Date:      Mon, 22 Sep 2003 20:35:47 +0100 (BST)
From:      Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To:        Pete French <pfrench@firstcallgroup.co.uk>
Cc:        stable@freebsd.org
Subject:   RE: Very slow SSh since upgrading machines to RELENG_4_8
Message-ID:  <20030922202805.E11498@ury.york.ac.uk>
In-Reply-To: <E1A1Sn8-0008Ss-00@mailhost.firstcallgroup.co.uk>
References:  <E1A1Sn8-0008Ss-00@mailhost.firstcallgroup.co.uk>

On Mon, 22 Sep 2003, Pete French wrote:
> > This sounds suspiciously like DNS timing out. I seem to remember this is
> > due to the fact the default config of sshd now enables privilege
> > separation. sshd chroots into /var/empty and therefore can't access
> > /etc/hosts, /etc/nsswitch.conf, /etc/resolv.conf etc.
>
> O.K., that sounds like it's the problem - though it doesn't explain why the
> timeout only occurs between machines on the same subnet, rather than
> those on differing subnets. I'll give it a go. Possibly the split
> horizon DNS should be my best option, though it's not something I've
> ever done before and am thus slightly reticent...

Before going down this route, it may be worth testing to make sure this is
the cause by setting "UsePrivilegeSeparation No" in sshd_config. This
configuration is less secure however, so while you can test with it, it's
probably not a good idea to use it in production.

As to why it only affects machines on the same subnet, without knowing
more about the network it's hard to say. Are the two subnets within the
same domain and served by the same DNS servers, or are all hosts in each
other's host files? Does each machine have an entry in its own host file?
Try running tcpdump to see what DNS requests (if any) are actually going
out on the wire, and which server they are aimed at, though I have a
suspicion you won't see any DNS requests.

Gavin
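An added shell helper, not part of Gavin's message or of FreeBSD's own tooling, for the two checks discussed above without touching the live configuration: it reports the effective UsePrivilegeSeparation value from an sshd_config (first occurrence wins and the default is yes, as sshd parses it) and lists which of the resolver files named in the thread are absent from the directory the privsep child is chrooted into. The config path and chroot path are arguments; the run at the bottom uses a constructed config and an empty temporary directory standing in for /var/empty.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread). Assumes the
# "Keyword value" form of sshd_config lines; the "Keyword=value" form is not parsed.

# Effective value of a keyword: comment lines are skipped, the first match
# wins (sshd uses the first obtained value), keyword match is case-insensitive,
# and the supplied default is printed when the keyword is absent.
sshd_option() {
    config="$1"; keyword="$2"; default="$3"
    value=$(awk -v kw="$keyword" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(kw) && NF >= 2 { print $2; exit }
    ' "$config")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# Prints each resolver file the chrooted privsep child would need but cannot
# read under the given chroot directory; returns 1 if any is missing, 0 otherwise.
missing_resolver_files() {
    chroot_dir="$1"; missing=0
    for f in etc/hosts etc/nsswitch.conf etc/resolv.conf; do
        if [ ! -r "$chroot_dir/$f" ]; then
            echo "missing: $chroot_dir/$f"; missing=1
        fi
    done
    return $missing
}

# --- self-contained run with a constructed config and an empty chroot dir ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample: commented line ignored, first live setting wins
#UsePrivilegeSeparation no
usePrivilegeSeparation yes
UsePrivilegeSeparation no
EOF
mkdir -p "$demo_dir/var/empty"

echo "UsePrivilegeSeparation = $(sshd_option "$demo_dir/sshd_config" UsePrivilegeSeparation yes)"
missing_resolver_files "$demo_dir/var/empty" || echo "privsep child cannot resolve names from these files"
rm -rf "$demo_dir"
```

On a real host, point the two functions at /etc/ssh/sshd_config and /var/empty; a "yes" result together with missing resolver files is consistent with the diagnosis in the thread, which the tcpdump check then confirms or rules out.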