Re: sshd login
ryan beasley wrote:
> On Fri, Jan 03, 2003 at 02:54:57PM -0200, Daniel C. Sobral wrote:
> >Alas, that *did* work. My first attempt (replying to another message)
> >was done with wrong permissions.
> >
> >Question... it did not have this trouble before Dec 13, but Dec 30 it
> >had (no worlds in between). The sshd_config I use is the standard one.
> >So... why?
>
> Hm, no idea. Did you possibly change anything that'd stop the kernel
> from returning ICMP port unreachables to sshd, like packet filtering on
> lo0, or turning on blackhole(4), etc? Those are the first things that'd
> come to mind explaining the sudden delays as the local lookup attempts
> would've begun the instant you were using OpenSSH + privilege separation
> + chroot.

Now that you mention it... This does coincide with me noticing I hadn't brought over the rc.sysctl I use on the other firewalls, which includes blackhole(4).

Ok, mystery solved. Question, though... why is it querying the reverse if I specifically *told* it not to?

--
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Outros: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

Uh-oh -- WHY am I suddenly thinking of a VENERABLE religious leader frolicking on a FORT LAUDERDALE weekend?

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: sshd login
ryan beasley wrote:
> On Fri, Jan 03, 2003 at 11:57:53AM -0200, Daniel C. Sobral wrote:
> >Daniel C. Sobral wrote:
> >
> >>Starting around the end of the year, sshd is taking a LONG time to
> >>proceed, just a bit after the few first packets.
> >
> >Ok, I found the query packets, on the loopback:
> >17.199.31.172.in-addr.arpa. (44)
>
> *snip*
>
> >Only there is no reason in hell for it to query 127.0.0.1. My
> >configuration files:
>
> *snip*
>
> >Anyone has suggestions?
>
> Are you using privilege separation? Have you always used privilege
> separation? If the answer to the first is "yes" and the second "no",
> then I'm betting that it's the forked pre-auth process that's chroot'd
> to /var/empty (or whatever you set the chroot dir to). You'd need to
> stick a hosts/resolv.conf in the chroot environment. (e.g.,
> /var/empty/etc/resolv.conf)

Alas, that *did* work. My first attempt (replying to another message) was done with wrong permissions.

Question... it did not have this trouble before Dec 13, but Dec 30 it had (no worlds in between). The sshd_config I use is the standard one. So... why?

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
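Added example, not part of any message in this thread: the diagnosis above (a chroot'd pre-auth sshd that cannot read resolv.conf, so the resolver uses its default of the local host) can be checked against the capture itself. The input is the tcpdump output and resolv.conf posted in the thread; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input copied from the capture and resolv.conf quoted in this thread.
CAPTURE = """\
11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53: 41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53: 41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53: 41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
"""
RESOLV_CONF = """\
domain intra.tcoip.com.br
nameserver 10.9.35.5
nameserver 10.0.14.20
"""

# tcpdump -n DNS query line: time, src.port > dst.53: id[+] TYPE? name
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ > (?P<dst>[\d.]+)\.53: "
    r"(?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+)"
)

def nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text."""
    out = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            out.append(fields[1])
    return out

def diagnose(capture, resolv_conf):
    """Group DNS queries by (server, id, name) and flag suspicious ones."""
    configured = set(nameservers(resolv_conf))
    seen = {}
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            seen.setdefault((m["dst"], m["qid"], m["name"]), []).append(ts)
    findings = []
    for (server, qid, name), times in seen.items():
        gaps = [round((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        findings.append({
            "server": server, "name": name, "attempts": len(times),
            "retry_gaps_s": gaps,  # same ID re-sent: earlier tries got no answer
            # not in resolv.conf: resolver likely fell back to its local-host default
            "server_not_configured": server not in configured,
        })
    return findings
```

On the thread's data this reports three attempts to 127.0.0.1 with growing retry gaps and a server that is not one of the configured nameservers, which matches a resolver running without a readable resolv.conf and a local port 53 that never answers.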
Re: sshd login
Gregory Neil Shapiro wrote:
> dcs> Ok, I found the query packets, on the loopback:
>
> dcs> [root@piratinga root]# tcpdump -ni lo0 -s1500
> dcs> tcpdump: listening on lo0
> dcs> 11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53: 41012+ PTR?
> dcs> 17.199.31.172.in-addr.arpa. (44)
> dcs> 11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53: 41012+ PTR?
> dcs> 17.199.31.172.in-addr.arpa. (44)
> dcs> 11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53: 41012+ PTR?
> dcs> 17.199.31.172.in-addr.arpa. (44)
>
> dcs> Only there is no reason in hell for it to query 127.0.0.1.
>
> I can't guarantee this will work, but give it a try. Put a copy of your
> resolv.conf in /var/empty/etc/ and restart sshd.

That doesn't work.

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: sshd login
dcs> Ok, I found the query packets, on the loopback:

dcs> [root@piratinga root]# tcpdump -ni lo0 -s1500
dcs> tcpdump: listening on lo0
dcs> 11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53: 41012+ PTR?
dcs> 17.199.31.172.in-addr.arpa. (44)
dcs> 11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53: 41012+ PTR?
dcs> 17.199.31.172.in-addr.arpa. (44)
dcs> 11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53: 41012+ PTR?
dcs> 17.199.31.172.in-addr.arpa. (44)

dcs> Only there is no reason in hell for it to query 127.0.0.1.

I can't guarantee this will work, but give it a try. Put a copy of your resolv.conf in /var/empty/etc/ and restart sshd.
Re: sshd login
Daniel C. Sobral wrote:
> Starting around the end of the year, sshd is taking a LONG time to
> proceed, just a bit after the few first packets.

Ok, I found the query packets, on the loopback:

[root@piratinga root]# tcpdump -ni lo0 -s1500
tcpdump: listening on lo0
11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53: 41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53: 41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53: 41012+ PTR? 17.199.31.172.in-addr.arpa. (44)

Only there is no reason in hell for it to query 127.0.0.1. My configuration files:

[root@piratinga root]# cat /etc/resolv.conf
domain intra.tcoip.com.br
nameserver 10.9.35.5
nameserver 10.0.14.20
[root@piratinga root]# cat /etc/nsswitch.conf
hosts: files dns
[root@piratinga root]# cat /etc/host.conf
# Auto-generated from nsswitch.conf, do not edit
hosts
bind

Anyone has suggestions?

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
sshd login
Starting around the end of the year, sshd is taking a LONG time to proceed, just a bit after the few first packets. Here:

11:25:03.624519 172.31.199.17.2058 > 172.31.199.20.22: S [tcp sum ok] 2790790408:2790790408(0) win 57344 (DF) (ttl 64, id 17561, len 60)
11:25:03.624771 172.31.199.20.22 > 172.31.199.17.2058: S [tcp sum ok] 714515882:714515882(0) ack 2790790409 win 65535 (DF) (ttl 64, id 6630, len 60)
11:25:03.624825 172.31.199.17.2058 > 172.31.199.20.22: . [tcp sum ok] 1:1(0) ack 1 win 57920 (DF) (ttl 64, id 17562, len 52)
11:25:03.627353 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1:40(39) ack 1 win 33304 (DF) (ttl 64, id 6631, len 91)
11:25:03.627677 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1:40(39) ack 40 win 57920 (DF) (ttl 64, id 17563, len 91)
11:25:03.631703 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 40:576(536) ack 40 win 33304 (DF) (ttl 64, id 6632, len 588)
11:25:03.631786 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 40:576(536) ack 576 win 57384 (DF) (ttl 64, id 17564, len 588)
11:25:03.731944 172.31.199.20.22 > 172.31.199.17.2058: . [tcp sum ok] 576:576(0) ack 576 win 33304 (DF) (ttl 64, id 6633, len 52)
11:25:03.731990 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 576:600(24) ack 576 win 57920 (DF) (ttl 64, id 17566, len 76)
11:25:03.740924 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 576:1000(424) ack 600 win 33304 (DF) (ttl 64, id 6634, len 476)
11:25:03.775190 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 600:1016(416) ack 1000 win 57920 (DF) (ttl 64, id 17567, len 468)
11:25:03.826489 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1000:1928(928) ack 1016 win 33304 (DF) (ttl 64, id 6635, len 980)
11:25:03.878175 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1016:1032(16) ack 1928 win 57920 (DF) (ttl 64, id 17570, len 68)
11:25:03.978067 172.31.199.20.22 > 172.31.199.17.2058: . [tcp sum ok] 1928:1928(0) ack 1032 win 33304 (DF) (ttl 64, id 6637, len 52)
11:25:03.978113 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1032:1080(48) ack 1928 win 57920 (DF) (ttl 64, id 17587, len 100)
11:25:03.978519 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1928:1976(48) ack 1080 win 33304 (DF) (ttl 64, id 6638, len 100)
11:25:03.978750 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1080:1144(64) ack 1976 win 57920 (DF) (ttl 64, id 17588, len 116)
11:25:04.078627 172.31.199.20.22 > 172.31.199.17.2058: . [tcp sum ok] 1976:1976(0) ack 1144 win 33304 (DF) (ttl 64, id 6640, len 52)

At this point, ps alx shows:

 0 6609 6387 0 4 0 4004 2072 sbwait S ?? 0:00.02 /usr/sbin/sshd
22 6610 6609 0 4 0 4076 2200 kqread S ?? 0:00.08 sshd: [net] (sshd)

and then:

 0 6609 6387 0 4 0 4004 2072 sbwait I ?? 0:00.02 /usr/sbin/sshd
22 6610 6609 0 4 0 4076 2200 kqread S ?? 0:00.08 sshd: [net] (sshd)

It proceeds from there after a while.

11:26:19.030401 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1976:2056(80) ack 1144 win 33304 (DF) (ttl 64, id 11691, len 132)
[etc]

Ok, this is 75 seconds, which is the common timeout for NS. Thing is...

1) No NS queries are made during this process.
2) Nothing changed in the environment, except updating FreeBSD.
3) My sshd is not configured to check for reverse.

Anyone has any clues?

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
SSHD login problems
I have just right now updated to the -CURRENT branch. Well unfortunately it appears that apparently remote ssh login to the freebsd box is failing with the following login screen message:

sshd[480]: fatal: ssh_msg_send: write

--
Marcin Dalecki
Re: sshd login problem
On Fri, Jul 05, 2002 at 03:29:13PM +0200, Dag-Erling Smorgrav wrote:
> Bernd Walter <[EMAIL PROTECTED]> writes:
> > cicely10 is an alpha running -current from 3. Jul.
> > The kernel is a day younger.
>
> What does 'ident /usr/sbin/sshd | grep monitor' say?

[51]cicely10> ident /usr/sbin/sshd | grep monitor
$OpenBSD: monitor_mm.c,v 1.6 2002/06/04 23:05:49 markus Exp $
$OpenBSD: monitor.c,v 1.18 2002/06/26 13:20:57 deraadt Exp $
$FreeBSD: src/crypto/openssh/monitor.c,v 1.7 2002/07/02 13:07:17 des Exp $

--
B.Walter COSMO-Project http://www.cosmo-project.de
[EMAIL PROTECTED] Usergroup [EMAIL PROTECTED]
Re: sshd login problem
Bernd Walter <[EMAIL PROTECTED]> writes:
> cicely10 is an alpha running -current from 3. Jul.
> The kernel is a day younger.

What does 'ident /usr/sbin/sshd | grep monitor' say?

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]