it takes a long long long time to time-out a login attempt

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Mar 13 05:17:13 PST 2004


On Sat, Mar 13, 2004 at 04:21:58AM -0800, Sameer wrote:
> I'm trying to ssh into my FreeBSD (5.2.1-release sparc version) box from my
> desktop, however, it'll take a few seconds for the "login as" prompt to
> appear.  I enter my user name and hit enter. The login attempt then sits
> there for about 90 seconds w/o asking for the password, then the connection
> times out.
>
> Any ideas what's causing this?  Do I need to put the workstation's
> information into the hosts file or something?
>
> The funny thing is that when I ssh from another server that's on the same
> VLAN as the FreeBSD box (I should mention that the workstation is on a
> different VLAN) the login process happens immediately.

Sounds like classic DNS timeout problems.  When you ssh into a box, it
will look up the IP number you're coming from in the DNS, and then
look up the hostname it derives from that to make sure that the IP
number appears as listed for that address.  This is a measure to
prevent people spoofing some other hostname and so getting increased
access.

The problem is not so much that there isn't a record for the machine
you're coming from accessible to the target machine, but that the
attempt to look up the address/IP numbers never returns any (even an
error) response.  That forces the resolver on the target machine to
wait for the full DNS timeout period (30s per server), which feels a
lot longer than it sounds.

If your target machine is unable to access the Internet root servers
you'll see this sort of effect.  The answer is to generate your own
root zone on the servers on your intranet -- the 'DNS and BIND' book
by Albitz and Liu will explain how to do that, and there are no doubt
many HOWTOs you can Google for.  Given this fake root zone, your
servers should return an NXDomain error within milliseconds for any
address it doesn't have any record of.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
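
The IP -> hostname -> IP check described in the reply above can be repeated and timed from the target machine to see which lookup stalls. This is an added example, not part of the original message and not OpenSSH's code; the function names and the 2-second SLOW_SECONDS threshold are assumptions made for illustration.

```python
import socket
import sys
import time

SLOW_SECONDS = 2.0  # assumed threshold for "this lookup is delaying the login"

def ptr_lookup(ip):
    """Reverse (PTR) lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def addr_lookup(name):
    """Forward lookup through the system resolver; returns a set of IP strings."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def timed(step, func, arg, clock):
    """Run one lookup, recording whether it failed and how long it took."""
    start = clock()
    try:
        value, failed = func(arg), False
    except OSError:  # socket.herror, socket.gaierror and timeouts are OSErrors
        value, failed = None, True
    elapsed = clock() - start
    return value, {"step": step, "seconds": elapsed, "failed": failed,
                   "slow": elapsed >= SLOW_SECONDS}

def check_client(ip, reverse=ptr_lookup, forward=addr_lookup, clock=time.monotonic):
    """Return a report whose verdict is confirmed, mismatch, no-ptr or no-forward."""
    report = {"ip": ip, "hostname": None, "verdict": None, "steps": []}
    name, step = timed("reverse", reverse, ip, clock)
    report["steps"].append(step)
    if name is None:
        report["verdict"] = "no-ptr"
        return report
    report["hostname"] = name
    addrs, step = timed("forward", forward, name, clock)
    report["steps"].append(step)
    if addrs is None:
        report["verdict"] = "no-forward"
    else:
        report["verdict"] = "confirmed" if ip in addrs else "mismatch"
    return report

def slow_steps(report):
    """Names of the lookup steps that took SLOW_SECONDS or longer."""
    return [s["step"] for s in report["steps"] if s["slow"]]

if __name__ == "__main__":
    # Usage: python3 thisfile.py <client-ip> [<client-ip> ...]
    for r in map(check_client, sys.argv[1:]):
        print(r["ip"], r["hostname"], r["verdict"], "slow:", slow_steps(r) or "none")
```

A "no-ptr" verdict with nothing listed as slow is the harmless case (the resolver got a quick error); a step listed as slow is the one that holds up the login.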


More information about the freebsd-questions mailing list