Ever wondered why sometimes it takes an awful lot of time for the password prompt to show up when trying to SSH into a system running OpenSSH on the local network? I have. And I have always suspected it must have something to do with DNS resolution.
It turns out there is a setting in OpenSSH that controls whether SSHd should not only resolve remote host names but also check whether the resolved host names map back to remote IPs. Apparently, that setting is enabled by default in OpenSSH. The directive UseDNS controls this particular behaviour of OpenSSH, and while it is commented in sshd_config (which is the default configuration file for the OpenSSH daemon in most enviornments), as per the man page for sshd_config, the default for UseDNS is set to enabled. Uncommenting the line carrying the UseDNS directive and setting it to “no” disables the feature.
ddouthitt
6 February, 2008
This is a three-minute delay that is the time it takes for DNS to timeout. This three-minute delay shows up all over the place:
Cisco IOS
Squid cache
Postfix / Sendmail
FTP servers
PPP clients
So keep a sharp lookout for DNS failures.
ayaz
6 February, 2008
In case of OpenSSH, the DNS resolution feature is merely a small overhead to check whether the resolved IP maps back to the same hostname. In this case, it takes nearly from 30 seconds to 60 seconds to timeout. Also, I tend to keep the LoginGraceTime set to one minute or less on OpenSSH, and that tends to create problems at times.
Uki
8 January, 2011
I have strange problem with openssh on my Debian Lenny system. It stops to work after some time making me unable to connect to remote machine. When I nmap it in those situations I get tcpwrapped for ssh port. I think it is somehow connected with reverse DNS resolving. When I try to connect via ssh with -vv options I get chek_ident -1 . This is very annoying problem as I need to pay guy to go to servers and reboot them… DO you have any idea why is this happening ?