SSH login takes very long time...sometimes

Yar Tikhiy yar at comp.chem.msu.su
Sat Feb 25 06:22:36 PST 2006


On Sat, Feb 25, 2006 at 02:42:46AM +0200, Rostislav Krasny wrote:
> On Fri, 24 Feb 2006 20:40:07 +0300
> Yar Tikhiy <yar at comp.chem.msu.su> wrote:
> 
> > To Rostislav: Could you do now, with the resolver fixes applied,
> > the following experiment: find how many dead nameservers in resolv.conf
> > it takes for sshd to start timing out a connection to it?  There
> > is still your PR open on this issue, so we should see whether
> > the default for LoginGraceTime needs a change, too.  Thanks!
> 
> The maximum number of name servers that the resolver will work with is
> MAXNS, which currently is 3. With three unreachable name servers in
> resolv.conf I successfully connected from another, not patched, FreeBSD
> 6.1-PRERELEASE by ssh without touching LoginGraceTime. I've got the
> password prompt after about 48.5 seconds, according to a stopwatch in
> my cell phone :-)
> 
> I also tested telnet connection and it worked properly in that
> situation.

Sounds good!  Thanks!

> However, I was unable to connect by ftp, even with only one unreachable
> name server in resolv.conf. I got the following error:
> 
> 421 Service not available, remote server timed out. Connection closed
> 
> I've found the problem in both ftpd(8) and ftp(1). In ftpd(8),
> getaddrinfo() is called in two places with hints.ai_socktype == 0 and
> hints.ai_family == PF_UNSPEC. In ftp(1), the command reply timeout is
> only 60 seconds. Those things are what I've changed to fix the problem.
> Two diffs are attached to this email. The ftpd.c.diff extends the -4 and
> -6 ftpd options. So if this patch is good, the ftpd(8) manual page and the
> default /etc/inetd.conf should also be changed appropriately.

Could you explain please how your patch would affect ftpd(8) semantics
visible to the user?

> Although I changed two getaddrinfo() calls in ftpd.c, only the first of
> them is really called on a default FreeBSD configuration,
> when /etc/ftphosts doesn't exist yet. So there might be a need for an
> additional increase of the command reply timeout in ftp.c. Or better if
> this timeout could be configurable by some new ftp(1) option, with 120
> seconds by default.

> --- libexec/ftpd/ftpd.c.orig	Wed Feb  8 18:54:05 2006
> +++ libexec/ftpd/ftpd.c	Sat Feb 25 00:30:26 2006
> @@ -239,7 +239,7 @@
>  	}
>  
>  #ifdef VIRTUAL_HOSTING
> -static void	 inithosts(void);
> +static void	 inithosts(int);
>  static void	 selecthost(union sockunion *);
>  #endif
>  static void	 ack(char *);
> @@ -424,7 +424,7 @@
>  	}
>  
>  #ifdef VIRTUAL_HOSTING
> -	inithosts();
> +	inithosts(family);
>  #endif
>  
>  	if (daemon_mode) {
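
Review bot: at the inithosts(family) call, nothing in the visible lines shows what `family` holds when neither -4 nor -6 was given, or that option parsing has finished before this point. If the default is anything other than AF_UNSPEC, virtual-host lookups change for every default installation; please state the default value in the change description and say how -4 and -6 map onto it.
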
> @@ -663,7 +663,7 @@
>   */
>  
>  static void
> -inithosts(void)
> +inithosts(int family)
>  {
>  	int insert;
>  	size_t len;
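
Review bot: the new `family` parameter in the inithosts(int family) definition is undocumented. The comment block that closes just above the function should say that the argument restricts virtual-host lookups to one address family and which values callers are expected to pass.
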
> @@ -689,7 +689,8 @@
>  
>  	memset(&hints, 0, sizeof(hints));
>  	hints.ai_flags = AI_CANONNAME;
> -	hints.ai_family = AF_UNSPEC;
> +	hints.ai_family = family;
> +	hints.ai_socktype = SOCK_STREAM;
>  	if (getaddrinfo(hrp->hostname, NULL, &hints, &res) == 0)
>  		hrp->hostinfo = res;
>  	hrp->statfile = _PATH_FTPDSTATFILE;
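
Review bot: the getaddrinfo(hrp->hostname, ...) result is still only tested for == 0 with no failure branch in the visible lines, so once hints.ai_family is pinned to `family`, a host name that has addresses only in the other family leaves hrp->hostinfo unset without any diagnostic. Consider logging the gai_strerror() text on failure so an administrator can see that a -4 or -6 setting has dropped the default host's address list.
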
> @@ -759,9 +760,10 @@
>  						/* NOTREACHED */
>  					}
>  
> -			hints.ai_flags = 0;
> -			hints.ai_family = AF_UNSPEC;
> +			/* If no flag, assign hints.ai_flags to zero! */

Sorry, but I don't understand the purpose of this comment here.

>  			hints.ai_flags = AI_PASSIVE;
> +			hints.ai_family = family;
> +			hints.ai_socktype = SOCK_STREAM;
>  			if (getaddrinfo(vhost, NULL, &hints, &res) != 0)
>  				goto nextline;
>  			for (ai = res; ai != NULL && ai->ai_addr != NULL;
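
Review bot: the added comment "If no flag, assign hints.ai_flags to zero!" sits directly above an unconditional `hints.ai_flags = AI_PASSIVE;`, so it describes something the code never does. Removing the redundant `hints.ai_flags = 0;` is fine by itself; drop the comment, or replace it with one that says why the family and socket type are pinned. Also note that with hints.ai_family restricted, the `goto nextline` path now silently skips /etc/ftphosts entries that resolve only in the other family, which deserves a log message.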

-- 
Yar
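
The effect of the two hints changed in the quoted ftpd.c patch (ai_family and ai_socktype) can be observed without any name server. This is an added example, not code from the original message or from FreeBSD; count_results() is a hypothetical helper, and it uses numeric literals with AI_NUMERICHOST so it runs offline and does not reproduce the resolver timeout itself.

```c
/* Added example: how getaddrinfo() hints narrow what is returned.
 * Numeric literals plus AI_NUMERICHOST keep it offline (no DNS queries). */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Resolve a numeric host with the given hints; return the number of
 * addrinfo entries, or -1 if getaddrinfo() fails. */
static int
count_results(const char *host, int family, int socktype)
{
	struct addrinfo hints, *res, *ai;
	int n = 0;

	memset(&hints, 0, sizeof(hints));
	hints.ai_flags = AI_NUMERICHOST;	/* never contact a name server */
	hints.ai_family = family;
	hints.ai_socktype = socktype;
	if (getaddrinfo(host, NULL, &hints, &res) != 0)
		return (-1);
	for (ai = res; ai != NULL; ai = ai->ai_next)
		n++;
	freeaddrinfo(res);
	return (n);
}

int
main(void)
{
	/* Pre-patch hints: any family, any socket type. */
	printf("AF_UNSPEC, socktype 0:  %d entries\n",
	    count_results("127.0.0.1", AF_UNSPEC, 0));
	/* Patched hints, assuming family == AF_UNSPEC without -4/-6. */
	printf("AF_UNSPEC, SOCK_STREAM: %d entries\n",
	    count_results("127.0.0.1", AF_UNSPEC, SOCK_STREAM));
	/* Patched hints with the family pinned to IPv4. */
	printf("AF_INET,   SOCK_STREAM: %d entries\n",
	    count_results("127.0.0.1", AF_INET, SOCK_STREAM));
	/* A pinned family rejects an address of the other family. */
	printf("AF_INET6,  SOCK_STREAM: %d (lookup fails)\n",
	    count_results("127.0.0.1", AF_INET6, SOCK_STREAM));
	return (0);
}
```

With ai_socktype left at 0 the same address comes back once per socket type; the last case is the behaviour change a pinned family introduces for hosts that only have addresses in the other family.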

