Date: Fri, 28 Jun 2002 19:06:55 -0600 (MDT)
From: FreeBSD user <freebsd@XtremeDev.com>
To: questions@freebsd.org
Subject: OpenSSH 3.4p1_1 and reverse ip
Message-ID: <20020628190401.E7121-200000@Amber.XtremeDev.com>
[-- Attachment #1 --]

After installing OpenSSH 3.4p1_1-portable (overwriting the one in base with -DOPENSSH_OVERWRITE_BASE) and restarting it, /usr/sbin/sshd keeps taking ~3 to ~5 minutes trying to reverse/resolve connecting client IPs, even though I specifically told it not to in /etc/ssh/sshd_config. On top of which, the connecting IP IS reversible; I've checked with nslookup. Attached is my sshd_config. Another thing of note: I'm not using BIND, I'm using djbdns, both tinydns and dnscache, on the box running the sshd.

~> nslookup 192.168.1.2
Server:  ns.xtremedev.com
Address:  192.168.1.1

Name:    work.xtremedev.com
Address:  192.168.1.2

~> sudo /usr/sbin/sshd -d -d -d
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.1.2 port 2737
debug1: Client protocol version 2.0; client software version PuTTY-Release-0.52
debug1: no match: PuTTY-Release-0.52
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug2: Network child is on pid 16762
debug3: privsep user:group 22:22
debug3: preauth child monitor started
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,none
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,none
debug2: kex_parse_kexinit: none,zlib,none
debug2: kex_parse_kexinit: none,zlib,none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-sha1
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug2: monitor_read: 0 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: mm_request_receive entering
debug1: dh_gen_key: priv key bits set: 259/512
debug1: bits set: 994/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1062/2049
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 0x80a4c00(527)
debug3: mm_request_send entering: type 5
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: newkeys: mode 0
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Trying to reverse map address 192.168.1.2.
Could not reverse map address 192.168.1.2.

You can see from ^^^^^^ (when I connect from my internal machine at 192.168.1.2, work.xtremedev.com) it can't resolve this.

I have all my firewall rules turned off (pass all) and the name server running (djbdns). nslookup is able to resolve the IP. But for some reason sshd can't. I even explicitly told sshd not to reverse the IP in /etc/ssh/sshd_config:

VerifyReverseMapping no

Can anyone see what I've missed? The client is able to connect successfully after the elapsed time, it's just that horrid wait that the user has to endure. If it wasn't for the exploit, I would immediately backcvs to use the one that came with base rather than using the 3.4p1_1 port.

Thanks

[-- Attachment #2 --]

# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 4096

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 600
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
KeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
Compression yes

# After 10 unauthenticated connections, refuse 30% of the new ones, and
# refuse any more than 60 total.
MaxStartups 10:30:60

# no default banner path
#Banner /some/path

VerifyReverseMapping no
GatewayPorts yes

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
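The lookup sshd performs on each connecting address, reconstructed as an added Python example (not part of the post and not OpenSSH's code): sshd of this version always reverse-maps the client address through the libc resolver, and VerifyReverseMapping only governs the follow-up forward lookup that must return the same address. Both steps are timed separately so the one that stalls is visible; the resolver calls are injectable, and the offline demo uses constructed stub resolvers with the name and addresses from the post.

```python
import socket
import time


def check_reverse_mapping(ip, reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """Time the two steps sshd takes for a client address: a PTR lookup of ip via the
    libc resolver, then (VerifyReverseMapping) an A lookup of the returned name that
    must contain ip. Resolvers are injectable so the logic can run offline with stubs."""
    result = {"ip": ip, "name": None, "reverse_seconds": 0.0,
              "forward_seconds": 0.0, "verified": False, "error": None}
    t0 = time.monotonic()
    try:
        name = reverse(ip)[0]     # gethostbyaddr returns (name, aliases, addresses)
    except OSError as exc:        # socket.herror and socket.gaierror subclass OSError
        result["reverse_seconds"] = time.monotonic() - t0
        result["error"] = "reverse lookup failed: %s" % exc
        return result
    result["reverse_seconds"] = time.monotonic() - t0
    result["name"] = name
    t1 = time.monotonic()
    try:
        addrs = {info[4][0] for info in forward(name, None)}
    except OSError as exc:
        result["forward_seconds"] = time.monotonic() - t1
        result["error"] = "forward lookup of %s failed: %s" % (name, exc)
        return result
    result["forward_seconds"] = time.monotonic() - t1
    result["verified"] = ip in addrs
    if not result["verified"]:
        result["error"] = "%s resolves to %s, not back to %s" % (name, sorted(addrs), ip)
    return result


def demo_stub_resolvers():
    """Offline demo with constructed stub resolvers; name and addresses are from the post."""
    ip, host = "192.168.1.2", "work.xtremedev.com"
    def good_reverse(addr):
        return (host, [], [addr])
    def good_forward(name, port):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0))]
    def other_forward(name, port):       # constructed: name points at another address
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.168.1.3", 0))]
    def stalled_reverse(addr):           # constructed stand-in for a resolver timeout
        time.sleep(0.2)
        raise socket.herror(1, "Unknown host")
    return (check_reverse_mapping(ip, good_reverse, good_forward),
            check_reverse_mapping(ip, good_reverse, other_forward),
            check_reverse_mapping(ip, stalled_reverse, good_forward))
```

Calling check_reverse_mapping("192.168.1.2") with the default resolvers on a live box exercises the same libc path sshd uses; nslookup carries its own resolver and does not go through that path, so the two can disagree.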