[Bug 259712] New: establish ssh session takes 50 seconds
https://bugzilla.novell.com/show_bug.cgi?id=259712

           Summary: establish ssh session takes 50 seconds
           Product: openSUSE 10.2
           Version: Final
          Platform: x86-64
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: m.munnix@redcross.be
         QAContact: qa@suse.de

Connecting to the proxy server takes 50+ seconds. I have found 2 possible workarounds:

1. put "UseDNS no" in /etc/ssh/sshd_config
2. comment out the "search" directive in /etc/resolv.conf

I submit the case as I suspect it could be a bug with sshd/resolver/pam and not only a configuration problem. This happens when connecting from inside the network as well as from the internet. I see a 10-second delay 5 times after querying our DNS server. This seems to be a timeout, but I could not trace its source with the highest debug setting in sshd. I'll attach the logs from sshd and the DNS server.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
------- Comment #1 from m.munnix@redcross.be 2007-04-01 09:18 MST -------
Created an attachment (id=127999) --> (https://bugzilla.novell.com/attachment.cgi?id=127999&action=view)
sshd logged with debug3

------- Comment #2 from m.munnix@redcross.be 2007-04-01 09:19 MST -------
Created an attachment (id=128000) --> (https://bugzilla.novell.com/attachment.cgi?id=128000&action=view)
queries on DNS server

------- Comment #3 from m.munnix@redcross.be 2007-04-01 09:20 MST -------
Created an attachment (id=128001) --> (https://bugzilla.novell.com/attachment.cgi?id=128001&action=view)
/etc/ssh/sshd_config

------- Comment #4 from m.munnix@redcross.be 2007-04-01 09:20 MST -------
Created an attachment (id=128002) --> (https://bugzilla.novell.com/attachment.cgi?id=128002&action=view)
/etc/resolv.conf
judas_iscariote@shorewall.net changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
                 CC|                                          |judas_iscariote@shorewall.net
         AssignedTo|bnc-team-screening@forge.provo.novell.com |anicka@novell.com

------- Comment #5 from judas_iscariote@shorewall.net 2007-04-01 16:11 MST -------
(In reply to comment #0)
> Connecting to the proxy server takes 50+ seconds. I have found 2 possible workarounds:
> 1. put "UseDNS no" in /etc/ssh/sshd_config

Correct, not a bug, but a problem in your network. If it takes too much time, then you have a problem in your DNS server, a problem that has nothing to do with openssh.
anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |m.munnix@redcross.be

------- Comment #6 from anicka@novell.com 2007-04-02 05:34 MST -------
I agree with Cristian that it is some problem in your network. I cannot say whether you encountered a bug in DNS or just a misconfiguration. I do not even think that it can be determined from the given input. Looking at the ssh debug output, I think that openssh works as expected. It would be good to know whether you will have the same problem with other programs also. Does, for example, an ftp client work for you, or does it suffer from the same problem?
m.munnix@redcross.be changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|m.munnix@redcross.be        |

------- Comment #7 from m.munnix@redcross.be 2007-04-02 08:36 MST -------
It seems to be related to ssh, as sftp induces a delay of 40 seconds counting from Enter after password entry (4*10 seconds), compared to the 50 seconds for the interactive ssh session. But ftp (vsftpd server) connects immediately (no delay at all).
------- Comment #8 from m.munnix@redcross.be 2007-04-03 03:29 MST -------
I investigated further with an strace on sshd. After the DNS queries to our server 10.1.11.3, there is a multicast on address 224.0.0.251 which times out after 5 seconds, probably searching for 163-67-87.adsl-dyn.isp.belgacom.be.crb-sfs.local if I interpret this correctly.

The man page on resolv.conf says about ndots:n:

    sets a threshold for the number of dots which must appear in a name given to res_query() (see resolver(3)) before an initial absolute query will be made. The default for n is ``1'', meaning that if there are any dots in a name, the name will be tried first as an absolute name before any search list elements are appended to it.

As there are 4 dots in 163-67-87.adsl-dyn.isp.belgacom.be, why does sshd try to use the search list? Perhaps it does not use the resolver library correctly?
------- Comment #9 from m.munnix@redcross.be 2007-04-03 03:30 MST -------
Created an attachment (id=128430) --> (https://bugzilla.novell.com/attachment.cgi?id=128430&action=view)
ssh.trace1 is a portion of strace log on sshd
anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |INVALID

------- Comment #10 from anicka@novell.com 2007-04-04 10:46 MST -------
The strace is an answer to your problem: sshd is not to blame in this case. You have two possible fixes I am aware of: one of them is to configure sshd not to use IPv6, the other is to disable multicast DNS.

And what actually happens in your strace... sshd asks for the IPv6 address first (default behavior). It tries the absolute name first (exactly as you describe), but unfortunately gets a weird answer (with authoritative name server only). So it tries to add suffixes... and it still goes the same. Then it tries multicast and waits till the timeout (this is the slowest thing). And then, finally (it should be somewhere in the deleted strace lines), it asks for the IPv4 address and gets an answer.

When you strike a similar problem next time, it will help to add raw packet data from tcpdump; decoding them from strace is a bit time consuming ;)
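The following is an added model of what comments #8 and #10 describe, written for this page and not code from the bug or from openssh: it applies the resolv.conf(5) ndots rule to list the names the resolver will try for the client's reverse name, then counts the lookups sshd's UseDNS forward check can issue per address family and the delay if none is answered. The search domain crb-sfs.local, the server 10.1.11.3 and the 5 s multicast timeout are taken from the thread; the glibc defaults of 5 s timeout and 2 attempts per unanswered unicast query, and the treatment of every query as unanswered, are the model's assumptions.

```python
"""Model of the resolver behaviour in this bug (added illustration, not openssh code).
glibc's ndots rule (resolv.conf(5)): a name with >= ndots dots is tried absolute first and the
search list appended afterwards, so the strace shows ...belgacom.be retried under .crb-sfs.local.
sshd with "UseDNS yes" repeats that forward lookup per address family (IPv6 then IPv4, comment #10)."""
from dataclasses import dataclass, field

MDNS_TIMEOUT = 5  # assumed: one multicast DNS wait for a .local name (the 224.0.0.251 timeout in the strace)
# Constructed sample: 10.1.11.3 is the server named in the thread, crb-sfs.local the suffix it appended.
SAMPLE_RESOLV_CONF = "nameserver 10.1.11.3\nsearch crb-sfs.local\n"

@dataclass
class ResolvConf:
    search: list = field(default_factory=list)
    ndots: int = 1      # glibc defaults, overridable via "options ndots:n timeout:n attempts:n"
    timeout: int = 5
    attempts: int = 2

def parse_resolv_conf(text: str) -> ResolvConf:
    """Read the search list and resolver options; '#' comments are ignored."""
    conf = ResolvConf()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "search":
            conf.search = fields[1:]
        elif fields and fields[0] == "options":
            for opt in fields[1:]:
                key, _, val = opt.partition(":")
                if key in ("ndots", "timeout", "attempts") and val.isdigit():
                    setattr(conf, key, int(val))
    return conf

def query_plan(name: str, conf: ResolvConf) -> list:
    """Names the resolver tries, in order, for one lookup of `name` (the ndots rule)."""
    if name.endswith("."):
        return [name]                                   # already absolute: search list is skipped
    absolute = name + "."
    suffixed = [f"{name}.{domain}." for domain in conf.search]
    return [absolute] + suffixed if name.count(".") >= conf.ndots else suffixed + [absolute]

def query_cost(qname: str, conf: ResolvConf) -> int:
    """Seconds lost when this query goes unanswered: unicast retries, or one mDNS wait for .local."""
    return MDNS_TIMEOUT if qname.endswith(".local.") else conf.timeout * conf.attempts

def usedns_worst_case(client_name: str, conf: ResolvConf, families=("AAAA", "A")) -> dict:
    """Queries sshd's UseDNS forward check can issue, and the delay if none of them is answered.
    families=("A",) models the IPv4-only workaround comment #10 mentions; an empty search list
    models workaround 2 of the report; "UseDNS no" removes the whole check."""
    queries = [(rr, q) for rr in families for q in query_plan(client_name, conf)]
    return {"queries": queries, "worst_case_seconds": sum(query_cost(q, conf) for _, q in queries)}
```

Running it against the sample resolv.conf reproduces the shape of the strace: the absolute name, then the .crb-sfs.local variant that ends in the multicast wait, once per address family.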