Date:      Sat, 13 Mar 2004 13:17:05 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Sameer <ssheikh2000@hotmail.com>
Cc:        questions@freebsd.org
Subject:   Re: it takes a long long long time to time-out a login attempt
Message-ID:  <20040313131705.GE98015@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <BAY2-DAV64e0NdTET4Q0002791e@hotmail.com>
References:  <BAY2-DAV64e0NdTET4Q0002791e@hotmail.com>



On Sat, Mar 13, 2004 at 04:21:58AM -0800, Sameer wrote:
> I'm trying to ssh into my FreeBSD (5.2.1-release sparc version) box from my
> desktop, however, it'll take a few seconds for the "login as" prompt to
> appear.  I enter the user name and hit enter.  The login attempt then sits
> there for about 90 seconds w/o asking for the password, then the connection
> times out.
> 
> Any ideas what's causing this?  Do I need to put the workstation's
> information into the hosts file or something?
> 
> The funny thing is that when I ssh from another server that's on the same
> VLAN as the FreeBSD box (I should mention that the workstation is on a
> different VLAN) the login process happens immediately.

Sounds like classic DNS timeout problems.  When you ssh into a box, it
will look up the IP number you're coming from in the DNS, and then
look up the hostname it derives from that to make sure that the IP
number appears as listed for that address.  This is a measure to
prevent people spoofing some other hostname and so getting increased
access.

The problem is not so much that there isn't a record for the machine
you're coming from accessible to the target machine, but that the
attempt to look up the address/IP numbers never returns any (even an
error) response.  That forces the resolver on the target machine to
wait for the full DNS timeout period (30s per server), which feels a
lot longer than it sounds.

If your target machine is unable to access the Internet root servers
you'll see this sort of effect.  The answer is to generate your own
root zone on the servers on your intranet -- the 'DNS and BIND' book
by Albitz and Liu will explain how to do that, and there are no doubt
many HOWTOs you can Google for.  Given this fake root zone, your
servers should return an NXDomain error within milliseconds for any
address they don't have any record of.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
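The lookup sequence described in the reply (PTR for the client address, forward lookup of the returned name, then a check that the address is among the results) written out as an added diagnostic script; this is not code from the thread. Each step is time-boxed so a resolver that never answers shows up as a hang instead of a silent wait; the resolver functions are injectable, and the stand-ins at the bottom are constructed so the script runs offline (omit them to use the system resolver).

```python
import socket
import threading
import time

def ptr_name(ipv4):
    """in-addr.arpa name the resolver queries for the PTR record of ipv4."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def timed_lookup(func, arg, timeout):
    """Run func(arg) in a daemon thread; return (answer|negative|timeout, result, seconds)."""
    box = {}
    def run():
        try:
            box["ok"] = func(arg)
        except OSError as exc:  # socket.herror / gaierror: a fast negative reply
            box["err"] = exc
    worker = threading.Thread(target=run, daemon=True)
    start = time.monotonic()
    worker.start()
    worker.join(timeout)  # give up after the budget instead of waiting on the resolver
    elapsed = time.monotonic() - start
    if worker.is_alive():
        return "timeout", None, elapsed
    if "err" in box:
        return "negative", None, elapsed
    return "answer", box["ok"], elapsed

def check_client(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex, timeout=5.0):
    """PTR lookup, A lookup of that name, confirm ip is in the answer; each step time-boxed."""
    report = {"ip": ip, "ptr_name": ptr_name(ip)}
    outcome, res, report["reverse_seconds"] = timed_lookup(reverse, ip, timeout)
    if outcome != "answer":
        report["verdict"] = "no-hostname" if outcome == "negative" else "resolver-hang"
        return report
    report["hostname"] = res[0]
    outcome, res, report["forward_seconds"] = timed_lookup(forward, res[0], timeout)
    if outcome != "answer":
        report["verdict"] = "forward-" + outcome
        return report
    report["verdict"] = "confirmed" if ip in res[2] else "mismatch"
    return report

# Constructed stand-in resolvers so the demo runs offline (not real DNS data).
def rev_answer(ip): return ("workstation.example.test", [], [ip])
def fwd_answer(name): return (name, [], ["192.0.2.10"])
def rev_negative(ip): raise socket.herror(1, "Unknown host")  # fast NXDOMAIN-style reply
def rev_hang(ip): time.sleep(0.5); return rev_answer(ip)      # server that never replies in time
```

A "resolver-hang" verdict with reverse_seconds equal to the budget is the symptom in this thread; a "no-hostname" verdict returning in milliseconds is what a local root zone (or any server that answers NXDOMAIN) produces.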



