Working out a OS X 10.4 Tiger ssh implementation issue, slow logins

From: caca (newgeo_at_gmail.com)
Date: 06/05/05

  • Next message: Richard E. Silverman: "Re: Working out a OS X 10.4 Tiger ssh implementation issue, slow logins"
    Date: 4 Jun 2005 18:43:12 -0700
    
    

    This is making the rounds, and I would like to work it out and see what
    potential solutions there are out there. I just updated to Mac OS X
    10.4:
    ssh -V
    OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003

    There are scattered reports, and various solutions to an issue where
    ssh logins take in excess of 30 seconds to instantiate a connection to
    a remote host. There are various workarounds, but there is no
    consensus.

    What I know about the issue so far is that it is somewhat limited in
    the scope in which it occurs. When it does occur, it seems to be in
    routed environments.

    In my case I use keys to login, but even without them, the problem
    still takes upwards of 30 seconds to get to a password prompt.

    ssh -vvv user@machine.host.com
    Everything is pretty normal up to this debug line:

    debug3: Trying to reverse map address ip.add.re.ss.

    That's the point at which the stall happens, there also seems to be
    some delay as well at this point:

    debug1: Next authentication method: gssapi

    My connection is me sitting on a comcast line, with a linksys router
    in-between me and the internet. I am allowing comcast to send me DHCP
    DNS servers.

    If I change to my own recursive resolver, the problem does go away.
    However, this was not needed in 10.2 or 10.3 OS X. So in some ways, it
    does seem to be DNS related, but I am not sure just exactly where.

    I am just barely able to consider myself an admin :-) so bear with me,
    I start up a ssh connection and let tcpdump take a look at what it
    going on. The entire ssh transaction made a total of 139 lines in
    tcpdump, almost all of them being DNS requests. It is doing a lot of
    really brain dead stuff like:
    100.1.168.192.in-addr.arpa
    There are tons of NXDOMAIN for many of the comcast NS's
    I see:
    ns5.attbi.com.domain: 15486+ PTR? 68.227.148.216.in-addr.arpa
    And I have no idea why it looks that up, it's not the inverse of the
    remote host I am trying to get at.

    Basically, the resolver is running through
    ns[1-5].attbi.com.domain, and that just takes time to talk to all
    five.

    The number of times it tries to reverse map my LAN address
    192.168.1.xxx is just weird as well.

    I don't want to use my own recursive resolver, as I use the comcast
    line as a good way to test DNS propagation and such, not to mention,
    with this such a hot topic on the Apple message boards, there needs to
    be a solution, not everyone is running DNS of their own. My DNS is
    pretty burdened with DNSBL lookups anyway.

    Some people have found success with recompiling openSSH, others have
    made entries into /etc/hosts, and some have had no success with either.

    Nothing about my network has changed, just the OS, so I am wondering
    what Apple did to ssh in Tiger, or is 3.8.1p1 just known problematic?

    Could this at all be related to the ipv6 issues OS X has, and as far as
    I know, still has, as a bug somewhere in the BSD kernel?

    If building new fixes this, what exactly does that entail, is it just
    one binary that could be put out for the benefit of others?

    If there are any tests you need from me, I am happy to work on them, I
    would love to get back to being able to ssh in while on the phone and
    not have the customers wait 45 seconds for me to figure something out.

    -- 
    Scott
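An added example, not part of Scott's post or of OpenSSH itself, showing one way to pin down where a slow login spends its time: timestamp each `ssh -vvv` line as it arrives and report the gaps, classifying the two pause points named in the post (the reverse-map lookup and the gssapi step). The capture format, the timing wrapper and the sample lines are assumptions (constructed).

```python
"""Locate where an `ssh -vvv` session stalls.
Added example, not from the original post. Assumes each debug line was
captured as "<epoch-seconds> <ssh debug text>", e.g. by piping
`ssh -vvv user@host 2>&1` through a loop that prefixes `date +%s`.
"""
import re

# Debug lines after which a long pause points at a specific cause.
STALL_HINTS = {
    re.compile(r"Trying to reverse map address"): "reverse DNS (PTR) lookup",
    re.compile(r"Next authentication method: gssapi"): "GSSAPI/Kerberos negotiation",
}
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(.*)$")

def find_stalls(lines, threshold=2.0):
    """Return (gap_seconds, line_before_gap, likely_cause) for gaps >= threshold."""
    parsed = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            parsed.append((float(m.group(1)), m.group(2)))
    stalls = []
    for (t0, text), (t1, _) in zip(parsed, parsed[1:]):
        gap = t1 - t0
        if gap < threshold:
            continue
        cause = "unclassified"
        for pat, label in STALL_HINTS.items():
            if pat.search(text):
                cause = label
                break
        stalls.append((gap, text, cause))
    return stalls

# Constructed sample capture mirroring the pauses described in the post.
SAMPLE = """\
1117924800 debug1: Connecting to machine.host.com [203.0.113.10] port 22.
1117924800 debug1: Connection established.
1117924801 debug3: Trying to reverse map address 203.0.113.10.
1117924833 debug1: SSH2_MSG_KEXINIT sent
1117924834 debug1: Next authentication method: gssapi
1117924845 debug1: Next authentication method: publickey
1117924846 debug1: Authentication succeeded (publickey).
"""

if __name__ == "__main__":
    for gap, line, cause in find_stalls(SAMPLE.splitlines()):
        print(f"{gap:5.1f}s after '{line}' -> {cause}")
```

Running it against a real capture shows whether the time is lost before key exchange (resolver) or during authentication (GSSAPI), which is the distinction needed before trying any of the workarounds mentioned in the thread.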
    
