anybody know whether ipfw (or something else within FreeBSD-4) is
>> capable of setting connection rate limits?
>
> Why not just launch sshd out of inetd ?
>

Primarily because of the big scare sign in the sshd man page:

     -i      Specifies that sshd is being run from inetd(8).  sshd is normally
             not run from inetd because it needs to generate the server key
             before it can respond to the client, and this may take tens of
                                                                      ^^^^^^^
             seconds.  Clients would have to wait too long if the key was
             ^^^^^^^
             regenerated every time.  However, with small key sizes (e.g., 512)
             using sshd from inetd may be feasible.

It was my fault not verifying how much time it really takes. I just tested
it on a couple of machines, and it seems to be way faster:

# time ssh blah@6-STABLE-2048-bit-inetd
real    0m0.669s
user    0m0.012s
sys     0m0.000s

# time ssh blah@5-STABLE-1024-bit-inetd
real    0m0.374s
user    0m0.000s
sys     0m0.008s

# time ssh blah@5-STABLE-1024-bit-daemon
real    0m0.348s
user    0m0.000s
sys     0m0.008s

I ran this multiple times. The first one defaults to a 2048-bit key (a
6-STABLE based box), the second one to 1048 bit (5.4), the third one to a
standalone ssh daemon. So what the man page says about the timings could
have been true some 10 years ago, but not now.

> Start up inetd with -wWl -C 5
>
> In inetd.conf
> ssh stream tcp nowait root /usr/sbin/sshd /usr/sbin/sshd -i
>
> This will allow 5 connections per min from a single IP.
>

Yeah, I still use it to run (pro)ftpd, and never had problems with that.
It's also possible to specify per-entry limits, like:

ftp  stream tcp nowait/100/60/10 root /usr/libexec/ftpd ftpd -l
ssh  stream tcp nowait/50/10/5   root /usr/sbin/sshd    sshd -i

50/10/5 = max-children/max-conn-per-ip-per-minute/max-child-per-ip

Regards,
Atanas
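Added example (not part of the thread, and not FreeBSD's inetd code): a small Python model of the inetd.conf flags field discussed above. It parses the wait/nowait[/max-child[/max-conn-per-ip-per-minute[/max-child-per-ip]]] sub-fields, applies an inetd -C style default when an entry omits the per-minute count, and replays a constructed burst of connection attempts against the per-IP-per-minute limit so you can see which attempts would be served and which refused. The inetd.conf excerpt and the attempt timestamps are constructed for the example; the limiter is a simplified sliding-window approximation and does not model inetd's penalty behaviour after the limit is hit (see inetd(8) for the real semantics).

```python
from collections import defaultdict, deque

# Constructed inetd.conf excerpt (not copied from any real system). The ftp and
# ssh lines mirror the per-entry limits quoted in the thread; the telnet line
# carries no limits, so inetd's -C default applies to it.
SAMPLE_INETD_CONF = """\
# service socket proto  flags             user  program               args
ftp       stream tcp    nowait/100/60/10  root  /usr/libexec/ftpd     ftpd -l
ssh       stream tcp    nowait/50/10/5    root  /usr/sbin/sshd        sshd -i
telnet    stream tcp    nowait            root  /usr/libexec/telnetd  telnetd
"""


def parse_flags(flags, default_per_ip_per_min=None):
    """Split wait|nowait[/max-child[/max-conn-per-ip-per-min[/max-child-per-ip]]].

    Missing or empty sub-fields mean "unlimited" (None), except the per-IP
    per-minute count, which falls back to the value passed for inetd's -C
    switch (the thread's example starts inetd with -C 5).
    """
    parts = flags.split("/")
    if parts[0] not in ("wait", "nowait"):
        raise ValueError("flags field must start with wait or nowait: %r" % flags)
    if len(parts) > 4:
        raise ValueError("too many sub-fields in %r" % flags)

    def field(i):
        return int(parts[i]) if len(parts) > i and parts[i] != "" else None

    per_ip = field(2)
    return {
        "mode": parts[0],
        "max_child": field(1),
        "max_conn_per_ip_per_min": per_ip if per_ip is not None else default_per_ip_per_min,
        "max_child_per_ip": field(3),
    }


def parse_inetd_conf(text, default_per_ip_per_min=None):
    """Return {service: limits} for every active (non-comment) inetd.conf entry."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # service socket-type proto flags user server-program [args...]
        fields = line.split(None, 6)
        if len(fields) < 6:
            raise ValueError("malformed entry: %r" % line)
        services[fields[0]] = parse_flags(fields[3], default_per_ip_per_min)
    return services


class PerIpRateLimiter:
    """Sliding one-minute window per source address (simplified inetd model).

    An attempt is refused while `limit` earlier accepted attempts from the same
    address fall inside the last 60 seconds. Refused attempts are not counted,
    and inetd's post-limit penalty period is deliberately not modelled.
    """

    def __init__(self, limit):
        self.limit = limit                 # None means unlimited
        self.seen = defaultdict(deque)     # ip -> timestamps of accepted attempts

    def allow(self, ip, now):
        window = self.seen[ip]
        while window and now - window[0] >= 60:
            window.popleft()               # drop attempts older than one minute
        if self.limit is not None and len(window) >= self.limit:
            return False
        window.append(now)
        return True


def simulate(conf_text, service, attempts, default_per_ip_per_min=None):
    """Replay (ip, seconds) attempts against one service's per-IP limit.

    Returns one boolean per attempt: True if the modelled inetd would spawn
    the server for it, False if it would refuse the connection.
    """
    limits = parse_inetd_conf(conf_text, default_per_ip_per_min)[service]
    limiter = PerIpRateLimiter(limits["max_conn_per_ip_per_min"])
    return [limiter.allow(ip, t) for ip, t in attempts]


if __name__ == "__main__":
    # Constructed burst: 12 attempts in 12 seconds from one address, one attempt
    # from a second address, then a retry from the first address two minutes later.
    burst = [("192.0.2.10", t) for t in range(12)]
    burst += [("192.0.2.20", 5), ("192.0.2.10", 120)]
    for (ip, t), ok in zip(burst, simulate(SAMPLE_INETD_CONF, "ssh", burst)):
        print("t=%3ds %-12s %s" % (t, ip, "accepted" if ok else "refused"))
```

With the ssh entry's limit of 10 per IP per minute, the first ten attempts from 192.0.2.10 are served, the 11th and 12th are refused, the other address is unaffected, and the retry two minutes later is served again once the window has emptied. The same replay against the telnet entry shows how the -C default (5 here) caps services whose entries carry no explicit limit.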