From winfried@mizantrop.expro.pl  Mon Jul 22 12:39:28 2002
Return-Path: <winfried@mizantrop.expro.pl>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3ED0C37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Jul 2002 12:39:28 -0700 (PDT)
Received: from mizantrop.expro.pl (int.expro.pl [217.96.124.111])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 356DD43E31
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Jul 2002 12:39:25 -0700 (PDT)
	(envelope-from winfried@mizantrop.expro.pl)
Received: (from winfried@localhost)
	by mizantrop.expro.pl (8.11.6/8.11.6) id g6MJcrG00471;
	Mon, 22 Jul 2002 21:38:53 +0200 (CEST)
	(envelope-from winfried)
Message-Id: <200207221938.g6MJcrG00471@mizantrop.expro.pl>
Date: Mon, 22 Jul 2002 21:38:53 +0200 (CEST)
From: Jan Srzednicki <winfried@expro.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: OpenSSH weird delays
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         40894
>Category:       bin
>Synopsis:       OpenSSH weird delays
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 22 12:40:04 PDT 2002
>Closed-Date:    Mon Feb 10 02:54:34 PST 2003
>Last-Modified:  Mon Feb 10 02:54:34 PST 2003
>Originator:     Jan Srzednicki
>Release:        FreeBSD 4.6.1-RELEASE i386
>Organization:
expro.pl
>Environment:
System: FreeBSD mizantrop 4.6.1-RELEASE FreeBSD i386


	
>Description:

I've noticed some strange behaviour of recent versions of OpenSSH sshd
daemon.  When I turn the UDP blackhole on (sysctl
net.inet.udp.blackhole=1) and try to ssh to a given machine, the
connection stops on:

(..)
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT

After some time (IE, after _some_ timeout) it continues to the
authentication stuff and everything works as it should. I find this
delay pretty iritating. It touched me that it only happens on machines
on which I don't have named running.. I tcpdumped lo0 on such machine
and that's what I got:

20:48:42.738508 10.0.1.2.1064 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738729 10.0.1.2.1065 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738833 10.0.1.2.1066 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
20:48:42.738930 10.0.1.2.1067 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)

Well, well.

[21:05] mizantrop:~(8)# cat /etc/resolv.conf
nameserver 10.0.1.10
nameserver 10.0.1.11

But.. of course. It doesn't happen when I turn off the
UsePrivilegeSeparation. chroot()ed unprivileged process does not have
access to /etc/resolv.conf, so it tries to ask on local interface.. and
waits for a timeout. 
	
>How-To-Repeat:

sysctl net.inet.udp.blackhole=1
Configure sshd to use privilege separation.

Set nameservers for this machine. Kill named or any DNS cache daemon, if
needed. Launch sshd. And then try to ssh to this host. tcpdump on lo0
for proof that sshd sends RevDNS queries to localhost.
	
>Fix:

A simple solution would be just creating etc/resolv.conf in the
chroot()ed environment or to force sshd not to check RevDNS when in
privilege separation mode. Or maybe we should pass the value of
/etc/resolv.conf to the unprivileged process before chroot(), and then
force it to use these rather then default /etc/resolv.conf?
	


>Release-Note:
>Audit-Trail:

From: Peter Pentchev <roam@ringlet.net>
To: Jan Srzednicki <winfried@expro.pl>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/40894: OpenSSH weird delays
Date: Tue, 23 Jul 2002 11:02:36 +0300

 On Mon, Jul 22, 2002 at 09:38:53PM +0200, Jan Srzednicki wrote:
 > 
 > >Number:         40894
 > >Category:       bin
 > >Synopsis:       OpenSSH weird delays
 > >Originator:     Jan Srzednicki
 > >Release:        FreeBSD 4.6.1-RELEASE i386
 > >Description:
 > 
 > I've noticed some strange behaviour of recent versions of OpenSSH sshd
 > daemon.  When I turn the UDP blackhole on (sysctl
 > net.inet.udp.blackhole=1) and try to ssh to a given machine, the
 > connection stops on:
 [snip]
 > 
 > 20:48:42.738508 10.0.1.2.1064 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
 > 20:48:42.738729 10.0.1.2.1065 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
 > 20:48:42.738833 10.0.1.2.1066 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
 > 20:48:42.738930 10.0.1.2.1067 > 10.0.1.2.53:  4817+ PTR? 2.1.0.10.in-addr.arpa. (39)
 > 
 > Well, well.
 > 
 > [21:05] mizantrop:~(8)# cat /etc/resolv.conf
 > nameserver 10.0.1.10
 > nameserver 10.0.1.11
 > 
 > But.. of course. It doesn't happen when I turn off the
 > UsePrivilegeSeparation. chroot()ed unprivileged process does not have
 > access to /etc/resolv.conf, so it tries to ask on local interface.. and
 > waits for a timeout. 
 
 How is this 'strange'? :)  You seem to have found the reason for the
 delays yourself.  From there, it is only a little step to the idea of
 copying your /etc/resolv.conf into the privilege separation's tree; that
 is, mkdir -p /var/empty/etc && cp -p /etc/resolv.conf /var/empty/etc/
 
 Does this help?
 
 G'luck,
 Peter
 
 -- 
 Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
 PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 This sentence claims to be an Epimenides paradox, but it is lying.

From: Jan Srzednicki <winfried@expro.pl>
To: Peter Pentchev <roam@ringlet.net>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/40894: OpenSSH weird delays
Date: Fri, 26 Jul 2002 00:51:27 +0200 (CEST)

 On Tue, 23 Jul 2002, Peter Pentchev wrote:
 
 > > But.. of course. It doesn't happen when I turn off the
 > > UsePrivilegeSeparation. chroot()ed unprivileged process does not have
 > > access to /etc/resolv.conf, so it tries to ask on local interface.. and
 > > waits for a timeout. 
 > 
 > How is this 'strange'? :)
 
 OK, it was strange at first. Now it does not seem strange.
 
 > You seem to have found the reason for the
 > delays yourself.  From there, it is only a little step to the idea of
 > copying your /etc/resolv.conf into the privilege separation's tree; that
 > is, mkdir -p /var/empty/etc && cp -p /etc/resolv.conf /var/empty/etc/
 > 
 > Does this help?
 
 Yes.
 But it's rather tricky thing, so my suggestion is to turn IP resolving off
 whenever UsePrivilegeSeparation is on. Or maybe I should write to the
 OpenSSH developpers directly about that?
 
 -- 
 Jan 'Winfried' Srzednicki
 winfried@expro.pl
 
 

From: Jan Srzednicki <winfried@expro.pl>
To: Peter Pentchev <roam@ringlet.net>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/40894: OpenSSH weird delays
Date: Sun, 28 Jul 2002 17:25:58 +0200 (CEST)

 On Tue, 23 Jul 2002, Peter Pentchev wrote:
 
 This has been fixed in:
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=39953
 
 Merging the ports patch into -STABLE would be nice.
 
 -- 
 Jan 'Winfried' Srzednicki
 winfried@expro.pl
 
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: roam 
Responsible-Changed-When: Wed Jan 22 02:11:17 PST 2003 
Responsible-Changed-Why:  
Over to our OpenSSH maintainer; as noted in a follow-up, this problem 
has already been fixed in the security/openssh* ports in another PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40894 
State-Changed-From-To: open->feedback 
State-Changed-By: des 
State-Changed-When: Wed Jan 22 06:14:48 PST 2003 
State-Changed-Why:  
Fixed in -CURRENT, will be fixed in -STABLE before 4.8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40894 
State-Changed-From-To: feedback->closed 
State-Changed-By: des 
State-Changed-When: Mon Feb 10 02:54:33 PST 2003 
State-Changed-Why:  
Fixed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40894 
>Unformatted:
