Re: Working out an OS X 10.4 Tiger ssh implementation issue, slow logins

From: Richard E. Silverman (res_at_qoxp.net)
Date: 06/05/05

Date: 04 Jun 2005 23:08:38 -0400


    > In my case I use keys to login, but even without them, the problem
    > still takes upwards of 30 seconds to get to a password prompt.
    >
    > ssh -vvv user@machine.host.com
    > Everything is pretty normal up to this debug line:
    >
    > debug3: Trying to reverse map address ip.add.re.ss.
    >
    > That's the point at which the stall happens,

    Some background: the Apple version of OpenSSH is not just a compile or
    port of the OpenSSH release; it has code added to it. In this case, it is
    the ability to use Kerberos for host authentication, via various GSS key
    exchange mechanisms (you can find the same code in Debian ssh-krb5). In
    order to construct a ticket request for the SSH server, the client has to
    find the canonical name of the server host; that's what's happening here
    as it does a reverse lookup of the server's address. Unfortunately, this
    can't be turned off, for two reasons. First, OpenSSH does not provide a
    configuration option to set the list of key exchange mechanisms the client
    will use (note that Tectia does provide this option). Second, the GSS key
    exchange code unconditionally uses DNS:

    --- [kexgssc.c] ----------------------------------------

    kexgss_client(Kex *kex)
    {
    ...

            if (ssh_gssapi_import_name(ctxt,get_canonical_hostname(1))) {
                    fatal("Couldn't import hostname ");
            }
    ...
    --------------------------------------------------------

    The "1" there is the culprit; it's the "use DNS" flag. It would be
    useful to have a UseDNS client-side flag as well as for the server, which
    in this case would have this code simply try the user-supplied hostname
    for the ticket request instead of going to the DNS. But, OpenSSH doesn't
    have this option either.

    There are other usages of DNS as well -- for example, by default the
    client will try to find the Kerberos context for the server via the DNS
    (realm name & KDC's). You can prevent that part with:

    --- [/etc/krb5.conf] -----------------------------------

    [libdefaults]

    dns_fallback = false

    --------------------------------------------------------

    If you recompile with GSSAPI=0, it will remove all Kerberos support and
    prevent this problem.

    Now, I hasten to add that these are all hacks; the real problem here is
    your DNS, not OpenSSH or Kerberos. Any query to the DNS should provide an
    answer (positive or negative) reasonably quickly. Alas, the world is full
    of idiots and nameservers are frequently woefully misconfigured. To know
    what's going on, we'd have to see all of your tcpdump output.

    > there also seems to be
    > some delay as well at this point:
    >
    > debug1: Next authentication method: gssapi

    This is the use of Kerberos for user authentication, rather than server.
    That *is* configurable, e.g.:

    --- [~/.ssh/config] ------------------------------------

    host *
      PreferredAuthentications publickey,password

    --------------------------------------------------------

    The default list includes gssapi(-with-mic).

    > It is doing a lot of really brain dead stuff like:
    > 100.1.168.192.in-addr.arpa

    There is nothing "brain-dead" about this.

    -- 
      Richard Silverman
      res@qoxp.net
    
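The post points at two separate stalls in the client (the reverse lookup during GSS key exchange, and the gssapi user-authentication attempt) and at different knobs for each. The script below is an added example, not code from Silverman's reply or from OpenSSH: it timestamps each line of `ssh -vvv` output, reports every debug line after which the client sat idle for longer than a threshold, and maps the two stall sites named in the post to the fixes the post gives. The log it analyses at the bottom is constructed (the timestamps, the 192.168.1.100 address taken from the quoted PTR name, and the surrounding debug lines are illustrative), and the 2-second threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not part of the original post): locate where an
# "ssh -vvv" session stalls and map the stall to the knob the post names.
#
# Real use against a host (not run here):
#   ssh -vvv user@machine.host.com 2>&1 </dev/null | timestamp_lines > ssh.log
#   suggest_fix ssh.log 2          # report idle gaps of 2 s or more

# Prefix each line of stdin with epoch seconds (date +%s is POSIX; GNU
# date's %N would give sub-second resolution if you need it).
timestamp_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s)" "$line"
    done
}

# report_stalls FILE THRESHOLD: print "GAP <n>s after: <line>" for every
# line whose successor arrived THRESHOLD seconds or more later.
report_stalls() {
    awk -v thr="$2" '
        {
            t = $1; sub(/^[0-9.]+ /, "")          # strip the timestamp column
            if (NR > 1 && t - prev_t >= thr)
                printf "GAP %ds after: %s\n", t - prev_t, prev_line
            prev_t = t; prev_line = $0
        }' "$1"
}

# suggest_fix FILE THRESHOLD: explain each gap using the post's analysis.
suggest_fix() {
    report_stalls "$1" "$2" | while IFS= read -r gap; do
        case "$gap" in
            *"Trying to reverse map address"*)
                echo "reverse-map stall (GSS key exchange): fix the resolver/PTR zone;" \
                     "the lookup itself cannot be disabled, dns_fallback = false in" \
                     "krb5.conf only covers realm/KDC discovery, or rebuild with GSSAPI=0" ;;
            *"Next authentication method: gssapi"*)
                echo "gssapi user-auth stall: set 'PreferredAuthentications" \
                     "publickey,password' in ~/.ssh/config" ;;
            *)
                echo "unexplained stall: $gap" ;;
        esac
    done
}

# Constructed sample: a 32 s pause after the reverse map and a 12 s pause
# in the gssapi authentication attempt, as the original poster described.
sample_log() {
    cat <<'EOF'
1117940918 debug1: Connecting to machine.host.com [192.168.1.100] port 22.
1117940918 debug1: Connection established.
1117940918 debug1: SSH2_MSG_KEXINIT sent
1117940918 debug1: SSH2_MSG_KEXINIT received
1117940918 debug3: Trying to reverse map address 192.168.1.100.
1117940950 debug1: SSH2_MSG_NEWKEYS sent
1117940950 debug1: Next authentication method: gssapi
1117940962 debug1: Next authentication method: publickey
1117940962 debug1: Authentication succeeded (publickey).
EOF
}

# Demo on the constructed log; with a real host, feed ssh -vvv through
# timestamp_lines instead of sample_log.
demo() {
    f=$(mktemp)
    sample_log > "$f"
    suggest_fix "$f" 2
    rm -f "$f"
}
demo
```

Once you know which line the gap follows, `tcpdump -n port 53` during the stall (as the post suggests) shows whether the PTR query is going unanswered, timing out against a dead resolver, or being retried against several servers.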
