A script to workaround slow ssh connection issues
Authored by: Iceberg on Dec 28, '07 11:03:46AM
Like many, I've had the same issue for a long time. After much digging and network sniffing, I found out that the ssh client on Mac OS X (Tiger and up, at least) performs a DNS lookup for the SRV record of the host you are connecting to.

SRV records essentially specify the port on which a service runs, and are seldom used.

For example, when I was connecting to a host named "server1.domain.local", an SRV record lookup was made for the following domain name:

_ssh._tcp.server1.domain.local

Since there was no such SRV record, there was a slight delay before the client (presumably) fell back to another method. So I simply added the following record in the local DNS server's appropriate zone file:

_ssh._tcp.server1 IN SRV 0 100 22 server1

And voilà! No more delays.

Granted, not everyone runs a local DNS server, but this should help some of you.

A script to workaround slow ssh connection issues
Authored by: sweth on Dec 29, '07 05:57:10AM
You shouldn't be seeing the SRV behaviour in Tiger, just Leopard. For those who care about the details, here's the explanation I sent to someone on a local sysadmin mailing list when they were running into ssh delays right after Leopard was released:

Assuming you are referring to problems when ssh-ing from a Leopard box to other systems, then the problem is probably the new behavior of the getaddrinfo() call in Leopard. Basically, that call in Leopard now uses the RFC-recommended practice of first issuing a DNS SRV record request rather than an A record request, and then falling back to the A record request if the SRV request fails; unfortunately, apparently a lot of DNS servers don't respond to the SRV request w/ an NXDOMAIN as they should, and instead just drop the request, so getaddrinfo() retries the SRV request a few times, and only after those requests time out does it try the A request. (I've heard reports that Leopard may generate DNS requests w/ an invalid RR type, which might explain why the servers being queried aren't responding to them correctly.) So if ssh is using getaddrinfo() rather than gethostbyname/getservbyname, then it would hang like you describe whenever you are pointing to a DNS server that doesn't respond well to the SRV request.

The easiest way to check if that's your problem would be to sniff traffic on port 53 while trying an ssh connection, and seeing if your box is making a SRV request or an A request.

(The DNS-SRV RFC explicitly notes that services whose protocol spec doesn't explicitly discuss using SRV should NOT use SRV, but I believe that LDAP is one of the few services that does discuss using it (and SRV was, I think, originally created by Microsoft folks to support LDAP stuff), so someone apparently compiled ssh in Leopard to use getaddrinfo for the LDAP auth lookup--and apparently was too lazy to put in logic to ONLY use getaddrinfo for an LDAP auth host lookup, and not for non-LDAP auth lookups and/or the actual ssh host lookup.)

AFAIK the only fix is to recompile SSH or to pre-empt the SRV lookup as this hint describes.
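
The check sweth describes above (sniffing port 53 to see whether the box sends an SRV request or an A request), as an added example that is not part of any poster's comment: this Python code parses captured DNS payloads and measures how long the client spent on unanswered _ssh._tcp SRV queries before it sent the A query. The packet bytes and timestamps are constructed, and the names build_query, parse_question and srv_stall are hypothetical.

```python
import struct

QTYPES = {1: "A", 28: "AAAA", 33: "SRV"}  # DNS RR type codes
PREFIX = "_ssh._tcp."                     # SRV owner-name prefix seen in the thread

def build_query(txid, name, qtype):
    """Build a minimal DNS query payload; used only to construct the sample."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # class IN

def parse_question(payload):
    """Return (txid, is_response, qname, qtype) for the first question."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []                  # question starts after the 12-byte header
    while payload[pos]:                   # length-prefixed labels, 0 terminates
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack("!H", payload[pos + 1:pos + 3])
    return txid, bool(flags & 0x8000), ".".join(labels), QTYPES.get(qtype, str(qtype))

def srv_stall(capture):
    """Seconds between the first unanswered _ssh._tcp SRV query and the A query
    for the same host; None if the capture does not show that pattern."""
    parsed = [(ts, *parse_question(p)) for ts, p in capture]
    answered = {txid for _, txid, is_resp, _, _ in parsed if is_resp}
    first_srv = {}
    for ts, txid, is_resp, qname, qtype in parsed:
        if is_resp:
            continue
        if qtype == "SRV" and qname.startswith(PREFIX) and txid not in answered:
            first_srv.setdefault(qname[len(PREFIX):], ts)
        elif qtype == "A" and qname in first_srv:
            return ts - first_srv[qname]
    return None

# Constructed sample (timestamps invented): three SRV retries, no reply, then A.
HOST = "server1.domain.local"
SAMPLE = [(0.0, build_query(0x1001, PREFIX + HOST, 33)),
          (1.0, build_query(0x1002, PREFIX + HOST, 33)),
          (3.0, build_query(0x1003, PREFIX + HOST, 33)),
          (7.0, build_query(0x1004, HOST, 1))]

if __name__ == "__main__":
    print("stall before A query:", srv_stall(SAMPLE), "seconds")
```

A result of None means the capture shows no unanswered SRV query ahead of the A query, so the delay has to be looked for elsewhere.
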
A script to workaround slow ssh connection issues
Authored by: cran on Jan 06, '08 07:35:15AM

Thanks for pointing this out. It seems like a reasonable explanation.

Now the harder part is to convince our DNS admins to put this record into the DNS configuration for hundreds of servers.