bin/62139: User cannot login through telnet or ssh because of
reverse resolving delay
rosti_bsd at yahoo.com
Wed Sep 1 09:25:26 PDT 2004
--- Yar Tikhiy <yar at FreeBSD.org> wrote:
> Synopsis: User cannot login through telnet or ssh because of reverse
> resolving delay
> State-Changed-From-To: open->feedback
> State-Changed-By: yar
> State-Changed-When: Mon Aug 30 13:19:01 GMT 2004
> To my mind, this is a host configuration issue. First, you
> may list multiple nameservers in your resolv.conf so that
> should one of them fail, the others will still respond to
> queries. Second, the resolver timeout and attempts may be
> set to a lower value (see resolver(5) for details) if your
> network can suffer from all its nameservers being unavailable.
> Please also note that some ways of ssh authentication may
> rely on a name service being available.
I think that resolver(3) is buggy. Consider the tests described below,
which I've done.
> uname -a
FreeBSD localhost 5.3-BETA2 FreeBSD 5.3-BETA2 #1: Sat Aug 28 21:29:15
UTC 2004 root at mack.dcsl.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
I changed the /etc/resolv.conf file so that it had only the following line:
Then I ran the one-line command 'date ; ping yahoo.com ; date' four
times. This way I measured the time between when 'ping yahoo.com' started
and when it failed. The results are:
Why did it take so long with the default "options" settings?
According to man sshd_config:
The server disconnects after this time if the user has not
successfully logged in. If the value is 0, there is no time
The default is 120 seconds.
So it is not surprising that my attempts to connect to this box from
another one by ssh failed with the following sshd error:
Aug 31 00:18:06 localhost sshd: fatal: Timeout before
authentication for 192.168.1.1
The workaround for this problem was setting 'UseDNS no' in the
/etc/ssh/sshd_config file. But I still don't know the workaround for
the same problem with ftpd (enabled in /etc/inetd.conf).
Then I ran 'tcpdump -nvi ed1' in a second pseudo-terminal and counted the
number of "A? yahoo.com" requests during a run of the above 'ping
yahoo.com'. With the default "options" settings my box sends 8 "A?
yahoo.com" requests to one DNS before 'ping yahoo.com' fails. Why
are there so many requests to one non-working DNS?
Finally I added a custom "options" settings line to /etc/resolv.conf
With this option my box sends 2 "A? yahoo.com" requests. With
'attempts:2' it sends 4 requests, with 'attempts:3' it sends 6
requests, with 'attempts:5' it sends 10 requests... and so on. Why is
the number of actual requests double the defined number?
What is the default value of the 'attempts' option? The resolver(5) man
page states that the default value is defined by RES_DFLRETRY in
<resolv.h>. But there is no RES_DFLRETRY in the /usr/include/resolv.h file.
In other systems RES_DFLRETRY is defined as 2.
IMHO the default value of the 'attempts' option should be 2, and it must
not be doubled. With the default value of the 'timeout' option (5 seconds)
it should take no more than 10 seconds to decide whether one DNS is
unreachable or not.
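As an added example (not part of the original report and not FreeBSD's own code), the script below does what the reporter did by hand and turns it into a check: it parses the resolv.conf 'nameserver' and 'options timeout:/attempts:' lines, counts the "A? yahoo.com" requests in tcpdump output, compares observed against expected queries to expose the doubling, and estimates how long a lookup against dead nameservers can stall a login relative to sshd's 120-second LoginGraceTime. Assumptions: the stall bound is the simple attempts x timeout per nameserver arithmetic the report itself uses, not the exact retry schedule of resolver(3); the default 'attempts' value is supplied by the caller because the report disputes what FreeBSD uses (its figures, 2N queries for attempts:N and 8 with no options line, behave like attempts:4, which is an inference from the report, not a documented value); the resolv.conf text and tcpdump lines are constructed samples.

```python
"""Estimate how long a blocking name lookup can stall a login when the
nameservers in resolv.conf are unreachable, and compare the number of
queries that actually left the box against what resolv.conf predicts.

Added example for this thread. The arithmetic is the simple
attempts * timeout per nameserver bound used in the report, not the
exact retry schedule of FreeBSD's resolver(3).
"""
import re

RES_TIMEOUT_DEFAULT = 5          # resolver(5) default 'timeout', as cited in the report
LOGIN_GRACE_TIME_DEFAULT = 120   # sshd_config LoginGraceTime default, as cited in the report


def parse_resolv_conf(text, default_attempts):
    """Return (nameservers, options) from resolv.conf text.

    default_attempts is what 'attempts' falls back to when no options line
    sets it; the report disputes FreeBSD's default, so the caller chooses
    the value to model (assumption, not a documented constant).
    """
    nameservers = []
    options = {"timeout": RES_TIMEOUT_DEFAULT, "attempts": default_attempts}
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if m:
                    options[m.group(1)] = int(m.group(2))
    return nameservers, options


def expected_queries(nameservers, options):
    """Queries one lookup should send if each attempt asks every nameserver once."""
    return options["attempts"] * len(nameservers)


def worst_case_seconds(nameservers, options):
    """Upper bound on one lookup's stall: every attempt to every nameserver times out."""
    return options["attempts"] * options["timeout"] * len(nameservers)


def count_a_queries(tcpdump_text, qname):
    """Count 'A? <qname>.' lines in tcpdump output, the way the report counted them.

    Search-list variants such as 'A? qname.localdomain.' are not counted.
    """
    pattern = re.compile(r"\bA\? " + re.escape(qname) + r"\.?(?=\s|$)")
    return sum(1 for line in tcpdump_text.splitlines() if pattern.search(line))


def assess(resolv_text, tcpdump_text, qname, default_attempts,
           grace=LOGIN_GRACE_TIME_DEFAULT, lookups=1):
    """Compare predicted and observed queries and the stall against the grace time.

    lookups models a login path that performs several blocking lookups in a row
    (hypothetical knob; the report does not state how many sshd or ftpd perform).
    """
    nameservers, options = parse_resolv_conf(resolv_text, default_attempts)
    expected = expected_queries(nameservers, options)
    observed = count_a_queries(tcpdump_text, qname)
    stall = worst_case_seconds(nameservers, options) * lookups
    return {
        "attempts": options["attempts"],
        "timeout": options["timeout"],
        "expected_queries": expected,
        "observed_queries": observed,
        # ratio above 1.0 means more queries went out than 'attempts' predicts
        "ratio": observed / expected if expected else None,
        "worst_case_seconds": stall,
        "exceeds_grace": stall > grace,
    }


# Constructed sample input modelled on the report: one nameserver, no options
# line, and a capture showing 8 "A? yahoo.com." queries for one ping run.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.168.1.254\n"
SAMPLE_TCPDUMP = "\n".join(
    "00:18:%02d.000000 IP 192.168.1.2.1025 > 192.168.1.254.53: "
    "%d+ A? yahoo.com. (27)" % (i, 1000 + i) for i in range(8)
)

if __name__ == "__main__":
    report = assess(SAMPLE_RESOLV_CONF, SAMPLE_TCPDUMP, "yahoo.com", default_attempts=4)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

Run against a real resolv.conf and a capture of 'tcpdump -n port 53', the ratio shows whether the resolver is sending more queries than 'attempts' predicts, and 'exceeds_grace' flags a configuration whose dead-nameserver stall can outlast the sshd grace period before any authentication is attempted; lowering 'timeout' and 'attempts' or listing several nameservers, as suggested in the reply quoted above, brings the bound down.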