Hi All, I'm Kendell, and I'm new to the list.

I've been working on an SSH VPN client. I've noticed a possible glitch/bug with OpenSSH on various platforms (Linux and various BSD, but Windows seems to be OK for some reason.)

The SSH VPN client can configure SSH tunnels using DNS names instead of IP addresses. It seems that if the client "rapidly" configures a number of tunnels using DNS names instead of IP addy's (say, 5-10 tunnels,) sshd hangs for a minute or more. Eventually sshd "comes back", but in the meantime, no terminal interaction or any other SSH traffic is sent from the server (based on Ethereal observation.)

We put sshd into debug mode, and saw the hang was during DNS lookups. A colleague found that running sshd with the -4 option made the problem "go away" (this option forces sshd to run only in IPv4 mode...I think.)

The problem manifests itself (at least on Linux) even if the Kernel is compiled with IPv6 support.

Is there possibly some problem with support for IP and/or DNS lookup for SSH tunnels?

My team and I are available for any questions regarding reproducing the problem, and/or other assistance.

Thanks!
Kendell Welch
Vast Range Security
http://www.vastrange.com/

P.S. For those of you with Windows 2K/XP, the problem can be demonstrated by using the free-trial version of Safe Passage from:
http://www.vastrange.com/
Kendell Welch wrote:
> Hi All, I'm Kendell, and I'm new to the list.
>
> I've been working on an SSH VPN client. I've noticed a possible
> glitch/bug with OpenSSH on various platforms (Linux and various BSD, but
> Windows seems to be OK for some reason.)

Which Linux distributions/versions, which BSDs, which versions of OpenSSH compiled with which options?

> The SSH VPN client can configure SSH tunnels using DNS names instead of IP
> addresses. It seems that if the client "rapidly" configures a number of
> tunnels using DNS names instead of IP addy's (say, 5-10 tunnels,) sshd
> hangs for a minute or more. Eventually sshd "comes back", but in the mean
> time, no terminal interaction or any other SSH traffic is sent from the
> server (based on Ethereal observation.)

It sounds like getaddrinfo() is blocking. Some glibc's are known to take a long time to resolve IPv4 or IPv6 addresses: http://www.openssh.com/faq.html#3.3.

> We put sshd into debug mode, and saw the hang was during DNS lookups. A
> colleague found that running sshd with the -4 option made the problem "go
> away" (this option forces sshd to run only in IPv4 mode...I think.)

[...]

> P.S. For those of you with Windows 2K/XP, the problem can be demonstrated
> by using the free-trial version of Safe Passage from:
> http://www.vastrange.com/

The features for this list "Works with any SSH Server account with no special configurations" and "Securely encrypts any TCP/IP or DNS traffic via SSH keeping your transferred data safe and private." Does this mean that UDP is not supported? It sounds like you're mapping connect() calls (and/or the Winsock equivalent) into direct-tcpip channel requests?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
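To make the getaddrinfo() diagnosis above concrete, here is an added timing harness (not code from this thread, from OpenSSH, or from the Safe Passage client) that resolves a host with AF_UNSPEC, which asks the resolver for both A and AAAA records as a default sshd does, and again with AF_INET, which is what sshd -4 restricts itself to. It also shows the two defensive patterns a tunnel endpoint can apply: recognising IP literals with AI_NUMERICHOST so no lookup is made at all, and running the lookup on a worker thread with a deadline so a stuck resolver cannot stall every other channel. The hostnames in the sample run are constructed, and the diagnostic thresholds are assumptions.

```python
"""Timing harness: getaddrinfo() with AF_UNSPEC (default) vs AF_INET (sshd -4)."""
import socket
import threading
import time


def timed_resolve(host, port, family=socket.AF_UNSPEC):
    """Resolve `host` via getaddrinfo() for one address family.

    Returns (elapsed_seconds, [addresses]).  With AF_UNSPEC the resolver must
    answer both A and AAAA queries; with AF_INET only the A query is sent,
    which is the difference between a default sshd and one started with -4.
    """
    start = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        addrs = [ai[4][0] for ai in infos]
    except socket.gaierror:
        addrs = []
    return time.monotonic() - start, addrs


def is_ip_literal(host):
    """True if `host` is already an IP literal, so no DNS lookup is needed.

    AI_NUMERICHOST makes getaddrinfo() refuse to consult the resolver at all,
    which is why tunnels configured with IP addresses never wait on DNS.
    """
    try:
        socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM,
                           0, socket.AI_NUMERICHOST)
        return True
    except socket.gaierror:
        return False


def compare_families(host, port=22):
    """Time AF_UNSPEC against AF_INET for one host and report both results."""
    unspec_secs, unspec_addrs = timed_resolve(host, port, socket.AF_UNSPEC)
    inet_secs, inet_addrs = timed_resolve(host, port, socket.AF_INET)
    return {
        "host": host,
        "unspec_secs": unspec_secs,
        "unspec_addrs": unspec_addrs,
        "inet_secs": inet_secs,
        "inet_addrs": inet_addrs,
        # A large gap points at the AAAA path (slow or unanswered IPv6 lookups).
        "ipv6_penalty_secs": max(0.0, unspec_secs - inet_secs),
    }


def resolve_with_deadline(host, port, family=socket.AF_UNSPEC, timeout=2.0):
    """Run getaddrinfo() on a daemon thread so a stuck resolver cannot block
    the caller for longer than `timeout` seconds.  Returns the address list,
    or None if the lookup was still blocked when the deadline passed."""
    result = {}

    def worker():
        result["addrs"] = timed_resolve(host, port, family)[1]

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout)
    return result.get("addrs")


if __name__ == "__main__":
    # Constructed sample input: a loopback literal and two hostnames.
    for name in ("127.0.0.1", "localhost", "www.openssh.com"):
        if is_ip_literal(name):
            print(f"{name}: IP literal, no lookup performed")
            continue
        r = compare_families(name)
        print(f"{name}: AF_UNSPEC {r['unspec_secs']:.3f}s {r['unspec_addrs']} | "
              f"AF_INET {r['inet_secs']:.3f}s {r['inet_addrs']} | "
              f"IPv6 penalty {r['ipv6_penalty_secs']:.3f}s")
        print(f"  with 2s deadline: {resolve_with_deadline(name, 22)}")
```

Run it on the affected server: a host whose AF_UNSPEC time is seconds longer than its AF_INET time reproduces the symptom Darren describes, and the FAQ entry he links is the place to look for the resolver-side fix. Newer OpenSSH releases also expose the -4 behaviour as the AddressFamily inet directive in sshd_config, which is the same mitigation without changing the init script.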
Below are some details about a few of the servers on which I encountered the hanging DNS problem...I'm afraid that the BSD account I had trouble with is no longer available...Windows OpenSSH servers have never had the problem as best as I can tell.

---Machine 1---
Red Hat Linux release 8.0 (Psyche)
Kernel: Linux 2.4.23-xfs
glibc-2.2.93-5
glibc-devel-2.2.93-5
glibc-common-2.2.93-5
glibc-kernheaders-2.4-7.20
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
---------------

---Machine 2---
Custom Distribution
Kernel: Linux 2.4.25
Glibc Version 2.1 - that's the best answer I could get from our admin :P
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6g 9 Aug 2002
---------------

---Machine 3---
Nomad Linux 2.0
Kernel: 2.4.25 #1 SMP
Glibc Version 2.1 - that's the best answer I could get from our admin :P
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6g 9 Aug 2002
---------------

Thanks!
Kendell

On Mon, 7 Jun 2004, Kendell Welch wrote:
> Hi All, I'm Kendell, and I'm new to the list.
>
> I've been working on an SSH VPN client. I've noticed a possible
> glitch/bug with OpenSSH on various platforms (Linux and various BSD, but
> Windows seems to be OK for some reason.)
>
> The SSH VPN client can configure SSH tunnels using DNS names instead of IP
> addresses. It seems that if the client "rapidly" configures a number of
> tunnels using DNS names instead of IP addy's (say, 5-10 tunnels,) sshd
> hangs for a minute or more. Eventually sshd "comes back", but in the mean
> time, no terminal interaction or any other SSH traffic is sent from the
> server (based on Ethereal observation.)
>
> We put sshd into debug mode, and saw the hang was during DNS lookups. A
> colleague found that running sshd with the -4 option made the problem "go
> away" (this option forces sshd to run only in IPv4 mode...I think.)
>
> The problem manifests itself (at least on Linux) even if the Kernel is
> compiled with IPv6 support.
>
> Is there possibly some problem with support for IP and/or DNS lookup
> for SSH tunnels?
>
> My team and I are available for any questions regarding reproducing the
> problem, and/or other assistance.
>
> Thanks!
> Kendell Welch
> Vast Range Security
> http://www.vastrange.com/
>
> P.S. For those of you with Windows 2K/XP, the problem can be demonstrated
> by using the free-trial version of Safe Passage from:
> http://www.vastrange.com/