Logins to OpenSSH server slow due to "UseDNS yes" config
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
When logging in to my Ubuntu 8.04 Server edition server via SSH (client PuTTY), logins take exactly 20 seconds between the time the username is entered and the time the password request appears.
The problem is caused by the "UseDNS yes" config parameter. When it is changed to "UseDNS no", the server logs in instantly.
The cause of the problem is that the server is in a network that does not have a DHCP server to store client hostnames, and thus, when requesting the hostname, it waits for the request to time out. When the same server is put on a network with a DHCP server, the logins are instantaneous as well.
Another workaround is to put the client's hostname and IP address in /etc/hosts.
This bug has similar symptoms to https:/
I would disable UseDNS permanently, but I am skittish because it sounds like a security feature. Unfortunately, it seems worthless; when I put the client's hostname and the WRONG IP address in /etc/hosts, the connection still is successful (after a 20 second delay). That poses the question: what is the point of UseDNS?
In bug 84899, someone suggests changing /etc/nsswitch.conf, but my configuration was already like the recommended fix.
All config files are at their defaults.
To Reproduce:
Install Ubuntu Server 8.04
`apt-get install openssh-server`
Put machine on non-DHCP network
Connect to machine's IP
`lsb_release -rd`
Description: Ubuntu 8.04.3 LTS
Release: 8.04
`apt-cache policy openssh-server`
Installed: 1:4.7p1-8ubuntu1.2
Changed in openssh (Ubuntu): status: Incomplete → Confirmed
After reading more about UseDNS, the more pertinent issue is what is the point of it at all if a false IP for the hostname is still accepted as a valid connection.
Also, why is there no setting to make it time out after a certain number of seconds (aka, what if the DNS request didn't time out for a minute, as some on the web are finding)? There should be a setting to force a DNS timeout.
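What UseDNS actually checks, as an added example written for this page (not code from the bug report or from OpenSSH): it models the forward-confirmed reverse lookup that sshd_config(5) describes for UseDNS, including the case where the name maps to the wrong address, and adds a caller-side time bound that sshd itself does not offer. The IP addresses, hostnames and resolver tables are constructed; `system_reverse`/`system_forward` use the real system resolver.

```python
import socket
import threading
import time


def fcrdns(ip, reverse, forward):
    """The check sshd_config(5) describes for UseDNS: reverse-resolve the client
    IP, then require that name to resolve back to the same IP. Login proceeds
    either way; an unverified name just makes sshd log and match (AllowUsers
    user@host, from= on keys) on the bare IP, so a wrong /etc/hosts entry passes."""
    name = reverse(ip)
    if name is None:
        return {"name": ip, "verified": False, "reason": "no PTR record"}
    if ip in forward(name):
        return {"name": name, "verified": True, "reason": "forward-confirmed"}
    return {"name": ip, "verified": False, "reason": f"{name} does not resolve to {ip}"}


def bounded_fcrdns(ip, reverse, forward, timeout_s):
    """The libc resolver's timeout comes from /etc/resolv.conf, not the caller, so
    the lookup runs in a daemon thread and is abandoned after timeout_s (assumed)."""
    box = {}
    t = threading.Thread(target=lambda: box.update(v=fcrdns(ip, reverse, forward)), daemon=True)
    t.start()
    t.join(timeout_s)
    slow = {"name": ip, "verified": False, "reason": f"resolver exceeded {timeout_s}s"}
    return slow if t.is_alive() else box.get("v", slow)


def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]  # /etc/hosts, then DNS, per nsswitch.conf
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def simulate(ip, ptr, fwd, delay_s=0.0, timeout_s=1.0):
    """Offline run on constructed tables; delay_s models a resolver waiting on an absent DNS server."""
    def reverse(a):
        time.sleep(delay_s)
        return ptr.get(a)
    return bounded_fcrdns(ip, reverse, lambda n: fwd.get(n, []), timeout_s)
```

Against a live host, `bounded_fcrdns(ip, system_reverse, system_forward, 2.0)` returns the bare IP after two seconds instead of the 20-second wait described in the report.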