bin/62139: User cannot login through telnet or ssh because of
reverse resolving delay
Rostislav Krasny
rosti_bsd at yahoo.com
Thu Sep 16 14:00:44 PDT 2004
The following reply was made to PR bin/62139; it has been noted by GNATS.
From: Rostislav Krasny <rosti_bsd at yahoo.com>
To: Yar Tikhiy <yar at FreeBSD.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: bin/62139: User cannot login through telnet or ssh because of reverse resolving delay
Date: Thu, 16 Sep 2004 13:51:56 -0700 (PDT)
--- Yar Tikhiy <yar at FreeBSD.org> wrote:
> On Wed, Sep 01, 2004 at 09:25:25AM -0700, Rostislav Krasny wrote:
> >
> > > To my mind, this is a host configuration issue. First, you
> > > may list multiple nameservers in your resolv.conf so that
> > > should one of them fail, the others will still respond to
> > > queries. Second, the resolver timeout and attempts may be
> > > set to a lower value (see resolver(5) for details) if your
> > > network can suffer from all its nameservers being unavailable.
> > > Please also note that some ways of ssh authentication may
> > > rely on a name service being available.
> >
> > I think that resolver(3) is buggy. Consider the tests described
> > below, that I've done.
> >
> > > uname -a
> > FreeBSD localhost 5.3-BETA2 FreeBSD 5.3-BETA2 #1: Sat Aug 28
> > 21:29:15 UTC 2004
> > root at mack.dcsl.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
> > i386
> >
> >
> > I changed the /etc/resolv.conf file, so it had only one following
> > line:
> >
> > nameserver 21.21.21.21
> >
> > Then I ran a 'date ; ping yahoo.com ; date' one line command four
> > times. This way I measured the time between 'ping yahoo.com'
> > started and failed. The results are:
> >
> > N mm:ss
> > 1 2:30
> > 2 2:31
> > 3 2:31
> > 4 2:30
> >
> > Why it taked so long time with default "options" settings?
>
> It's because the resolver library tries hard to perform its job
> reliably. You may like to read RFC 1536 for the discussion of the
> algorithm used. Also note that resolver will try to add the local
> domain name as found in the hostname if it is unable to resolve a
> name as-is.
This box have no domain name. Its hostname is 'localhost'. Also no
domain and no search list are defined in the /etc/resolv.conf file.
> > According to man sshd_config:
> >
> > LoginGraceTime
> > The server disconnects after this time if the user has not
> > suc-
> > cessfully logged in. If the value is 0, there is no time
> > limit.
> > The default is 120 seconds.
> >
> > So this is not surprising why my attempts connecting to this box
> > from another one by ssh failed with following sshd error:
> >
> > Aug 31 00:18:06 localhost sshd[1443]: fatal: Timeout before
> > authentication for 192.168.1.1
> >
> > Workaround of this problem was seting 'UseDNS no' in
> > /etc/ssh/sshd_config file. But I still don't know what the
> > workaround of the same problem with ftpd (enabled
> > in /etc/inetd.conf).
> >
> >
> > Then I ran 'tcpdump -nvi ed1' in a second pseudo-terminal and
> > counted a number of "A? yahoo.com" requests during a run of the
> > above 'ping yahoo.com'. With default "options" settings my box is
> > sending 8 "A? yahoo.com" requests to one DNS before 'ping
yahoo.com'
> > is failed. Why there are so many requests to one non-working DNS?
>
> Since you never know in advance how many times the program you are
> trying, e.g., ping, calls the resolver functions.
Did you mean functions like gethostbyname(3)? I've wrote a short test
program and used it instead of ping:
======= test program ========
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
int main(void)
{
const char *name="yahoo.com";
struct hostent *ps_hostent;
char **st;
ps_hostent=gethostbyname(name);
if (ps_hostent!=NULL) {
printf("%s\n", ps_hostent->h_name);
for (st=ps_hostent->h_addr_list; *st!=NULL; st++) {
printf("%s\n",
inet_ntoa(*(struct in_addr *)*st));
}
if (st==ps_hostent->h_addr_list)
fputs("It have no address.\n", stderr);
} else {
herror(name);
}
return 0;
}
======= test program ========
When I repeated the tests with this program I've got the same number of
"A? yahoo.com." requests to one DNS and the same periods of time until
the program was running.
> > Finally I add a custom "options" settings line in /etc/resolv.conf
> > file:
> >
> > options attempts:1
> >
> > With this option my box is sending 2 "A? yahoo.com" requests. With
> > 'attempts:2' it sends 4 requests, with 'attempts:3' it sends 6
> > requests, with 'attempts:5' it sends 10 requests... and so on. Why
> > the numbers of actual requests are double of the defined numbers?
>
> It means that ping seems to call the resolver twice each time.
In my test program a gethostbyname(3) function is called only once.
> > What is the default value of the 'attempts' option? The resolver(5)
> > man page states that the default value is defined by RES_DFLRETRY
in
> > <resolv.h>. But there is no RES_DFLRETRY in /usr/include/resolv.h
> > file. In other systems the RES_DFLRETRY is defined as 2.
>
> RES_MAXRETRY. 5. The man page seems to give a wrong name there.
> I'll fix it later.
Thank you for the fixing. I've seen your commits:
http://docs.freebsd.org/cgi/mid.cgi?200409091739.i89HdlwM019548
http://docs.freebsd.org/cgi/mid.cgi?200409091742.i89HgIan019681
http://docs.freebsd.org/cgi/mid.cgi?200409091719.i89HJRGu019026
According to them the default value of the 'attempts' option was and
still is 4 and RES_DFLRETRY is the right name. But most of UNIX and
UNIX-like operating systems that I checked have RES_DFLRETRY defined as
2, not as 4. They are: Solaris, AIX, Linux and even NetBSD. Only
OpenBSD have it hardcoded as 4.
> > IMHO the default value of the 'attempts' option should be 2 and it
> > must not be doubled. With the default value of 'timeout' option
> > (5 seconds) it should take no more than 10 seconds to decide that
> > one DNS is unreachable or not.
>
> You are misinterpreting the `timeout' option. See RFC 1536 or the
> code. And `attempts' is not doubled, that is a consequence of the
> application behaviour.
Maybe I was wrong with the `timeout' option but I think I was right
with the `attempts' one.
> I feel that losing all DNS servers is just slightly better
> than losing the network connection at all. Therefore console
> access to such machine is the answer. Trying to overcome that
> in software is too risky, at least for the default configuration.
> I'd rather close this PR.
The point is that the default configuration of resolver(5) in FreeBSD
is different from most of other Unices and even NetBSD. Why it is
different? Also the double number of DNS requests is not clear for me yet.
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
More information about the freebsd-bugs
mailing list