cannot ssh into a box with DHCP assigned IP address

Anton Shterenlikht mexas at bristol.ac.uk
Wed Feb 20 10:57:02 UTC 2013


	From ml at my.gd Wed Feb 20 10:28:54 2013

	Ok I think you've got a DNS resolution problem here,
	 so when you try to establish the connection,
	 SSHD tries to resolve your client's hostname.

	It fails and times out, however your ssh login gracetime is already over.

	You have several options here:

	1/ increase the login grace time in sshd_config

ok:
LoginGraceTime 3m

	2/ set usedns no (or do both, btw)

ok:
UseDNS no

	3/ fix DNS resolution ;)

Well, I'm waiting for the IT support guys
to do this, but they are very slow.

	I would definitely recommend
	 turning off hostname resolution for sshd,
	 it is of marginal value (to me at least).

Following the sshd man page, I'm also trying this:

*quote*
  -u0 may also be used to prevent sshd from making
  DNS requests unless the authentication mechanism or configuration
  requires it.  Authentication mechanisms that may require DNS
  include RhostsRSAAuthentication, HostbasedAuthentication, and
  using a from="pattern-list" option in a key file.  Configuration
  options that require DNS include using a USER@HOST pattern in
  AllowUsers or DenyUsers.
*end quote*

I set in /etc/ssh/sshd_config:

RhostsRSAAuthentication no
HostbasedAuthentication no
AllowUsers mexas

and I don't have DenyUsers at all.

I then restart sshd as
/usr/sbin/sshd -u0

However, I still see the same (I think)
output from tcpdump and still get ssh timeout:

10:55:32.503085 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 53520:53568, ack 64033, win 1040, options [nop,nop,TS val 169209828 ecr 2123714526], length 48
10:55:32.604376 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [.], ack 53568, win 1040, options [nop,nop,TS val 2123715301 ecr 169209828], length 0
10:55:32.668861 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 53568:53616, ack 64033, win 1040, options [nop,nop,TS val 169209994 ecr 2123715301], length 48
10:55:32.671995 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 64033:64161, ack 53616, win 1040, options [nop,nop,TS val 2123715368 ecr 169209994], length 128
10:55:32.672501 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 64161:64209, ack 53616, win 1040, options [nop,nop,TS val 2123715368 ecr 169209994], length 48
10:55:32.672763 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 64209, win 1040, options [nop,nop,TS val 169209998 ecr 2123715368], length 0
10:55:33.394762 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 53616:53664, ack 64209, win 1040, options [nop,nop,TS val 169210720 ecr 2123715368], length 48
10:55:33.396877 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 64209:64257, ack 53664, win 1040, options [nop,nop,TS val 2123716093 ecr 169210720], length 48
10:55:33.496782 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 64257, win 1040, options [nop,nop,TS val 169210822 ecr 2123716093], length 0

Thanks

Anton
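
The conditions listed in the sshd man page passage quoted in the message above, turned into a check over sshd_config and authorized_keys text. This is an added example, not part of the original post or of OpenSSH; the function names and the sample files are constructed for illustration, and Match blocks are not interpreted.

```python
import re

# Constructed sample input (not the poster's actual files).
SAMPLE_SSHD_CONFIG = """\
LoginGraceTime 3m
UseDNS no
RhostsRSAAuthentication no
HostbasedAuthentication yes
AllowUsers mexas backup@*.example.org
"""
SAMPLE_AUTHORIZED_KEYS = """\
no-pty,from="*.example.org" ssh-ed25519 AAAAconstructed user@laptop
ssh-ed25519 AAAAconstructed other@desktop
"""

# authorized_keys options are a comma-separated list at the start of the line.
FROM_OPTION = re.compile(r'^\s*(?:[\w-]+(?:="[^"]*")?,)*from="', re.IGNORECASE)

def parse_config(text):
    """Map each lowercased sshd_config keyword to the argument lists it was given."""
    settings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            settings.setdefault(parts[0].lower(), []).append(parts[1:])
    return settings

def dns_triggers(config_text, authorized_keys_text=""):
    """Return reasons sshd may still need DNS even with UseDNS no or -u0."""
    cfg = parse_config(config_text)
    def first(key, default):  # sshd uses the first value it reads for a keyword
        return cfg.get(key, [[default]])[0][0].lower()
    findings = []
    if first("usedns", "unset") != "no":
        findings.append("UseDNS is not explicitly set to no")
    for key in ("hostbasedauthentication", "rhostsrsaauthentication"):
        if first(key, "no") == "yes":
            findings.append(f"{key} is enabled")
    for key in ("allowusers", "denyusers"):
        for args in cfg.get(key, []):
            findings += [f"{key} has USER@HOST pattern {p}" for p in args if "@" in p]
    for number, line in enumerate(authorized_keys_text.splitlines(), 1):
        if FROM_OPTION.match(line):
            findings.append(f"authorized_keys line {number} uses from=")
    return findings

if __name__ == "__main__":
    for finding in dns_triggers(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```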


