
Re: [Xen-users] VM slow after being unused for a while


  • To: Itamar Reis Peixoto <itamar@xxxxxxxxxxxxxxxx>
  • From: Nico Kadel-Garcia <nkadel@xxxxxxxxx>
  • Date: Sat, 12 May 2007 09:15:45 +0100
  • Cc: Nasse Gris <nassegris@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Sat, 12 May 2007 01:11:56 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Itamar Reis Peixoto wrote:
> try to edit /etc/ssh/sshd_config
> and change UseDNS to NO
> restart ssh server
> --------------------
> Itamar Reis Peixoto
Unfortunately, that argument doesn't do what you think it does. And it confuses a lot of people!

Here's the situation at least up through OpenSSH 3.9p1.

OpenSSH, for logging purposes, does a reverse DNS on any contacting IP address. The UseDNS option says whether to verify that the reverse DNS matches a valid forward DNS for that host. But disabling UseDNS does *NOT, NOT, NOT* turn off the reverse DNS lookup! Any number of us have submitted patches for this over the years: I submitted some when I dealt with large remotely deployed networks. (When you manage thousands of machines deployed in data centers all over the world, you can be absolutely certain a lot of them will not have valid reverse DNS, or even have DNS working properly, and you need to be able to log in quickly in a crunch.)

The option you need is in your sshd init script. You need to use the additional options "-u 0", to set the namelength of the recorded DNS entry to 0 so that the reverse DNS isn't actually done. (Why the SSH authors think setting an arglength to 0 should cause undocumented behavior and not throw an error, instead of obeying the UseDNS option in the configuration file more correctly, I leave to people who think the "chroot" option of OpenSSH actually means a chroot cage for SSH users to protect them from accessing the filesystem outside their home directory. It doesn't.)

I like OpenSSH, I use it a lot, but I've disagreed volubly with the authors on a few points over the years. This is one of them.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
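As an added example (not part of the original thread, and not OpenSSH's own code), here is a small POSIX shell checker for the two settings the reply above discusses: the UseDNS directive in sshd_config and the "-u 0" option on the sshd command line. It reads a config file path and a command-line string, both of which are assumed inputs supplied by the caller; the sample config written in the demo at the bottom is constructed for this example.

```shell
#!/bin/sh
# Added example: report how sshd is configured with respect to reverse DNS,
# per the two knobs discussed in the reply (UseDNS in sshd_config, -u0 on
# the sshd command line). Not part of OpenSSH; assumed inputs are a config
# file path and the sshd command line as a single string.

# Print the effective UseDNS value from a config file. sshd honours the
# first occurrence of a keyword and ignores comment lines; the documented
# default when the directive is absent is "yes".
sshd_usedns() {
    cfg=$1
    v=$(awk 'tolower($1) == "usedns" { print tolower($2); exit }' "$cfg")
    if [ -n "$v" ]; then echo "$v"; else echo "yes"; fi
}

# Return 0 if the command line carries "-u0" or "-u 0", else 1.
# "-u 10" or "-u 16" must not match: the length after -u has to be exactly 0.
sshd_has_u0() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-u[[:space:]]*0([[:space:]]|$)'
}

# Summarise both settings in one line. Mode names are this example's own.
sshd_dns_mode() {
    cfg=$1
    cmdline=$2
    usedns=$(sshd_usedns "$cfg")
    if sshd_has_u0 "$cmdline"; then
        echo "u0:yes usedns:$usedns"
    else
        echo "u0:no usedns:$usedns"
    fi
}

# Demo on a constructed config (the "weak" setting next to the corrected
# command line). Real checks would point at /etc/ssh/sshd_config and the
# OPTIONS/flags line of the sshd init script.
sshd_dns_demo() {
    tmp=$(mktemp)
    printf 'Port 22\n# UseDNS yes\nUseDNS no\n' > "$tmp"
    sshd_dns_mode "$tmp" "/usr/sbin/sshd"          # u0:no usedns:no
    sshd_dns_mode "$tmp" "/usr/sbin/sshd -u 0"     # u0:yes usedns:no
    rm -f "$tmp"
}
```

Run sshd_dns_demo to see both lines; on a live host, pass the real config path and the argument string your init script hands to sshd.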

