Date: Sat, 1 Feb 2003 21:53:10 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Michael Bryan <fbsd-secure@ursine.com>
Cc: Ralph Dratman <ralph@maxsoft.com>, freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <20030202035310.GA14640@opus.celabo.org>
In-Reply-To: <3E3B1D71.21CFBD42@ursine.com>
References: <v04210102ba60a5a98b9c@[192.168.1.27]> <3E3B1D71.21CFBD42@ursine.com>

On Fri, Jan 31, 2003 at 05:05:53PM -0800, Michael Bryan wrote:
> There was a bug in older versions of OpenSSH, with symptoms exactly
> matching what you're seeing.  For every connection, sshd would do
> a DNS lookup of the special krb5-realm domain.  (It did this even
> if Kerberos support was disabled.)  However, it would start out by
> looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine.
> Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com,
> then krb5-realm.com.  If the nameservers set up to host krb5-realm.com
> stop responding to requests, then these DNS lookups take a long time,
> waiting to eventually time out.

Actually, that was a Heimdal (not OpenSSH) mis-feature.  See
src/crypto/heimdal/lib/krb5/get_host_realm.c:dns_find_realm for the
current state of affairs.

Cheers,
-- 
Jacques A. Vidrine <nectar@celabo.org>          http://www.celabo.org/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
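
The lookup walk described in the quoted message, as an added example that is not part of the original e-mail and is not Heimdal's code: it lists the names queried for one host and counts how many fall outside the site's own zone, which is where the login delay depends on third-party nameservers. The function names, the local-zone parameter and the sample host are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define PREFIX "krb5-realm."  /* lookup label named in the quoted message */

/* 1 if name equals zone or is a subdomain of it (case-insensitive). */
int in_zone(const char *name, const char *zone)
{
    size_t n = strlen(name), z = strlen(zone);
    if (n < z || strcasecmp(name + n - z, zone) != 0)
        return 0;
    return n == z || name[n - z - 1] == '.';
}

/* Walk up from the host's parent domain, one label at a time, storing each
 * candidate query name in out[]. Returns the number of candidates; *escaped
 * counts those outside local_zone, i.e. answered by someone else's servers. */
int realm_lookup_walk(const char *host, const char *local_zone,
                      char out[][256], int max, int *escaped)
{
    int count = 0;
    const char *dom = strchr(host, '.');      /* drop the host label */

    *escaped = 0;
    while (dom != NULL && dom[1] != '\0' && count < max) {
        dom++;                                /* skip the dot */
        snprintf(out[count], 256, PREFIX "%s", dom);
        if (!in_zone(dom, local_zone))
            (*escaped)++;
        count++;
        dom = strchr(dom, '.');
    }
    return count;
}

int main(void)
{
    char names[8][256];
    int escaped, i, n;

    /* Constructed host name built from the placeholders in the message. */
    n = realm_lookup_walk("host.yoursubdomain.yourdomain.com",
                          "yourdomain.com", names, 8, &escaped);
    for (i = 0; i < n; i++)
        printf("%s\n", names[i]);
    printf("%d of %d lookups leave yourdomain.com\n", escaped, n);
    return 0;
}
```

Host and zone names are expected without a trailing dot.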