Re: sshd login

2003-01-06 Thread Daniel C. Sobral
ryan beasley wrote:


On Fri, Jan 03, 2003 at 02:54:57PM -0200, Daniel C. Sobral wrote:

>Alas, that *did* work. My first attempt (replying to another message)
>was done with wrong permissions.
>
>Question... it did not have this trouble before Dec 13, but Dec 30 it
>had (no worlds in between). The sshd_config I use is the standard one.
>So... why?


Hm, no idea.  Did you possibly change anything that'd stop the kernel
from returning ICMP port unreachables to sshd, like packet filtering on
lo0, or turning on blackhole(4), etc?  Those are the first things that'd
come to mind explaining the sudden delays as the local lookup attempts
would've begun the instant you were using OpenSSH + privilege separation
+ chroot.

Now that you mention it... This does coincide with me noticing I hadn't 
brought over the rc.sysctl I use on the other firewalls, which includes 
blackhole(4).

Ok, mystery solved. Question, though... why is it querying the reverse 
if I specifically *told* it not to?

--
Daniel C. Sobral   (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Outros:
	[EMAIL PROTECTED]
	[EMAIL PROTECTED]
	[EMAIL PROTECTED]

Uh-oh -- WHY am I suddenly thinking of a VENERABLE religious leader
frolicking on a FORT LAUDERDALE weekend?


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message


Re: sshd login

2003-01-03 Thread Daniel C. Sobral
ryan beasley wrote:


On Fri, Jan 03, 2003 at 11:57:53AM -0200, Daniel C. Sobral wrote:

>Daniel C. Sobral wrote:
>
>
>>Starting around the end of the year, sshd is taking a LONG time to
>>proceed, just a bit after the few first packets.
>
>Ok, I found the query packets, on the loopback:
>17.199.31.172.in-addr.arpa. (44)

*snip*

>Only there is no reason in hell for it to query 127.0.0.1. My
>configuration files:

*snip*

>Does anyone have suggestions?


Are you using privilege separation?  Have you always used privilege
separation?  If the answer to the first is "yes" and the second "no",
then I'm betting that it's the forked pre-auth process that's chroot'd
to /var/empty (or whatever you set the chroot dir to).  You'd need to
stick a hosts/resolv.conf in the chroot environment. (e.g.,
/var/empty/etc/resolv.conf)


Alas, that *did* work. My first attempt (replying to another message) 
was done with wrong permissions.

Question... it did not have this trouble before Dec 13, but Dec 30 it 
had (no worlds in between). The sshd_config I use is the standard one. 
So... why?

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail:	[EMAIL PROTECTED]
	[EMAIL PROTECTED]
	[EMAIL PROTECTED]





Re: sshd login

2003-01-03 Thread Daniel C. Sobral
Gregory Neil Shapiro wrote:


dcs> Ok, I found the query packets, on the loopback:

dcs> [root@piratinga root]# tcpdump -ni lo0 -s1500
dcs> tcpdump: listening on lo0
dcs> 11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
dcs> 11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
dcs> 11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)

dcs> Only there is no reason in hell for it to query 127.0.0.1.

I can't guarantee this will work, but give it a try.  Put a copy of your
resolv.conf in /var/empty/etc/ and restart sshd.


That doesn't work.

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail:	[EMAIL PROTECTED]
	[EMAIL PROTECTED]
	[EMAIL PROTECTED]






Re: sshd login

2003-01-03 Thread Gregory Neil Shapiro
dcs> Ok, I found the query packets, on the loopback:

dcs> [root@piratinga root]# tcpdump -ni lo0 -s1500
dcs> tcpdump: listening on lo0
dcs> 11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
dcs> 11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
dcs> 11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)

dcs> Only there is no reason in hell for it to query 127.0.0.1.

I can't guarantee this will work, but give it a try.  Put a copy of your
resolv.conf in /var/empty/etc/ and restart sshd.





Re: sshd login

2003-01-03 Thread Daniel C. Sobral
Daniel C. Sobral wrote:


Starting around the end of the year, sshd is taking a LONG time to
proceed, just a bit after the few first packets.


Ok, I found the query packets, on the loopback:

[root@piratinga root]# tcpdump -ni lo0 -s1500
tcpdump: listening on lo0
11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)

Only there is no reason in hell for it to query 127.0.0.1. My 
configuration files:

[root@piratinga root]# cat /etc/resolv.conf
domain intra.tcoip.com.br
nameserver 10.9.35.5
nameserver 10.0.14.20
[root@piratinga root]# cat /etc/nsswitch.conf
hosts: files dns
[root@piratinga root]# cat /etc/host.conf
# Auto-generated from nsswitch.conf, do not edit
hosts
bind

Does anyone have suggestions?

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail:	[EMAIL PROTECTED]
	[EMAIL PROTECTED]
	[EMAIL PROTECTED]
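
An added example, not part of the original thread: a Python sketch that reads the lo0 capture from the message above, maps the PTR name back to the address being resolved, and reports queries to the loopback resolver that were retransmitted without ever being answered, which is what a resolver with no usable resolv.conf looks like when nothing answers on 127.0.0.1:53. The function names and the reply-line pattern are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three lo0 capture lines from the message above, one packet per line.
CAPTURE = """\
11:54:05.602126 127.0.0.1.49202 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:10.605353 127.0.0.1.49203 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
11:54:20.611284 127.0.0.1.49204 > 127.0.0.1.53:  41012+ PTR? 17.199.31.172.in-addr.arpa. (44)
"""

# Query line shape as shown in the post; the reply shape is an assumption of this example.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) [\d.]+\.\d+ > (?P<dst>[\d.]+)\.53:"
    r"\s+(?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)
REPLY_RE = re.compile(r"^\S+ [\d.]+\.53 > [\d.]+\.\d+:\s+(?P<qid>\d+)[ *|-]")


def ptr_to_ip(qname):
    """Turn '17.199.31.172.in-addr.arpa.' back into the address being resolved."""
    labels = qname.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        raise ValueError("not an IPv4 PTR name: " + qname)
    return ".".join(reversed(labels[:4]))


def unanswered_loopback_queries(capture):
    """Map (query id, name) -> retry gaps in seconds for unanswered queries to 127/8:53."""
    sent, answered = defaultdict(list), set()
    for line in capture.splitlines():
        q = QUERY_RE.match(line)
        if q:
            if q["dst"].startswith("127."):
                sent[(q["qid"], q["qname"])].append(datetime.strptime(q["ts"], "%H:%M:%S.%f"))
            continue
        r = REPLY_RE.match(line)
        if r:
            answered.add(r["qid"])
    return {
        key: [round((b - a).total_seconds(), 1) for a, b in zip(ts, ts[1:])]
        for key, ts in sent.items()
        if key[0] not in answered and len(ts) > 1
    }


if __name__ == "__main__":
    for (qid, name), gaps in unanswered_loopback_queries(CAPTURE).items():
        print(f"id {qid}: {ptr_to_ip(name)} asked of loopback, no reply; retry gaps {gaps} s")
```

On the capture from the post, the resolved address is 172.31.199.17, the SSH client in the original packet trace, and the same query id is resent after roughly 5 and 10 seconds with no reply in between.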





sshd login

2003-01-03 Thread Daniel C. Sobral
Starting around the end of the year, sshd is taking a LONG time to 
proceed, just a bit after the few first packets.

Here:

11:25:03.624519 172.31.199.17.2058 > 172.31.199.20.22: S [tcp sum ok] 2790790408:2790790408(0) win 57344  (DF) (ttl 64, id 17561, len 60)
11:25:03.624771 172.31.199.20.22 > 172.31.199.17.2058: S [tcp sum ok] 714515882:714515882(0) ack 2790790409 win 65535  (DF) (ttl 64, id 6630, len 60)
11:25:03.624825 172.31.199.17.2058 > 172.31.199.20.22: . [tcp sum ok] 1:1(0) ack 1 win 57920  (DF) (ttl 64, id 17562, len 52)
11:25:03.627353 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1:40(39) ack 1 win 33304  (DF) (ttl 64, id 6631, len 91)
11:25:03.627677 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1:40(39) ack 40 win 57920  (DF) (ttl 64, id 17563, len 91)
11:25:03.631703 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 40:576(536) ack 40 win 33304  (DF) (ttl 64, id 6632, len 588)
11:25:03.631786 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 40:576(536) ack 576 win 57384  (DF) (ttl 64, id 17564, len 588)
11:25:03.731944 172.31.199.20.22 > 172.31.199.17.2058: . [tcp sum ok] 576:576(0) ack 576 win 33304  (DF) (ttl 64, id 6633, len 52)
11:25:03.731990 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 576:600(24) ack 576 win 57920  (DF) (ttl 64, id 17566, len 76)
11:25:03.740924 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 576:1000(424) ack 600 win 33304  (DF) (ttl 64, id 6634, len 476)
11:25:03.775190 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 600:1016(416) ack 1000 win 57920  (DF) (ttl 64, id 17567, len 468)
11:25:03.826489 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1000:1928(928) ack 1016 win 33304  (DF) (ttl 64, id 6635, len 980)
11:25:03.878175 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1016:1032(16) ack 1928 win 57920  (DF) (ttl 64, id 17570, len 68)
11:25:03.978067 172.31.199.20.22 > 172.31.199.17.2058: . [tcp sum ok] 1928:1928(0) ack 1032 win 33304  (DF) (ttl 64, id 6637, len 52)
11:25:03.978113 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1032:1080(48) ack 1928 win 57920  (DF) (ttl 64, id 17587, len 100)
11:25:03.978519 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1928:1976(48) ack 1080 win 33304  (DF) (ttl 64, id 6638, len 100)
11:25:03.978750 172.31.199.17.2058 > 172.31.199.20.22: P [tcp sum ok] 1080:1144(64) ack 1976 win 57920  (DF) (ttl 64, id 17588, len 116)
11:25:04.078627 172.31.199.20.22 > 172.31.199.17.2058: . [tcp sum ok] 1976:1976(0) ack 1144 win 33304  (DF) (ttl 64, id 6640, len 52)

At this point, ps alx shows:

    0  6609  6387   0   4  0  4004 2072 sbwait S    ??    0:00.02 /usr/sbin/sshd
   22  6610  6609   0   4  0  4076 2200 kqread S    ??    0:00.08 sshd: [net] (sshd)

and then:

    0  6609  6387   0   4  0  4004 2072 sbwait I    ??    0:00.02 /usr/sbin/sshd
   22  6610  6609   0   4  0  4076 2200 kqread S    ??    0:00.08 sshd: [net] (sshd)

It proceeds from there after a while.

11:26:19.030401 172.31.199.20.22 > 172.31.199.17.2058: P [tcp sum ok] 1976:2056(80) ack 1144 win 33304  (DF) (ttl 64, id 11691, len 132)

[etc]

Ok, this is 75 seconds, which is the common timeout for NS. Thing is...

1) No NS queries are made during this process.
2) Nothing changed in the environment, except updating FreeBSD.
3) My sshd is not configured to check for reverse.

Does anyone have any clues?

--
Daniel C. Sobral
Gerência de Operações
Divisão de Comunicação de Dados
Coordenação de Segurança
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail:	[EMAIL PROTECTED]
	[EMAIL PROTECTED]
	[EMAIL PROTECTED]





SSHD login problems

2002-12-14 Thread Marcin Dalecki
I have just right now updated to the -CURRENT branch.
Well unfortunately it appears that apparently remote ssh login to the
freebsd box is failing with the following login screen message:

sshd[480]: fatal: ssh_msg_send: write

--
	Marcin Dalecki





Re: sshd login problem

2002-07-05 Thread Bernd Walter

On Fri, Jul 05, 2002 at 03:29:13PM +0200, Dag-Erling Smorgrav wrote:
> Bernd Walter <[EMAIL PROTECTED]> writes:
> > cicely10 is an alpha running -current from 3. Jul.
> > The kernel is a day younger.
> 
> What does 'ident /usr/sbin/sshd | grep monitor' say?

[51]cicely10> ident /usr/sbin/sshd | grep monitor
 $OpenBSD: monitor_mm.c,v 1.6 2002/06/04 23:05:49 markus Exp $
 $OpenBSD: monitor.c,v 1.18 2002/06/26 13:20:57 deraadt Exp $
 $FreeBSD: src/crypto/openssh/monitor.c,v 1.7 2002/07/02 13:07:17 des Exp $

-- 
B.Walter  COSMO-Project http://www.cosmo-project.de
[EMAIL PROTECTED] Usergroup   [EMAIL PROTECTED]





Re: sshd login problem

2002-07-05 Thread Dag-Erling Smorgrav

Bernd Walter <[EMAIL PROTECTED]> writes:
> cicely10 is an alpha running -current from 3. Jul.
> The kernel is a day younger.

What does 'ident /usr/sbin/sshd | grep monitor' say?

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]
