OpenSSH gurus:
Apologies if this has been covered already (or is a genuine FAQ). I've
searched both Google and MARC extensively on this issue, and have come up
empty.
I use OpenSSH 3.0.2p1 (openssl-0.9.6c) on a group of Linux (Slackware 8.0,
kernel 2.4.13, glibc 2.2.3) machines that have this in /etc/hosts:
10.1.1.2 s1 s1.[domain].com
...
10.1.1.6 s5 s5.[domain].com
This is in /etc/host.conf:
order hosts, bind
This is in /etc/nsswitch.conf:
hosts: files dns
This is in /etc/resolv.conf:
domain [domain].com
nameserver 127.0.0.1
If I ssh from one of these servers to another using IP addresses, the
connection takes place in milliseconds (they are 1 GHz, 1 GB RAM machines
with 100-base-TX switched Ethernet). However, trying to ssh using a
hostname (e.g. "s1" or "s1.[domain].com") results in a five-second delay
before successful authentication takes place.
Running strace on the ssh command indicates that:
1. /etc/nsswitch.conf is read.
2. /etc/passwd, group, and services are read.
3. /etc/resolv.conf is read.
4. /etc/host.conf is read.
5. /etc/hosts is read.
6. Multiple DNS queries are made to my nameserver (127.0.0.1).
7. /etc/resolv.conf is read again.
8. ssh finally has the correct IP address and begins a key-auth
dialogue that works without error.
Every UNIX networking program I know of (e.g. telnet, ftp, ping) obeys
either host.conf or nsswitch.conf, which in my case both clearly state
that /etc/hosts should be consulted before a DNS lookup is performed.
But OpenSSH seems to ignore the host data it reads in step 5, consulting
my DNS servers instead.
(This is a problem because my local resolver, DJB's dnscache, follows the
delegation for s[1-5].[domain].com all the way to the authoritative
nameservers, which are s5 and s1; all the servers are NAT'ed behind a PIX,
rendering them inaccessible to each other via their external addresses.)
This delay is annoying, and wouldn't happen if OpenSSH read /etc/hosts and
used that data, as it should.
--
Kevin DeGraaf
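Added example, not part of the original post: a small Python checker that reduces an strace log of an ssh run to resolver-relevant events and counts how many DNS datagrams went out after /etc/hosts had been opened, which is the ordering problem described above. The SAMPLE_TRACE lines are constructed to mirror the sequence in the post (they are not real output from the poster's machines), and the regexes assume classic strace formatting of open/close/connect/sendto.

```python
"""Reduce an strace log to resolver events; count DNS queries sent after /etc/hosts was opened."""
import re

# Constructed strace excerpt shaped like the post's sequence; not real output from the author's hosts.
SAMPLE_TRACE = """\
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/resolv.conf", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY) = 3
connect(3, {sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
sendto(3, "...", 30, 0, NULL, 0) = 30
sendto(3, "...", 30, 0, NULL, 0) = 30
close(3) = 0
open("/etc/resolv.conf", O_RDONLY) = 3
connect(4, {sin_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("10.1.1.2")}, 16) = 0
"""

OPEN_RE = re.compile(r'^open\("(/etc/[^"]+)"')
CLOSE_RE = re.compile(r'^close\((\d+)\)')
CONNECT_RE = re.compile(r'^connect\((\d+), \{.*?sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([\d.]+)"\)')
SENDTO_RE = re.compile(r'^sendto\((\d+),')


def resolver_events(trace: str) -> list[tuple[str, str]]:
    """Ordered events: ("file", path), ("dns", nameserver), ("tcp", ip:port)."""
    events = []
    dns_fds = {}  # fd of a UDP socket connected to port 53 -> nameserver
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):
            events.append(("file", m.group(1)))
        elif m := CLOSE_RE.match(line):
            dns_fds.pop(m.group(1), None)  # fd numbers are reused after close
        elif m := CONNECT_RE.match(line):
            fd, port, ip = m.groups()
            if port == "53":
                dns_fds[fd] = ip
            else:
                events.append(("tcp", f"{ip}:{port}"))
        elif (m := SENDTO_RE.match(line)) and m.group(1) in dns_fds:
            events.append(("dns", dns_fds[m.group(1)]))
    return events

def dns_queries_after_hosts(trace: str) -> int:
    """How many DNS datagrams went out after /etc/hosts was read (0 = files won)."""
    seen_hosts, count = False, 0
    for kind, value in resolver_events(trace):
        seen_hosts = seen_hosts or (kind == "file" and value == "/etc/hosts")
        count += 1 if (kind == "dns" and seen_hosts) else 0
    return count
```

Feed it the output of `strace -f -o trace.log ssh s1` to see whether the resolver really consulted DNS after the hosts file, and against which nameserver.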