From owner-freebsd-security Fri Jan 31 17:50:52 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0BA7637B401 for ; Fri, 31 Jan 2003 17:50:50 -0800 (PST)
Received: from bastet.rfc822.net (bastet.rfc822.net [64.81.113.233]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7978143F75 for ; Fri, 31 Jan 2003 17:50:49 -0800 (PST) (envelope-from pde@bastet.rfc822.net)
Received: by bastet.rfc822.net (Postfix, from userid 1001) id 9AA409F14B; Fri, 31 Jan 2003 19:51:29 -0600 (CST)
Date: Fri, 31 Jan 2003 19:51:29 -0600
From: Pete Ehlke
To: Michael Bryan
Cc: Ralph Dratman , freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <20030201015129.GA27949@rfc822.net>
References: <3E3B1D71.21CFBD42@ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3E3B1D71.21CFBD42@ursine.com>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Jan 31, 2003 at 05:05:53PM -0800, Michael Bryan wrote:
>
> Ralph Dratman wrote:
> >
> > Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
> > every SSH client on every computer I've tried. My sshd setup had
> > worked fine for several years until just yesterday. I am now getting
> > "Timeout before authentication" errors in the system log. I can SSH
> > normally to other hosts.
> >
> > On this host I am running FreeBSD 4.3.
>
> There was a bug in older versions of OpenSSH, with symptoms exactly
> matching what you're seeing. For every connection, sshd would do
> a DNS lookup of the special krb5-realm domain. (It did this even
> if Kerberos support was disabled.) However, it would start out by
> looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine.
> Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com,
> then krb5-realm.com. If the nameservers setup to host krb5-realm.com
> stop responding to requests, then these DNS lookups take a long time,
> waiting to eventually timeout.
>

Right. And the DNS for krb5-realm.com is, to put it politely, a mess.
ISTR seeing something about changes to krb5-realm.com on nanog a couple
of weeks ago. You may want to check the archives.

Or, y'know. Upgrade openssh ;)

-P.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
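The thread explains the failure as a chain of DNS lookups that walks up the domain tree and stalls at whichever level has unresponsive nameservers. The following diagnostic is an added example for this archive page, not code from the thread or from OpenSSH: it rebuilds the candidate names from a host name, resolves each one under a wall-clock budget in a throwaway thread, and reports which level is eating the time. The candidate list is modelled on Michael Bryan's description (an assumption about the real sshd logic), and a stdlib A-record lookup via `socket.gethostbyname` stands in for whatever record type sshd actually queried; `slow_realm_resolver` is a constructed stand-in that reproduces the "krb5-realm.com never answers" symptom offline.

```python
"""Time the krb5-realm.<suffix> lookup chain described in the thread and
show which level hangs. Added example; assumptions are marked below."""
import socket
import threading
import queue
import time

REALM_LABEL = "krb5-realm"


def krb5_realm_candidates(fqdn, label=REALM_LABEL):
    """Names in query order, most specific first, stopping at the TLD.
    Assumed to mirror the walk-up described in the thread:
    host.sub.example.com -> krb5-realm.sub.example.com,
                            krb5-realm.example.com, krb5-realm.com"""
    labels = [p for p in fqdn.strip(".").split(".") if p]
    return [label + "." + ".".join(labels[i:]) for i in range(1, len(labels))]


def timed_lookup(name, budget_s, resolver=socket.gethostbyname):
    """Run one lookup in a daemon thread so a hung resolver cannot block us.
    Returns (status, elapsed_s, detail); status is 'answer', 'error' or 'timeout'."""
    out = queue.Queue(maxsize=1)

    def worker():
        try:
            out.put(("answer", resolver(name)))
        except Exception as exc:  # socket.gaierror for NXDOMAIN/SERVFAIL etc.
            out.put(("error", str(exc)))

    start = time.monotonic()
    threading.Thread(target=worker, daemon=True).start()
    try:
        status, detail = out.get(timeout=budget_s)
    except queue.Empty:
        status, detail = "timeout", "no reply within budget"
    return status, round(time.monotonic() - start, 3), detail


def diagnose(fqdn, budget_s=5.0, resolver=socket.gethostbyname):
    """Resolve every candidate in order; return [(name, status, elapsed_s)].
    The sum of the elapsed values is the delay an old sshd would add per connection."""
    report = []
    for name in krb5_realm_candidates(fqdn):
        status, elapsed, _ = timed_lookup(name, budget_s, resolver)
        report.append((name, status, elapsed))
    return report


def worst_offender(report):
    """Candidate that took longest, or None for an empty report."""
    return max(report, key=lambda r: r[2])[0] if report else None


def slow_realm_resolver(name, hang_s=1.0):
    """Constructed stand-in for the failure in the thread: the servers for
    krb5-realm.com never answer, every other name fails immediately."""
    if name == "krb5-realm.com":
        time.sleep(hang_s)
    raise socket.gaierror("constructed: no such name")


def demo_report(budget_s=0.2):
    """Offline run against the constructed resolver (hypothetical host name)."""
    return diagnose("myhost.sub.example.com", budget_s, slow_realm_resolver)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real DNS for the host name given on the command line
        report = diagnose(sys.argv[1], budget_s=5.0)
    else:                  # no argument: show the constructed hang offline
        report = demo_report()
    for name, status, elapsed in report:
        print(f"{name:40} {status:8} {elapsed:7.3f}s")
    print("slowest level:", worst_offender(report))
```

Run with your server's FQDN as the argument to time the real chain with a five-second budget per name; run without arguments to see the shape of the output against the constructed resolver. A chain whose last level reports `timeout` on every connection, multiplied by the resolver's own retry schedule, is exactly the minutes-long authentication delay reported at the top of the thread.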