From: Gavin Atkinson
Date: Mon, 22 Sep 2003 20:35:47 +0100 (BST)
To: Pete French
Cc: stable@freebsd.org
Subject: RE: Very slow SSh since upgrading machines to RELENG_4_8
Message-ID: <20030922202805.E11498@ury.york.ac.uk>

On Mon, 22 Sep 2003, Pete French wrote:

> > This sounds suspiciously like DNS timing out. I seem to remember this is
> > due to the fact the default config of sshd now enables privilege
> > separation. sshd chroots into /var/empty and therefore can't access
> > /etc/hosts, /etc/nsswitch.conf, /etc/resolv.conf etc.
>
> O.K., that sounds like it's the problem - though doesn't explain why the
> timeout only occurs between machines on the same subnet, rather than
> those on differing subnets. I'll give it a go. Possibly the split
> horizon DNS should be my best option, though it's not something I've
> ever done before and am thus slightly reticent...

Before going down this route, it may be worth testing to make sure this is
the cause by setting "UsePrivilegeSeparation No" in sshd_config. This
configuration is less secure, however, so while you can test it, it's
probably not a good idea to use it in production.

As to why it only affects machines on the same subnet, without knowing more
about the network it's hard to say. Are the two subnets within the same
domain and served by the same DNS servers, or are all hosts in each other's
host files? Does each machine have an entry in its own host file?

Try running tcpdump to see what DNS requests (if any) are actually going out
on the wire, and which server they are aimed at, though I have a suspicion
you won't see any DNS requests.

Gavin
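The two checks Gavin suggests above (confirm what sshd_config actually sets for UsePrivilegeSeparation, then look at which DNS queries leave the box) as an added example in POSIX sh. This is not code from the thread or from FreeBSD; it assumes the tcpdump text format produced by "tcpdump -n udp port 53" (source, ">", destination ending in ".53:", query id, then a type such as "A?" or "PTR?"), and it assumes the default of "yes" the thread is discussing when the directive is absent. The sshd_config and tcpdump files it reads are constructed for the example, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original mail. Sample inputs below are
# constructed; addresses come from the RFC 5737 documentation ranges.

# Print the effective UsePrivilegeSeparation value from the given sshd_config.
# sshd keywords are case-insensitive and the first occurrence wins; lines
# whose first token is a comment ("#UsePrivilegeSeparation yes") are ignored.
# If the directive is absent, print "yes", the default assumed in the thread.
sshd_privsep_setting() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Count DNS queries in tcpdump text output. A query line looks like
#   HH:MM:SS.uuuuuu IP <src>.<port> > <server>.53: <id>+ <TYPE>? <name>. (<len>)
# so field 5 (destination) ends in ".53:" and field 7 (type) ends in "?".
# Response lines have the server as source and therefore do not match.
dns_query_count() {
    awk '$2 == "IP" && $5 ~ /\.53:$/ && $7 ~ /\?$/ { n++ } END { print n + 0 }' "$1"
}

# Print the distinct servers that queries were sent to, one per line,
# so a query aimed at an unexpected or unreachable resolver stands out.
dns_servers_queried() {
    awk '$2 == "IP" && $5 ~ /\.53:$/ && $7 ~ /\?$/ { sub(/\.53:$/, "", $5); print $5 }' "$1" | sort -u
}

# Write the constructed sample inputs into a scratch directory and print its path.
write_samples() {
    dir="${TMPDIR:-/tmp}/sshd-dns-example.$$"
    mkdir -p "$dir"
    cat > "$dir/sshd_config.default" <<'EOF'
# constructed sshd_config: directive commented out, so the default applies
#UsePrivilegeSeparation yes
Port 22
EOF
    cat > "$dir/sshd_config.test" <<'EOF'
# constructed sshd_config for the one-off test described in the mail;
# the first occurrence of the keyword is the one sshd honours
Port 22
useprivilegeseparation no
UsePrivilegeSeparation yes
EOF
    cat > "$dir/tcpdump.txt" <<'EOF'
20:35:47.100001 IP 192.0.2.10.1025 > 192.0.2.53.53: 4120+ PTR? 20.2.0.192.in-addr.arpa. (44)
20:35:47.100420 IP 192.0.2.53.53 > 192.0.2.10.1025: 4120 1/0/0 PTR client.example. (66)
20:35:47.100900 IP 192.0.2.10.1026 > 192.0.2.53.53: 4121+ A? client.example. (32)
20:35:52.101000 IP 192.0.2.10.1027 > 198.51.100.53.53: 4122+ A? client.example. (32)
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demonstration over the constructed files.
SAMPLES=$(write_samples)
echo "default config -> UsePrivilegeSeparation $(sshd_privsep_setting "$SAMPLES/sshd_config.default")"
echo "test config    -> UsePrivilegeSeparation $(sshd_privsep_setting "$SAMPLES/sshd_config.test")"
echo "DNS queries seen: $(dns_query_count "$SAMPLES/tcpdump.txt")"
echo "servers queried:"
dns_servers_queried "$SAMPLES/tcpdump.txt"
```

On a real host, point dns_query_count and dns_servers_queried at the saved output of "tcpdump -n udp port 53" taken while an ssh connection is being established; a count of zero alongside a slow login matches Gavin's suspicion that the chrooted sshd never gets as far as sending a query, whereas queries to a server that never answers point at the resolver itself.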