From: James Tanis
Date: Fri, 23 Dec 2005 17:26:41 -0500
To: Lowell Gilbert
Cc: stable@freebsd.org, "Michael A. Koerber", Marian Hettwer
Subject: Re: SSH login takes very long time...sometimes

What reason is that? A reverse-lookup is no longer really a valid way of
filtering out the undesirable unless you're lucky enough to be dealing
only with those who have the knowledge and ability to control those
entries. Most residential IPs either have no reverse-lookup or it's set
to some long painful textual conglomeration devised by the ISP (although
at the ISP I work at we will set it per some users' requests..). Anyway,
to make a long story short, you end up locking out or at the very least
delaying (for up to several minutes) the very people who use it.

I can definitely see the sysadmin side of it though, where it's used
perhaps to remotely access a data center from a satellite location --
you don't much want or care that a residential IP has problems
connecting to the server. It just definitely doesn't seem to me a "last
resort" option; at the drop of a hat someone can change their hostname
to match their reverse DNS and back again -- setting up a good packet
filter to filter out all but the desired IP ranges seems a much more
reliable method.

On 23 Dec 2005 09:30:56 -0500, Lowell Gilbert wrote:
> Marian Hettwer writes:
>
> > Hej there,
> >
> > Kobi Shmueli wrote:
> > > Try checking /etc/resolv.conf on oboe first, adding a static entry to
> > > /etc/hosts of the remote ip/host should speed dns checks as well.
> > > You can also run ssh in verbose mode (ssh -v oboe) or/and run sshd in debug
> > > mode (sshd -d).
> > >
> > alternatively to check out whether it's dns related, you can set the
> > Option "UseDNS no" in your sshd_config, so sshd won't try a reverse
> > dns lookup.
> > Give it a shot. Usually ssh timeouts are related to DNS...
>
> That should be a last resort; the hostname checks are there for a
> reason...
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>

--
James Tanis
jtanis@pycoder.org
http://pycoder.org
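
The two approaches contrasted in this thread, the hostname check sshd performs when UseDNS is enabled and a filter on source address ranges, as an added example that is not part of the original message. The DNS records, the 192.0.2.0/24 office range and all function names are constructed for illustration; the lookups are simulated so it runs offline.

```python
import ipaddress

# Constructed DNS data on documentation address ranges; stands in for live
# PTR/A lookups so the example runs offline.
PTR = {"192.0.2.10": "office-gw.example.org",
       "198.51.100.7": "trusted.example.org"}
A = {"office-gw.example.org": ["192.0.2.10"],
     "trusted.example.org": ["192.0.2.99"]}      # does not map back
UNRESPONSIVE = {"203.0.113.50"}  # reverse zone whose name servers never answer
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical office range


def reverse_lookup(addr):
    """Simulated PTR query; a real one blocks until the resolver gives up."""
    if addr in UNRESPONSIVE:
        raise TimeoutError(addr)
    return PTR.get(addr)


def hostname_check(addr):
    """PTR lookup, then confirm the returned name resolves back to addr."""
    try:
        name = reverse_lookup(addr)
    except TimeoutError:
        return "timeout"         # the login stalls for the resolver timeout
    if name is None:
        return "no-ptr"          # common for residential addresses
    if addr not in A.get(name, []):
        return "mismatch"        # PTR claims a name that does not point back
    return "confirmed"


def address_allowed(addr):
    """Range check on the source address itself; no DNS involved."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)


def evaluate(addr):
    """Return (hostname check result, allowed by address range)."""
    return (hostname_check(addr), address_allowed(addr))


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.50", "192.0.2.77"):
        print(addr, *evaluate(addr))
```

The last address shows the case raised in the message: a host inside the permitted range with no PTR record passes the range filter immediately but never gets a confirmed hostname.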