[Bug 1667] sshd slow connect with 'UseDNS yes'
bugzilla-daemon at bugzilla.mindrot.org
Wed Oct 28 08:32:56 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1667
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2009-10-28 08:32:54 EST ---
(From update of attachment 1711)
>debug1: do_pam_account: called
>1 2 3 4
>debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)

OK, we'll use this example since it's probably the simplest. The code
that does this is in auth-pam.c:do_pam_account():

	debug("%s: called", __func__);
	if (sshpam_account_status != -1)
		return (sshpam_account_status);

	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
	debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
	    pam_strerror(sshpam_handle, sshpam_err));

where previously the hostname was set via PAM_RHOST:

	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);

So in this case the blocking is happening inside either the PAM library
or a PAM module. You can confirm this by repeating the same test but
UsePam=no. There is one other delay marked in the output where the pty
is allocated. I suspect you will still see the delay at the pty
allocation but overall it will be much faster (because sshd caches the
result of the name lookup).

I don't know why the lookups inside PAM take so long though. Can you
capture the name lookups? Either strace/truss "/path/to/sshd -D" and
pick the requests out of the output or run "tcpdump -s 1500 port 53"
while connecting. I suspect you'll find that it's either IPv6 AAAA
lookups or their inverse.
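
One way to read the capture requested above, as an added example that is not part of the original comment or of OpenSSH: it pairs each DNS query in tcpdump's text output with its reply and reports the lookups that were slow, retried or never answered. It assumes the capture was taken with -n added to the tcpdump command so addresses and ports print numerically; the sample lines, names and addresses are constructed, and slow_lookups is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample of "tcpdump -n -s 1500 port 53" output (not from the bug report).
SAMPLE = """\
08:32:50.100000 IP 192.0.2.10.41234 > 192.0.2.53.53: 1001+ PTR? 7.113.0.203.in-addr.arpa. (42)
08:32:50.102000 IP 192.0.2.53.53 > 192.0.2.10.41234: 1001 1/0/0 PTR client.example.com. (74)
08:32:50.103000 IP 192.0.2.10.41235 > 192.0.2.53.53: 1002+ A? client.example.com. (36)
08:32:50.104500 IP 192.0.2.53.53 > 192.0.2.10.41235: 1002 1/0/0 A 203.0.113.7 (52)
08:32:50.105000 IP 192.0.2.10.41235 > 192.0.2.53.53: 1003+ AAAA? client.example.com. (36)
08:32:55.110000 IP 192.0.2.10.41235 > 192.0.2.53.53: 1003+ AAAA? client.example.com. (36)
08:33:00.115000 IP 192.0.2.53.53 > 192.0.2.10.41235: 1003 ServFail 0/0/0 (36)
"""

# Query:  "<time> IP <client.port> > <server>.53: <id>+ [1au] TYPE? name. (len)"
QUERY = re.compile(r"^(\S+) IP6? (\S+) > \S+\.53: (\d+)[+%]* (?:\[\w+\] )?([A-Z]+)\? (\S+)")
# Reply:  "<time> IP <server>.53 > <client.port>: <id><flags> ..."
REPLY = re.compile(r"^(\S+) IP6? \S+\.53 > (\S+): (\d+)[*|$-]* ")


def _t(stamp):
    # tcpdump's default timestamp has no date; captures crossing midnight are not handled.
    return datetime.strptime(stamp, "%H:%M:%S.%f")


def slow_lookups(capture, threshold=1.0):
    """Return (qtype, name, seconds, attempts) for each lookup that took at
    least `threshold` seconds; seconds is None when no reply was captured."""
    pending = {}  # (client addr.port, DNS id) -> [first_seen, qtype, name, attempts]
    slow = []
    for line in capture.splitlines():
        q = QUERY.match(line)
        if q:
            ts, client, qid, qtype, name = q.groups()
            entry = pending.setdefault((client, qid), [_t(ts), qtype, name, 0])
            entry[3] += 1  # the same id seen again is a resolver retry
            continue
        r = REPLY.match(line)
        if r and (r.group(2), r.group(3)) in pending:
            first, qtype, name, attempts = pending.pop((r.group(2), r.group(3)))
            delay = (_t(r.group(1)) - first).total_seconds()
            if delay >= threshold:
                slow.append((qtype, name, round(delay, 3), attempts))
    # Anything still pending never got an answer during the capture.
    slow += [(qt, n, None, a) for _, qt, n, a in pending.values()]
    return slow


if __name__ == "__main__":
    for row in slow_lookups(SAMPLE):
        print(row)
```

An AAAA or ip6.arpa PTR entry with several attempts and a multi-second delay is the pattern the comment suspects.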