DaemonForums, FreeBSD Ports and Packages (installation and upgrading of ports and packages on FreeBSD)

sshd delayed response on FBSD 8.1

#1, 4th April 2011
Mantazz (Shell Scout; joined Oct 2008)

I run the openssh daemon on my FBSD 8.1-release system, and ever since I got this one going I've noticed a very annoying delay in the time it takes sshd to respond to a login request.

For example, if I am logging in to my home system from work, I run
Code:
ssh mylogin@mydomain.com
to log in, and it may take up to 45 seconds or more before I get a prompt for a password. Response times are more than adequate once I am logged in, but the delay is rather irritating. The delay becomes even more aggravating when I am using scp to copy files around and have to wait it out for each separate transfer job.

I previously had a 6.2-release system running at my home, with the same networking hardware between it and the outside world, without this delay. Upload and download speeds are where I would expect for the connection I pay for at home. The delay is pretty constant with regard to both the time of day and the geographical distance between me and home when I am trying to log in.

Any ideas on how to reduce the delay? The system is not going to sleep; if I am already logged in from my workstation at work with something running, and then I log in again from the same workstation in another window, I get the same delay. I haven't seen anything in the sshd configuration file that seems to refer to this.

#2, 4th April 2011
J65nko (Administrator; Budel, the Netherlands; joined May 2008)

The server you are ssh'ing/logging on to is trying to do a double reverse name lookup of your workstation's IP address. This, however, fails, and that is causing the delay.

The easiest way is to add the IP address and the name of your workstation to the "/etc/hosts" file of the server.
Real pros configure a local nameserver. Only the cowards set "UseDNS" to "no" in the sshd.conf of the server.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump


#3, 5th April 2011
J65nko (Administrator)

The following commented tcpdump output illustrates these name lookups.

Legend
Code:
192.168.222.20  : hercules.utp.xnet, the workstation
192.168.222.244 : vintrax.utp.xnet, the server
192.168.222.10  : parmenides.utp.xnet, the local nameserver for the
                  private utp.xnet domain
An ssh TCP connection has been set up. hercules uses source port 15021 to connect to vintrax on port 22:

Code:
21:02:55.432719 192.168.222.20.15021 > 192.168.222.244.22:
 P 1102:1166(64) ack 1726 win 16384 <nop,nop,timestamp 519684114 2254674010> (DF)
vintrax now fires off a reverse name lookup (a PTR query) for 192.168.222.20.
Note the reversal of the IP address and the addition of the "in-addr.arpa" domain.

Here, as in the ssh connection, the source port is a randomly chosen port >1023 and the destination port is the standard service port, here DNS and thus port 53.

Code:
21:02:55.433758 192.168.222.244.19667 > 192.168.222.10.53:
 55256+ PTR? 20.222.168.192.in-addr.arpa. (45)
The answer of the local nameserver : "192.168.222.20 is hercules.utp.xnet"

Code:
21:02:55.434535 192.168.222.10.53 > 192.168.222.244.19667:
 55256 1/0/0 PTR hercules.utp.xnet. (76)
The server is still not satisfied. A little bit of paranoia is part of a healthy security awareness.
So it issues another lookup, but now a normal lookup, name to IP address.
In DNS terminology, it asks for the A record:

Code:
21:02:55.434911 192.168.222.244.33933 > 192.168.222.10.53:
 64914+ A? hercules.utp.xnet. (35)
The answer of the local nameserver:

Code:
21:02:55.435436 192.168.222.10.53 > 192.168.222.244.33933:
 64914 1/0/0 A 192.168.222.20 (51)
And then the ssh session continues ....

Code:
21:02:55.437138 192.168.222.244.22 > 192.168.222.20.15021:
   P 1726:1806(80) ack 1166 win 33304 <nop,nop,timestamp 2254674010 519684114> (DF)
21:02:55.437382 192.168.222.20.15021 > 192.168.222.244.22:
   P 1166:1694(528) ack 1806 win 16384 <nop,nop,timestamp 519684114 2254674010> (DF)
The server is doing what is called a double reverse name lookup.
The first is the lookup IP -> name, the second one a name -> IP lookup.
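The double reverse lookup described in posts #2 and #3, as an added example that is not part of the thread and not OpenSSH's code. The names FakeResolver, LookupTimeout and confirmed_hostname are invented for this example; the resolver is an in-memory table filled with the constructed utp.xnet hosts from the legend, so it runs offline. It also covers the three ways the check can fail (no PTR, forward answer that does not contain the address, nameserver that never answers), which the tcpdump above, being the happy path, does not show.

```python
"""Forward-confirmed reverse DNS, the "double reverse lookup" seen in the tcpdump.

Added example; this is not OpenSSH's code.  In sshd the same two steps are a
getnameinfo() call followed by a getaddrinfo() call on the returned name.
"""
from dataclasses import dataclass, field


class LookupTimeout(Exception):
    """The nameserver never answered; the caller blocked until the resolver gave up."""


def reverse_name(ip: str) -> str:
    """Build the PTR owner name for an IPv4 address: 192.168.222.20 -> 20.222.168.192.in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


@dataclass
class FakeResolver:
    """Stand-in for the system resolver (assumption: answers come from these tables)."""
    ptr: dict = field(default_factory=dict)      # address -> name
    a: dict = field(default_factory=dict)        # name -> list of addresses
    unreachable: bool = False                    # simulate a nameserver that never answers
    queries: list = field(default_factory=list)  # what sshd would have put on the wire

    def lookup_ptr(self, ip: str):
        self.queries.append(("PTR", reverse_name(ip)))
        if self.unreachable:
            raise LookupTimeout(ip)
        return self.ptr.get(ip)

    def lookup_a(self, name: str):
        self.queries.append(("A", name))
        if self.unreachable:
            raise LookupTimeout(name)
        return self.a.get(name, [])


def confirmed_hostname(ip: str, resolver) -> tuple:
    """Return (name_to_record, status).

    Mirrors what sshd does with UseDNS enabled: PTR first, then an A lookup of the
    answer, and the name is only trusted if the original address is among the A
    records.  On any failure the bare address is used instead.
    """
    try:
        name = resolver.lookup_ptr(ip)
    except LookupTimeout:
        return ip, "timeout"          # the slow path: every new connection blocks here
    if name is None:
        return ip, "no-ptr"
    try:
        addrs = resolver.lookup_a(name)
    except LookupTimeout:
        return ip, "timeout"
    if ip not in addrs:
        # what sshd reports as "maps to ..., but this does not map back to the address"
        return ip, "mismatch"
    return name, "ok"


def demo() -> dict:
    """Run the check against four constructed situations and return the outcomes."""
    # 1. Working local nameserver, as in the tcpdump: both lookups succeed and agree.
    good = FakeResolver(ptr={"192.168.222.20": "hercules.utp.xnet"},
                        a={"hercules.utp.xnet": ["192.168.222.20"]})
    # 2. PTR exists but the name resolves elsewhere (constructed address).
    mismatch = FakeResolver(ptr={"192.168.222.20": "hercules.utp.xnet"},
                            a={"hercules.utp.xnet": ["192.168.222.99"]})
    # 3. No PTR record at all.
    noptr = FakeResolver()
    # 4. Nameserver unreachable: the lookup blocks until the resolver times out.
    dead = FakeResolver(unreachable=True)
    return {
        "good": confirmed_hostname("192.168.222.20", good),
        "good_queries": good.queries,
        "mismatch": confirmed_hostname("192.168.222.20", mismatch),
        "noptr": confirmed_hostname("192.168.222.20", noptr),
        "dead": confirmed_hostname("192.168.222.20", dead),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

The slow path is the fourth case: sshd sits in the PTR lookup until the resolver has exhausted its retries, and it pays that wait again for every new connection, which is why each scp job in post #1 stalls separately. Two checks worth doing on the server before changing sshd: confirm that /etc/nsswitch.conf lists files before dns on the hosts line (otherwise the /etc/hosts entry suggested in post #2 is never consulted for this lookup), and run tcpdump -ni <interface> udp port 53 during a login to see whether the PTR query leaves the machine and whether anything answers it. The setting post #2 refers to lives in /etc/ssh/sshd_config; with UseDNS no the lookup is skipped entirely, and the cost is that hostnames in authorized_keys from= options and in sshd_config Match Host blocks no longer match, only addresses do.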

#4, 15th April 2011
Carpetsmoker (Real name: Martin; Eindhoven, Netherlands; joined Apr 2008)

And to further explain, here is why sshd does this:

Code:
[/var/log/auth]# grep POSSIBLE /var/log/auth/auth.log | head
Apr 15 01:30:07 cthulhu sshd[74815]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:30:11 cthulhu sshd[74862]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:30:15 cthulhu sshd[74889]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:30:50 cthulhu sshd[74958]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:30:56 cthulhu sshd[75000]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:31:00 cthulhu sshd[75002]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:31:23 cthulhu sshd[75077]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:31:25 cthulhu sshd[75131]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:31:51 cthulhu sshd[75173]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:32:05 cthulhu sshd[75261]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
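Detection logic for the log lines in post #4, as an added example that is not part of the thread. The message itself only says that the PTR answer for the address does not resolve back to it, which is routine for ISP dynamic pools, so the example treats it as a count of connection attempts per source rather than as evidence of a break-in; in practice it should be correlated with sshd's "Failed password" and "Invalid user" lines. The sample log is a constructed subset of the excerpt above plus one made-up unrelated line, the year is assumed (syslog timestamps carry none), and the names parse_line, summarize and bursty_sources are invented here. The pattern also accepts the same message without the "POSSIBLE BREAK-IN ATTEMPT!" suffix, which later OpenSSH releases removed.

```python
"""Pick the reverse-DNS mismatch lines out of sshd's auth.log and summarise them by source.

Added example, not from the original post.  SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

MISMATCH_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Address (?P<ip>\S+) maps to (?P<name>\S+), but this does not map back to the address"
    r"(?: - POSSIBLE BREAK-IN ATTEMPT!)?\.?$"
)

# Constructed sample: five of the lines from the post plus one unrelated login line.
SAMPLE_LOG = """\
Apr 15 01:30:07 cthulhu sshd[74815]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:30:11 cthulhu sshd[74862]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:30:15 cthulhu sshd[74889]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:30:50 cthulhu sshd[74958]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 01:31:02 cthulhu sshd[74990]: Accepted publickey for alice from 192.168.222.20 port 15021 ssh2
Apr 15 01:32:05 cthulhu sshd[75261]: Address 190.77.95.141 maps to 190-77-95-141.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
"""


def parse_line(line: str, year: int = 2011):
    """Return a dict for a mismatch line, or None for anything else."""
    m = MISMATCH_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # strptime treats a space in the format as "one or more whitespace", so the
    # syslog "Apr  5" padding for single-digit days parses as well.
    when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return {"when": when, "host": m["host"], "pid": int(m["pid"]),
            "ip": m["ip"], "name": m["name"]}


def summarize(lines, year: int = 2011) -> dict:
    """Per source address: how many mismatch lines, which names, first and last time."""
    per_ip = defaultdict(lambda: {"count": 0, "names": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        s["count"] += 1
        s["names"].add(ev["name"])
        s["first"] = ev["when"] if s["first"] is None else min(s["first"], ev["when"])
        s["last"] = ev["when"] if s["last"] is None else max(s["last"], ev["when"])
    return dict(per_ip)


def bursty_sources(summary: dict, min_events: int = 5, window_seconds: int = 300) -> list:
    """Addresses that produced at least min_events mismatch lines within window_seconds."""
    flagged = []
    for ip, s in summary.items():
        span = (s["last"] - s["first"]).total_seconds()
        if s["count"] >= min_events and span <= window_seconds:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, s in summary.items():
        print(ip, s["count"], sorted(s["names"]), s["first"], s["last"])
    print("bursty:", bursty_sources(summary))
```

Run it against a real file with summarize(open("/var/log/auth.log")) and tune min_events and window_seconds to the host; on the sample the single source trips the default threshold with five lines inside two minutes.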

#5, 18th October 2011
Mantazz (Shell Scout)

I know it's been a long time since I brought this up, and I thank those who responded. At this point I sheepishly admit I was unable to solve the problem even with the advice provided, and now I am looking to solve it (beyond changing "UseDNS" to "no").

In the case of my workstation at work, for example, I added the IP address to /etc/hosts and I still have obnoxiously slow lag while the system fails to pull off the lookup. If I am logged in, and I run 'who' I get the IP address returned; though running 'w' returns the host name specified in /etc/hosts.

What am I forgetting to check?

I have also found that if I go from my FBSD system to the same FBSD system (via the external IP address or the domain name I use for it), I get the same lag. It appears that my system is not able to successfully look up its own IP address (which presumably should work out to an address from my ISP).