Resolving error

Kevin DeGraaf kevin at kevindegraaf.net
Thu Dec 27 14:07:47 EST 2001


OpenSSH gurus:

Apologies if this has been covered already (or is a genuine FAQ).  I've
searched both Google and MARC extensively on this issue, and have come up
empty.

I use OpenSSH 3.0.2p1 (openssl-0.9.6c) on a group of Linux (Slackware 8.0,
kernel 2.4.13, glibc 2.2.3) machines that have this in /etc/hosts:

10.1.1.2  s1  s1.[domain].com
...
10.1.1.6  s5  s5.[domain].com

This is in /etc/host.conf:
  order hosts, bind

This is in /etc/nsswitch.conf:
  hosts:    files dns

This is in /etc/resolv.conf:
  domain [domain].com
  nameserver 127.0.0.1

If I ssh from one of these servers to another using IP addresses, the
connection takes place in milliseconds (they are 1 GHz, 1 GB RAM machines
with 100-base-TX switched Ethernet).  However, trying to ssh using a
hostname (e.g. "s1" or "s1.[domain].com") results in a five-second delay
before successful authentication takes place.

Running strace on the ssh command indicates that:

1. /etc/nsswitch.conf is read.
2. /etc/passwd, group, and services are read.
3. /etc/resolv.conf is read.
4. /etc/host.conf is read.
5. /etc/hosts is read.
6. Multiple DNS queries are made to my nameserver (127.0.0.1).
7. /etc/resolv.conf is read again.
8. ssh finally has the correct IP address and begins a key-auth
dialogue that works without error.

Every UNIX networking program I know of (e.g. telnet, ftp, ping) obeys
either host.conf or nsswitch.conf, which in my case both clearly state
that /etc/hosts should be consulted before a DNS lookup is performed.
But OpenSSH seems to ignore the host data it reads in step 5, consulting
my DNS servers instead.

(This is a problem because my local resolver, DJB's dnscache, follows the
delegation for s[1-5].[domain].com all the way to the authoritative
nameservers, which are s5 and s1; all the servers are NAT'ed behind a PIX,
rendering them inaccessible to each other via their external addresses.)

This delay is annoying, and wouldn't happen if OpenSSH read /etc/hosts and
used that data, as it should.

--
Kevin DeGraaf
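As an added example that is not part of Kevin's post or of the OpenSSH code base, the script below reproduces the "files" lookup that the nsswitch.conf/host.conf order described above performs on an /etc/hosts-style file, checks that "files" really is listed first for hosts, and then times the resolver and the two ssh variants (by IP, by name) separately, so the five-second delay can be pinned on one stage rather than guessed at from a full strace. It assumes a glibc system with getent and awk, uses example.com in place of the elided [domain].com, and takes the hosts and nsswitch files as parameters so it can be run against copies; the strace line in the comment is the ordinary way to see the queries that step 6 of the post refers to.

```shell
#!/bin/sh
# Added diagnostic for "ssh by IP is fast, ssh by hostname is slow" (example
# code, not from the original post). Functions take file paths as parameters so
# they can be pointed at /etc/hosts and /etc/nsswitch.conf or at copies.
#
# To see whether the client still talks to port 53 after reading /etc/hosts,
# the same thing the post observed in step 6, run (assumed standard strace usage):
#   strace -f -e trace=network ssh s1 true 2>&1 | grep -E 'connect|sendto'

# hosts_lookup HOSTS_FILE NAME -> prints the address for NAME from an
# /etc/hosts-style file (first match wins, comments ignored); exit 1 if absent.
hosts_lookup() {
    hosts_file=$1; name=$2
    awk -v name="$name" '
        { sub(/#.*/, "") }                  # strip trailing comments
        NF < 2 { next }                     # skip blank or malformed lines
        { for (i = 2; i <= NF; i++)
              if ($i == name) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$hosts_file"
}

# nss_hosts_order NSSWITCH_FILE -> prints the source list of the "hosts:" line,
# e.g. "files dns"; prints nothing if there is no hosts: line.
nss_hosts_order() {
    awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# diagnose HOSTS_FILE NSSWITCH_FILE NAME -> 0 if NAME is answered by the files
# source, i.e. any DNS traffic seen while connecting to NAME is the client
# going beyond what /etc/hosts already answered; 1 if a DNS query is expected.
diagnose() {
    hosts_file=$1; nss_file=$2; name=$3
    order=$(nss_hosts_order "$nss_file")
    echo "nsswitch hosts order: ${order:-<none>}"
    case "$order" in
        files*) ;;
        *) echo "WARNING: 'files' is not the first hosts source" ;;
    esac
    if addr=$(hosts_lookup "$hosts_file" "$name"); then
        echo "$name is in $hosts_file as $addr; no DNS query is needed"
        return 0
    fi
    echo "$name is NOT in $hosts_file; a DNS query is expected"
    return 1
}

# time_cmd LABEL CMD... -> runs CMD silently, prints whole seconds elapsed and
# the exit status (plain POSIX date, no GNU %N), returns CMD's status.
time_cmd() {
    label=$1; shift
    start=$(date +%s)
    "$@" >/dev/null 2>&1
    status=$?
    end=$(date +%s)
    echo "$label: $((end - start))s (exit $status)"
    return $status
}

# compare_times NAME ADDR -> times the resolver alone, then ssh by address and
# ssh by name. A slow third line with a fast first line means the delay is
# inside ssh's own handling of the name, not in the system resolver.
compare_times() {
    name=$1; addr=$2
    time_cmd "getent hosts $name" getent hosts "$name"
    time_cmd "ssh $addr"          ssh -o BatchMode=yes "$addr" true
    time_cmd "ssh $name"          ssh -o BatchMode=yes "$name" true
    return 0
}

# Usage: ./diag.sh /etc/hosts /etc/nsswitch.conf s1
if [ "${3-}" ]; then
    if diagnose "$1" "$2" "$3"; then
        compare_times "$3" "$(hosts_lookup "$1" "$3")"
    fi
fi
```

Run it against the real files once by name and once by address; on the setup in the post, the resolver and by-IP lines should be near zero seconds while the by-name line carries the delay, which is the symptom the post describes.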




More information about the openssh-unix-dev mailing list