Message-ID: <5B50FB91.4080903@gmail.com>
Date: Thu, 19 Jul 2018 16:58:57 -0400
From: Ernie Luzar
To: byrnejb@harte-lyne.ca
CC: freebsd-questions@freebsd.org
Subject: Re: FreeBSD-11.1 Jails and SSL

James B. Byrne via freebsd-questions wrote:
> I notice a distinct delay when connecting to a jail using ssh. There
> is no delay when I connect to the jail's host. The jail is running
> local_unbound and sshd_config contains the same settings as the host,
> with the necessary changes for the service IP and such.
>
> I ran ssh with -vv and the connection is instantaneous up to this point:
>
> . . .
> debug1: SSH2_MSG_NEWKEYS received
> debug2: key: /root/.ssh/id_rsa (0x80208e200)
> debug2: key: /root/.ssh/id_dsa (0x0)
> debug2: key: /root/.ssh/id_ecdsa (0x80208e180)
> debug2: key: /root/.ssh/id_ed25519 (0x80208e040)
> debug1: SSH2_MSG_EXT_INFO received
> debug1: Fssh_kex_input_ext_info:
> server-sig-algs=
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
>
> Then there is a long delay (~18s) after which the pre login text appears
>
> !Warning!! - Any deliberate attempt to access this resource without
> legitimate authorization is a criminal offence
> (R.S.C. 1985, c. C-46 - Section 342.1).
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /root/.ssh/id_rsa
> debug2: we sent a publickey packet, wait for reply
> debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
> debug2: input_userauth_pk_ok: fp
> SHA256:cJBXJBwve7zD8D1AM24vWsFYwrhz68ntuYbEiaxLp94
>
> Then another delay of approximately 13s before the login prompt appears.
>
> Connecting to that jail's host exhibits no delay whatsoever. The
> uptime counts on both the jail and the host are similar.
>
> Jail: 4:08PM up 15 days, 5:25, 1 users, load averages: 0.28, 0.43, 0.41
>
> Host: 4:09PM up 15 days, 5:26, 2 users, load averages: 0.32, 0.42, 0.41
>
> What is the reason for the dependency in the connection times? How is
> it fixed?
>

I log in to my jails using ssh all the time without any problems.
local_unbound means local as on the host, not a jail.
Disable local_unbound in the jail and ssh to the jail will work as intended.