[Bug 1667] sshd slow connect with 'UseDNS yes'

bugzilla-daemon at bugzilla.mindrot.org
Wed Oct 28 08:32:56 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1667

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2009-10-28 08:32:54 EST ---
(From update of attachment 1711)
>debug1: do_pam_account: called
>1 2 3 4
>debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)

OK, we'll use this example since it's probably the simplest.  The code
that does this is in auth-pam.c:do_pam_account():

        debug("%s: called", __func__);
        if (sshpam_account_status != -1)
                return (sshpam_account_status);

        sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
        debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
            pam_strerror(sshpam_handle, sshpam_err));

where previously the hostname was set via PAM_RHOST:

        sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);

So in this case the blocking is happening inside either the PAM library
or a PAM module.  You can confirm this by repeating the same test but
UsePam=no.  There is one other delay marked in the output where the pty
is allocated.  I suspect you will still see the delay at the pty
allocation but overall it will be much faster (because sshd caches the
result of the name lookup).

I don't know why the lookups inside PAM take so long though.  Can you
capture the name lookups?  Either strace/truss "/path/to/sshd -D" and
pick the requests out of the output, or run "tcpdump -s 1500 port 53"
while connecting.  I suspect you'll find that it's either IPv6 AAAA
lookups or their inverse.

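The comment above suggests running sshd under strace and picking the resolver requests out of the output to see which lookup is stalling. The helper below is an added example written for this page, not code from the bug report or from OpenSSH: it parses lines in the format `strace -f -tt` emits, remembers which file descriptors were connected to port 53, and reports any call on such a descriptor that blocked longer than a threshold (the blocking time shows up as the gap to the next timestamp). The sample trace, the resolver address 192.0.2.53 and the function name `find_dns_stalls` are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# One "strace -f -tt" line: optional "[pid N]" prefix, HH:MM:SS.usec, then
# syscall(first_arg, ...). The first argument is captured only when it is a
# bare number (a file descriptor); poll() carries its fds inside the array.
LINE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(\d{2}:\d{2}:\d{2}\.\d{6})\s+(\w+)\((\d+)?')
PORT53_RE = re.compile(r'sin6?_port=htons\(53\)')
POLL_FD_RE = re.compile(r'fd=(\d+)')


def _fd_of(call, first_arg, line):
    """Return the fd a syscall operates on, or None if it has none."""
    if call == 'poll':
        m = POLL_FD_RE.search(line)
        return int(m.group(1)) if m else None
    return int(first_arg) if first_arg else None


def find_dns_stalls(lines, threshold_ms=500):
    """Return (syscall, fd, gap_ms) for calls on a port-53 socket that
    blocked for at least threshold_ms. Timestamps are assumed not to
    cross midnight (strace -tt prints time of day only)."""
    dns_fds = set()
    stalls = []
    prev_time = prev_fd = prev_call = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        call = m.group(2)
        fd = _fd_of(call, m.group(3), line)
        # Time since the previous line is how long the previous call blocked.
        if prev_time is not None and prev_fd in dns_fds:
            gap_ms = (t - prev_time) / timedelta(milliseconds=1)
            if gap_ms >= threshold_ms:
                stalls.append((prev_call, prev_fd, round(gap_ms)))
        # Track sockets that the resolver connected to a nameserver.
        if call == 'connect' and PORT53_RE.search(line):
            dns_fds.add(fd)
        elif call == 'close':
            dns_fds.discard(fd)   # fd numbers get reused after close
        prev_time, prev_fd, prev_call = t, fd, call
    return stalls


# Constructed sample: one query times out after 5 s, the retry answers fast,
# then fd 4 is reused for /etc/hosts and must no longer count as a DNS socket.
SAMPLE = r"""
08:32:00.000100 socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 4
08:32:00.000200 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
08:32:00.000300 sendto(4, "\243\27\1\0\0\1\0\0\0\0\0\0", 44, MSG_NOSIGNAL, NULL, 0) = 44
08:32:00.000400 poll([{fd=4, events=POLLIN}], 1, 5000) = 0 (Timeout)
08:32:05.001400 sendto(4, "\243\27\1\0\0\1\0\0\0\0\0\0", 44, MSG_NOSIGNAL, NULL, 0) = 44
08:32:05.001500 poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
08:32:05.020500 recvfrom(4, "\243\27\205\203", 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, [16]) = 44
08:32:05.020600 close(4) = 0
08:32:05.020700 open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
08:32:05.020800 read(4, "127.0.0.1\tlocalhost\n", 4096) = 20
08:32:06.020900 close(4) = 0
""".strip().splitlines()

if __name__ == "__main__":
    for call, fd, gap in find_dns_stalls(SAMPLE):
        print(f"{call}() on DNS fd {fd} blocked for {gap} ms")
```

Feed it the real trace with `strace -f -tt -o sshd.trace /path/to/sshd -D` and `find_dns_stalls(open("sshd.trace"))`; a stall on a UDP socket to port 53 right after `do_pam_account: called` points at the resolver, and the query bytes on the `sendto` line (record type AAAA versus A, or a PTR name under in-addr.arpa/ip6.arpa) show which lookup it was.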