Date: Fri, 31 Jan 2003 19:51:29 -0600
From: Pete Ehlke <pde@rfc822.net>
To: Michael Bryan <fbsd-secure@ursine.com>
Cc: Ralph Dratman <ralph@maxsoft.com>, freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <20030201015129.GA27949@rfc822.net>
In-Reply-To: <3E3B1D71.21CFBD42@ursine.com>
References: <v04210102ba60a5a98b9c@[192.168.1.27]> <3E3B1D71.21CFBD42@ursine.com>

On Fri, Jan 31, 2003 at 05:05:53PM -0800, Michael Bryan wrote:
>
> Ralph Dratman wrote:
> >
> > Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
> > every SSH client on every computer I've tried. My sshd setup had
> > worked fine for several years until just yesterday. I am now getting
> > "Timeout before authentication" errors in the system log. I can SSH
> > normally to other hosts.
> >
> > On this host I am running FreeBSD 4.3.
>
> There was a bug in older versions of OpenSSH, with symptoms exactly
> matching what you're seeing. For every connection, sshd would do
> a DNS lookup of the special krb5-realm domain. (It did this even
> if Kerberos support was disabled.) However, it would start out by
> looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine.
> Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com,
> then krb5-realm.com. If the nameservers set up to host krb5-realm.com
> stop responding to requests, then these DNS lookups take a long time,
> waiting to eventually time out.
>

Right. And the DNS for krb5-realm.com is, to put it politely, a mess.
ISTR seeing something about changes to krb5-realm.com on nanog a couple
of weeks ago. You may want to check the archives.

Or, y'know. Upgrade openssh ;)

-P.