Ok, so my situation:

Connecting to internal machines via a bastion server in AWS.

Because I'm raising and tearing down the infrastructure a lot at this stage with Terraform, the IP addresses change.

For the management subnet, I have a private DNS zone defined, and a public zone with a record for the bastion server.

What I wanted: to just be able to define a config entry thus:

---

Host graylog
Hostname graylog.management
ProxyCommand ssh -q -W %h:%p user@jumpbox.my.aws.zone

---

This takes a long time (> 30s) to connect because the client is doing a DNS lookup on the Hostname, which apparently has to fail before it attempts to connect.

Add this to your /etc/hosts ...

---

127.0.0.1 graylog.management

---

... and connection is swift. This seems like a rather grody workaround, because one day I may have a VPN server inside this cloud and want DNS lookups to work properly.

Is there a way to suppress this DNS lookup happening locally, when using ProxyCommand?

Is this in the same set of things being discussed at

http://marc.info/?l=openssh-unix-dev&m=139556798100796&w=2

and https://bugzilla.mindrot.org/show_bug.cgi?id=2218 ?

I don't have CanonicalizeHostName on, so what's doing the lookup?
Please send verbose output, i.e. "ssh -vvv ..."

On Wed, 1 Mar 2017, Adrian Wilkins wrote:
> Is there a way to suppress this DNS lookup happening locally, when using
> ProxyCommand?
>
> I don't have CanonicalizeHostName on, so what's doing the lookup?
On 01/03/17 21:33, Damien Miller wrote:
> Please send verbose output, i.e. "ssh -vvv ..."

Sorry for the large delay... Attached logs. Have anonymised some things.

No notable differences that I can spot. The *-host.log file is with an entry pointing to localhost in /etc/hosts. The other is without this entry.

The "with" session connects instantly. The "without" session takes much longer. The pauses occur during the segment of log below the line.

Setting "GSSAPIAuthentication no" for this configuration (not the configuration for the proxy SSH server) causes it to take the same amount of time as when you insert a definition of the remote host DNS name in /etc/hosts.

----
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
----
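The slow stanza from the first message beside the corrected one that follows from the last message, as an added ssh_config example that is not part of the thread; host and user names are the poster's placeholders, and the explanation of why GSSAPI triggers the lookup (the Kerberos library canonicalising the target name through DNS to build the host service principal) is standard krb5 behaviour rather than something the thread states.

```sshconfig
# Added example, not from the thread. graylog.management, user and
# jumpbox.my.aws.zone are the placeholders used in the original post.

# Slow: as originally posted. With GSSAPI enabled, the client asks the
# Kerberos library for a service principal for graylog.management, and
# the library canonicalises that name through local DNS first. Behind a
# ProxyCommand that name only resolves on the far side, so the lookup
# has to time out (the ~30s pause next to "gssapi-with-mic" in the log)
# before authentication moves on to the next method.
Host graylog-slow
    Hostname graylog.management
    ProxyCommand ssh -q -W %h:%p user@jumpbox.my.aws.zone

# Fast: turn GSSAPI off for the host that is only reachable through the
# jump. This is set on the inner connection, not on the jumpbox stanza,
# which keeps whatever authentication the bastion itself needs.
Host graylog
    Hostname graylog.management
    ProxyCommand ssh -q -W %h:%p user@jumpbox.my.aws.zone
    GSSAPIAuthentication no

# Same fix applied to the whole private zone at once, so every host in
# the management subnet gets it without a stanza each.
Host *.management
    ProxyCommand ssh -q -W %h:%p user@jumpbox.my.aws.zone
    GSSAPIAuthentication no
```

`ssh -G graylog | grep -i gssapiauthentication` prints the value the client will actually use for that host, which is a quicker check than timing a connection.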