From owner-freebsd-bugs Mon Jul 22 12:40:20 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6BA637B401 for ; Mon, 22 Jul 2002 12:40:06 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21F0E43E5E for ; Mon, 22 Jul 2002 12:40:06 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6MJe5JU079181 for ; Mon, 22 Jul 2002 12:40:05 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6MJe5gj079180; Mon, 22 Jul 2002 12:40:05 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3ED0C37B400 for ; Mon, 22 Jul 2002 12:39:28 -0700 (PDT)
Received: from mizantrop.expro.pl (int.expro.pl [217.96.124.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id 356DD43E31 for ; Mon, 22 Jul 2002 12:39:25 -0700 (PDT) (envelope-from winfried@mizantrop.expro.pl)
Received: (from winfried@localhost) by mizantrop.expro.pl (8.11.6/8.11.6) id g6MJcrG00471; Mon, 22 Jul 2002 21:38:53 +0200 (CEST) (envelope-from winfried)
Message-Id: <200207221938.g6MJcrG00471@mizantrop.expro.pl>
Date: Mon, 22 Jul 2002 21:38:53 +0200 (CEST)
From: Jan Srzednicki
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/40894: OpenSSH weird delays
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         40894
>Category:       bin
>Synopsis:       OpenSSH weird delays
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 22 12:40:04 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jan Srzednicki
>Release:        FreeBSD 4.6.1-RELEASE i386
>Organization:
expro.pl
>Environment:
System: FreeBSD mizantrop 4.6.1-RELEASE FreeBSD i386
>Description:
I've noticed some strange behaviour of recent versions of the OpenSSH sshd daemon. When I turn the UDP blackhole on (sysctl net.inet.udp.blackhole=1) and try to ssh to a given machine, the connection stops on:

(..)
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT

After some time (i.e., after _some_ timeout) it continues to the authentication stuff and everything works as it should. I find this delay pretty irritating. It struck me that it only happens on machines on which I don't have named running.. I tcpdumped lo0 on such a machine and that's what I got:

20:48:42.738508 10.0.1.2.1064 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738729 10.0.1.2.1065 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738833 10.0.1.2.1066 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738930 10.0.1.2.1067 > 10.0.1.2.53: 4817+ PTR? 2.1.0.10.in-addr.arpa. (39)

Well, well.

[21:05] mizantrop:~(8)# cat /etc/resolv.conf
nameserver 10.0.1.10
nameserver 10.0.1.11

But.. of course. It doesn't happen when I turn off UsePrivilegeSeparation. The chroot()ed unprivileged process does not have access to /etc/resolv.conf, so it tries to ask on the local interface.. and waits for a timeout.

>How-To-Repeat:
sysctl net.inet.udp.blackhole=1
Configure sshd to use privilege separation.
Set nameservers for this machine.
Kill named or any DNS cache daemon, if needed.
Launch sshd.
And then try to ssh to this host.
tcpdump on lo0 for proof that sshd sends RevDNS queries to localhost.
>Fix:
A simple solution would be just creating etc/resolv.conf in the chroot()ed environment, or forcing sshd not to check RevDNS when in privilege separation mode. Or maybe we should pass the value of /etc/resolv.conf to the unprivileged process before chroot(), and then force it to use these rather than the default /etc/resolv.conf?
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
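The following is an added example, written for this page; it is not part of PR 40894, of the submitter's report, or of OpenSSH. It does two things the report leads to: it checks whether the sshd privilege-separation chroot carries its own etc/resolv.conf and installs a copy if not (the first fix proposed above), and it sends a single PTR query of the same shape as the packets in the tcpdump so that the difference between "nothing listening, ICMP port unreachable comes back" (fast failure) and "nothing listening, net.inet.udp.blackhole=1 suppresses the ICMP" (wait for the full resolver timeout) can be seen directly. The chroot path /var/empty is an assumption (OpenSSH's usual default), every path is a parameter, and the sample resolv.conf content is constructed from the two nameserver lines quoted in the PR.

```python
"""Added example for PR 40894: check/fix the privsep chroot's resolv.conf,
and probe how a dead :53 fails. Not OpenSSH code; /var/empty is assumed."""
import os
import socket
import struct
import tempfile
import time

DEFAULT_PRIVSEP_DIR = "/var/empty"  # assumed OpenSSH default; override freely


def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_privsep_resolv(host_resolv="/etc/resolv.conf",
                         privsep_dir=DEFAULT_PRIVSEP_DIR):
    """Compare what the host resolver sees with what the chroot resolver sees.
    Returns (status, host_servers, chroot_servers); status is 'missing' (no
    etc/resolv.conf in the chroot, so libc falls back to its built-in default
    and the reverse lookup stalls), 'mismatch', or 'ok'."""
    with open(host_resolv) as f:
        host_servers = parse_nameservers(f.read())
    chroot_resolv = os.path.join(privsep_dir, "etc", "resolv.conf")
    if not os.path.exists(chroot_resolv):
        return ("missing", host_servers, [])
    with open(chroot_resolv) as f:
        chroot_servers = parse_nameservers(f.read())
    status = "ok" if chroot_servers == host_servers else "mismatch"
    return (status, host_servers, chroot_servers)


def install_privsep_resolv(host_resolv="/etc/resolv.conf",
                           privsep_dir=DEFAULT_PRIVSEP_DIR):
    """Copy the host resolv.conf into <privsep_dir>/etc (the PR's first fix).
    Re-run whenever the host file changes. Returns the path written."""
    etc = os.path.join(privsep_dir, "etc")
    os.makedirs(etc, exist_ok=True)
    dst = os.path.join(etc, "resolv.conf")
    with open(host_resolv) as src, open(dst, "w") as out:
        out.write(src.read())
    os.chmod(dst, 0o644)  # the unprivileged child must be able to read it
    return dst


def build_ptr_query(ipv4, txid=4817):
    """Minimal DNS PTR query: 12-byte header, QNAME, QTYPE=PTR(12), QCLASS=IN(1).
    For 10.0.1.2 this is the 39-byte packet seen in the tcpdump."""
    name = ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 12, 1)


def probe_resolver(server="127.0.0.1", port=53, timeout=2.0):
    """Send one PTR query and classify the outcome:
    'refused' - ICMP port unreachable came back, failure is immediate;
    'timeout' - nothing came back (udp.blackhole=1 or filtered), which is
                the wait the PR describes, once per resolver attempt;
    'answer'  - something on :53 replied."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((server, port))  # connected UDP so ICMP errors are delivered
        s.send(build_ptr_query("10.0.1.2"))
        s.recv(512)
        return ("answer", time.monotonic() - start)
    except ConnectionRefusedError:
        return ("refused", time.monotonic() - start)
    except socket.timeout:
        return ("timeout", time.monotonic() - start)
    finally:
        s.close()


def demo(sample_resolv="nameserver 10.0.1.10\nnameserver 10.0.1.11\n"):
    """check -> install -> check in a throwaway tree; the sample content is
    constructed from the resolv.conf quoted in the PR. Returns both statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        host = os.path.join(tmp, "resolv.conf")
        with open(host, "w") as f:
            f.write(sample_resolv)
        privsep = os.path.join(tmp, "empty")
        os.makedirs(privsep)
        before = check_privsep_resolv(host, privsep)[0]
        install_privsep_resolv(host, privsep)
        after = check_privsep_resolv(host, privsep)[0]
        return (before, after)


if __name__ == "__main__":
    print("demo:", demo())
    print("probe:", probe_resolver())
```

Run as root on the affected host, `check_privsep_resolv()` reports 'missing' for a stock privsep directory and 'ok' after `install_privsep_resolv()`; the copy has to be refreshed whenever /etc/resolv.conf changes, which is the weakness of that fix compared with handing the resolver configuration to the child before chroot(). With nothing listening on :53 and net.inet.udp.blackhole=0, `probe_resolver()` returns 'refused' almost instantly, because the kernel answers the query with an ICMP port unreachable; with blackhole=1 that ICMP is never sent, so the same call returns 'timeout' after the full timeout, which is exactly the stall between SSH2_MSG_SERVICE_ACCEPT and authentication described above.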