From owner-freebsd-bugs Tue Aug 8 14: 0: 7 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 1BAF537B748 for ; Tue, 8 Aug 2000 14:00:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id OAA84172; Tue, 8 Aug 2000 14:00:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 79AFC37B540 for ; Tue, 8 Aug 2000 13:51:51 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: (from robert@localhost) by fledge.watson.org (8.9.3/8.9.3) id QAA43313; Tue, 8 Aug 2000 16:51:50 -0400 (EDT) (envelope-from robert)
Message-Id: <200008082051.QAA43313@fledge.watson.org>
Date: Tue, 8 Aug 2000 16:51:50 -0400 (EDT)
From: rwatson@freebsd.org
Reply-To: rwatson@freebsd.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/20488: SSH timeout of 60 seconds is too low for many environments
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 20488
>Category: bin
>Synopsis: sshd default 60 second authentication timeout too low
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 08 14:00:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Robert Watson
>Release: FreeBSD 4.1-STABLE i386
>Organization:
>Environment:
4.1-STABLE OpenSSH sshd laggy network with very slow DNS reverse lookups
>Description:
On slow networks, the default 60 second timeout for authentication can be too low to allow a connection to actually take place. Given that a lot has to happen in that 60 seconds, high latency or packet loss can prevent negotiation from reaching a useful point.
It is also the case that with a one-time password scheme with a trusted keying device, additional time is required to perform the authentication.
>How-To-Repeat:
DUMMYNET
>Fix:
Increase default timeout to 120 or more seconds.
>Release-Note:
>Audit-Trail:
>Unformatted: