
sshd behaviour - FreeBSD


  1. #1

    sshd behaviour

    Hi. I see behaviour of sshd that is strange to me. Please tell me,
    is it a bug or a feature?

    I use the following network configuration:

    #######    ###########    ##########
    # LAN # -> # gateway # -> # router #
    #######    ###########    ##########

    The gateway machine has sshd. Normally I work from the LAN on the
    gateway fine. But when the connection to the provider's router is
    broken:

    #######    ###########     ##########
    # LAN # -> # gateway # -X-> # router #
    #######    ###########     ##########

    I can't log in from the LAN to the gateway. Moreover, I can't log in
    from the gateway to itself using the loopback interface. But other
    network services work fine. For example, I can do
    # telnet gateway 25
    from the LAN.

    The provider's router is the default router in /etc/rc.conf.

    --
    Sensory yours, Eugene Minkovskii

  2. #2

    Re: sshd behaviour

    On Wed, 16 Mar 2005 10:41:09 +0300
    "Eugene M. Minkovskii" <ru> wrote:
     

    I've seen this same behavior on a 5.3 server when Bind crashes/gets
    messed up by cPanel. I suspect the problem is ssh trying to do a reverse
    DNS lookup, which doesn't time out until the login has timed out as well.
    In my case I can see a fast response from the server if I telnet to it
    on port 22, but I never get the password prompt. The logfiles also show
    login timeouts when I'm finally able to log in again.

    You might try setting "UseDNS no" in /etc/ssh/sshd_config. I believe
    this will still make it record the IP used for login, but it won't try
    to do a reverse DNS lookup on the IP.

    HTH,
    Jacob

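The "UseDNS no" change suggested in the reply above, as an added example that is not part of the thread: a small POSIX sh helper that sets a global sshd_config keyword from a script without leaving duplicate or misplaced lines. The file path and the sample sshd_config contents are constructed for the demo; the helper names (set_sshd_option, get_sshd_option, count_global_active, make_sample_cfg) are this example's own, not anything shipped with OpenSSH or FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the thread: set a global sshd_config keyword
# (here UseDNS) idempotently from a script. Two sshd parsing rules shape it:
#   1. the FIRST active occurrence of a keyword wins, so the new line is put
#      at the top of the file and any older active global copy is dropped;
#   2. everything after a "Match" line is conditional, so lines inside Match
#      blocks are left alone (blindly appending to the end of the file would
#      land inside the last Match block).
# Commented-out lines such as "#UseDNS yes" are kept as documentation.
# Portable POSIX sh + awk; works on FreeBSD and Linux alike.
set -eu

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# set_sshd_option <file> <Keyword> <value>
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp=$(mktemp "${cfg}.XXXXXX")       # same directory, so mv is atomic
    cp -p "$cfg" "$tmp"                 # keep the original owner and mode
    awk -v key="$key" -v lkey="$(lower "$key")" -v val="$val" '
        BEGIN { print key " " val }     # new global line; first wins
        {
            act = tolower($0); sub(/^[ \t]*/, "", act)
            if (act ~ /^match([ \t]|$)/) in_match = 1
            if (!in_match && act ~ ("^" lkey "[ \t=]")) next   # old global copy
            print
        }' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# get_sshd_option <file> <Keyword>: print the effective global value
# (first active occurrence before any Match block), or nothing if unset.
get_sshd_option() {
    awk -v lkey="$(lower "$2")" '
        {
            act = tolower($0); sub(/^[ \t]*/, "", act)
            if (act ~ /^match([ \t]|$)/) exit          # global section ends here
            if (act ~ ("^" lkey "[ \t=]")) {
                v = $0
                sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", v)   # strip the keyword
                sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# count_global_active <file> <Keyword>: how many active global copies exist
count_global_active() {
    awk -v lkey="$(lower "$2")" '
        {
            act = tolower($0); sub(/^[ \t]*/, "", act)
            if (act ~ /^match([ \t]|$)/) exit
            if (act ~ ("^" lkey "[ \t=]")) n++
        }
        END { print n + 0 }' "$1"
}

# make_sample_cfg: write a constructed sshd_config (not a real system file)
# to a temp file and print its path.
make_sample_cfg() {
    f=$(mktemp /tmp/sshd_config.XXXXXX)
    cat > "$f" <<'EOF'
# constructed sample sshd_config
Port 22
#UseDNS yes
UseDNS yes
Match User backup
    X11Forwarding no
EOF
    printf '%s\n' "$f"
}

# Demo: apply the change twice to show it stays at exactly one active line.
demo_cfg=$(make_sample_cfg)
set_sshd_option "$demo_cfg" UseDNS no
set_sshd_option "$demo_cfg" UseDNS no
printf 'effective UseDNS: %s (%s active global line(s))\n' \
    "$(get_sshd_option "$demo_cfg" UseDNS)" "$(count_global_active "$demo_cfg" UseDNS)"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

On a real host, run `sshd -t` after the edit (it exits non-zero on a syntax error) and then reload the daemon (`/etc/rc.d/sshd reload` on FreeBSD) so running sessions are not dropped. Two caveats from sshd_config(5): with UseDNS set to no, only addresses, not host names, can be used in `from=` patterns in authorized_keys and in Match Host directives; and OpenSSH 6.8 and later already default UseDNS to no, so the lookup hang described in this thread is no longer the default behaviour on current systems.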
  3. #3

    Re: sshd behaviour

    On Wed, Mar 16, 2005 at 10:41:09AM +0300, Eugene M. Minkovskii wrote: 

    As another poster mentioned, the problem is likely related to DNS, and I
    have experienced it as well. If you are using Privilege Separation,
    then an sshd process will chroot itself into /var/empty before
    performing authentication. /var/empty is itself usually empty. One
    thing you can do is to make the dir /var/empty/etc and then drop a copy
    of your /etc/hosts file into the newly created /var/empty/etc/
    directory. You might want to make sure that the hosts file contains a
    mapping to the LAN machines which you want to ssh from.

    Keep in mind that /var/empty has the schg flag set, so you won't be able
    to copy anything to it without disabling this first. See more at `man
    chflags`. Try something like this:

    # chflags -R noschg /var/empty
    # mkdir /var/empty/etc
    # cp /etc/hosts /var/empty/etc
    # chflags -R schg /var/empty

    This will likely clear up your problem.

    Nathan


  4. #4

    Re: sshd behaviour

    On Wed, Mar 16, 2005 at 10:00:44AM -0600, Nathan Kinkade wrote:
    "
    " As another poster mentioned, the problem is likely related to DNS, and I
    " have experienced it as well. If you are using Privilege Separation,
    " then an sshd process will chroot itself into /var/empty before
    " performing authentication. /var/empty is itself usually empty. One
    " thing you can do is to make the dir /var/empty/etc and then drop a copy
    " of your /etc/hosts file into the newly created /var/empty/etc/
    " directory. You might want to make sure that the hosts file contains a
    " mapping to the LAN machines which you want to ssh from.
    "
    " Keep in mind that /var/empty has the schg flag set, so you won't be able
    " to copy anything to it without disabling this first. See more at `man
    " chflags`. Try something like this:
    "
    " # chflags -R noschg /var/empty
    " # mkdir /var/empty/etc
    " # cp /etc/hosts /var/empty/etc
    " # chflags -R schg /var/empty
    "
    " This will likely clear up your problem.
    "
    " Nathan

    Thank you, Nathan. Can I put a soft link into /var/empty/etc (this
    is a cross-device link, and I can't put a hard link in it)? And do I
    really need the -R key in the last command which you recommended? This
    means that the directory /var/empty/etc has the schg flag too. Is it
    necessary?

    --
    Sensory yours, Eugene Minkovskii

  5. #5

    Re: sshd behaviour

    On Wed, Mar 16, 2005 at 08:04:48PM +0300, Eugene M. Minkovskii wrote: 

    From `man sshd`:

    /var/empty
    chroot(2) directory used by sshd during privilege separation in the
    pre-authentication phase. The directory should not contain any files
    and must be owned by root and not group or world-writable.

    I assume you can follow these rules. The noschg flags may be something
    that the FreeBSD developers decided to do for added security, and I
    don't see any practical reason to alter it. Regarding soft/hard links
    in the chrooted dir, I don't know if that would work. I suspect no, as
    it would somewhat defeat the purpose of the chroot. Cross-device link
    error: hard links will only work within a single filesystem, not across
    multiple filesystems.

    Nathan

