From: Michael Bryan
Date: Fri, 31 Jan 2003 17:05:53 -0800
To: Ralph Dratman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <3E3B1D71.21CFBD42@ursine.com>

Ralph Dratman wrote:
>
> Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
> every SSH client on every computer I've tried. My sshd setup had
> worked fine for several years until just yesterday. I am now getting
> "Timeout before authentication" errors in the system log. I can SSH
> normally to other hosts.
>
> On this host I am running FreeBSD 4.3.

There was a bug in older versions of OpenSSH, with symptoms exactly
matching what you're seeing. For every connection, sshd would do a DNS
lookup of the special krb5-realm domain. (It did this even if Kerberos
support was disabled.) However, it would start out by looking for
krb5-realm.yoursubdomain.yourdomain.com, which is fine.
Then it would start stepping up the tree, checking for
krb5-realm.yourdomain.com, then krb5-realm.com. If the nameservers set up
to host krb5-realm.com stop responding to requests, then these DNS lookups
take a long time, waiting to eventually time out.

The effect on a setup such as yours would be that things would -normally-
work ok. But when those name servers for krb5-realm.com went out, long
connection delays would be seen to the buggy SSH servers.

I'm not sure when the problem was fixed. (I thought maybe FreeBSD 4.3,
but you're running 4.3, so maybe it was in 4.4?) But recent versions of
FreeBSD have a better-behaved version of OpenSSH.

Also, general nameserver problems in your own network can cause this.
Basically, anything that causes DNS lookups to time out (as opposed to
return a success or failure code) will make the SSH login process take
much longer.

If you can trace the DNS packets generated by sshd, you should be able
to see exactly what's causing the problem. (One way to trace them would
be to point the ssh system to a BIND DNS server, and run "ndc trace on"
to start logging all requests/responses on the DNS server.)
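
An added example, not part of the original message: a Python sketch that lists the krb5-realm names in the order the message describes and times each lookup, so a lookup that hangs can be told apart from one that fails quickly. The function names, the 2-second threshold and the constructed resolver are assumptions made for the example.

```python
import socket
import time

def devolved_names(label, domain):
    """label.<domain>, then one level up per step, ending at label.<tld>."""
    parts = domain.strip(".").split(".")
    return [".".join([label] + parts[i:]) for i in range(len(parts))]

def timed_lookup(name, resolver=socket.gethostbyname):
    """Return (answered, seconds). Resolver errors count as 'not answered'."""
    start = time.monotonic()
    try:
        resolver(name)
        answered = True
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        answered = False
    return answered, time.monotonic() - start

def survey(label, domain, resolver=socket.gethostbyname, slow_after=2.0):
    """Classify each candidate name: a quick answer or quick failure is
    harmless; a lookup that takes slow_after seconds or more is a stall."""
    report = []
    for name in devolved_names(label, domain):
        answered, elapsed = timed_lookup(name, resolver)
        if elapsed >= slow_after:
            verdict = "STALL"
        elif answered:
            verdict = "answer"
        else:
            verdict = "fast-fail"
        report.append((name, verdict, round(elapsed, 2)))
    return report

def constructed_resolver(name):
    """Constructed stand-in: one zone's servers are silent, the rest refuse fast."""
    if name == "krb5-realm.com":
        time.sleep(0.3)  # simulated resolver timeout, shortened for the demo
        raise socket.gaierror("constructed timeout")
    raise socket.gaierror("constructed NXDOMAIN")

if __name__ == "__main__":
    # Offline demo with the constructed resolver; drop the resolver and
    # slow_after arguments to time the system resolver instead.
    for row in survey("krb5-realm", "yoursubdomain.yourdomain.com",
                      constructed_resolver, slow_after=0.2):
        print(row)
```
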