Date: Fri, 31 Jan 2003 17:05:53 -0800
From: Michael Bryan <fbsd-secure@ursine.com>
To: Ralph Dratman <ralph@maxsoft.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <3E3B1D71.21CFBD42@ursine.com>
References: <v04210102ba60a5a98b9c@[192.168.1.27]>
Ralph Dratman wrote:
>
> Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
> every SSH client on every computer I've tried. My sshd setup had
> worked fine for several years until just yesterday. I am now getting
> "Timeout before authentication" errors in the system log. I can SSH
> normally to other hosts.
>
> On this host I am running FreeBSD 4.3.

There was a bug in older versions of OpenSSH, with symptoms exactly matching what you're seeing. For every connection, sshd would do a DNS lookup of the special krb5-realm domain. (It did this even if Kerberos support was disabled.) However, it would start out by looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine. Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com, then krb5-realm.com. If the nameservers set up to host krb5-realm.com stop responding to requests, then these DNS lookups take a long time, waiting to eventually time out.

The effect on a setup such as yours would be that things would -normally- work ok. But when those name servers for krb5-realm.com went out, long connection delays would be seen to the buggy SSH servers.

I'm not sure when the problem was fixed. (I thought maybe FreeBSD 4.3, but you're running 4.3, so maybe it was in 4.4?) But recent versions of FreeBSD have a better-behaved version of OpenSSH.

Also, general nameserver problems in your own network can cause this. Basically, anything that causes DNS lookups to time out (as opposed to return a success or failure code) will make the SSH login process take much longer. If you can trace the DNS packets generated by sshd, you should be able to see exactly what's causing the problem. (One way to trace them would be to point the ssh system to a BIND DNS server, and run "ndc trace on" to start logging all requests/responses on the dns server.)
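An added diagnostic script (not part of the thread or of OpenSSH) that reproduces the krb5-realm lookup walk Michael describes and times each lookup, so an admin can see which name hangs rather than failing fast. It assumes the walk starts at the host's own domain (krb5-realm.eng.example.com for a host in eng.example.com) and uses the libc resolver; the hostname in the usage block is constructed.

```python
import socket
import time
from typing import Callable, List, Tuple


def krb5_realm_candidates(fqdn: str) -> List[str]:
    """Names the old sshd probed for a host named fqdn, as the thread describes:
    krb5-realm.<host's domain>, then each parent, down to krb5-realm.<tld>.
    (Assumption: the walk starts at the host's domain, not the full hostname.)"""
    labels = [lab for lab in fqdn.strip(".").split(".") if lab]
    return ["krb5-realm." + ".".join(labels[i:]) for i in range(1, len(labels))]


def system_resolver(name: str) -> str:
    """Real lookup through the libc resolver. Raises socket.gaierror on NXDOMAIN
    or SERVFAIL; blocks for the resolver's whole retry/timeout budget when the
    authoritative servers never answer, which is the delay the thread is about."""
    return socket.gethostbyname(name)


def probe(names: List[str], resolver: Callable[[str], object] = system_resolver,
          slow_after: float = 2.0) -> List[Tuple[str, str, float]]:
    """Time each lookup. A fast answer and a fast failure are both harmless to
    sshd; a lookup that took at least slow_after seconds is flagged SLOW, since
    only lookups that hang (instead of returning a code) stretch the login."""
    results = []
    for name in names:
        start = time.monotonic()
        try:
            resolver(name)
            status = "answered"
        except OSError:  # socket.gaierror and socket.herror are subclasses
            status = "failed-fast"
        elapsed = time.monotonic() - start
        if elapsed >= slow_after:
            status = "SLOW"
        results.append((name, status, round(elapsed, 3)))
    return results


def slow_lookups(results: List[Tuple[str, str, float]]) -> List[str]:
    """Names whose lookup hung; a non-empty list points at the nameservers to check."""
    return [name for name, status, _ in results if status == "SLOW"]


def total_login_penalty(results: List[Tuple[str, str, float]]) -> float:
    """Seconds the lookups added to the connection, roughly what the user waits."""
    return round(sum(elapsed for _, _, elapsed in results), 3)


if __name__ == "__main__":
    # Constructed hostname; against a real resolver this prints one row per name.
    for row in probe(krb5_realm_candidates("www.eng.example.com")):
        print(row)
```

Run it on the affected host: a row marked SLOW for krb5-realm.com reproduces the thread's diagnosis, while SLOW rows for every name point at the host's own resolver configuration instead.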