nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00
Code Issues Projects Releases Wiki Activity

Add a docs note about DNS performed by GSSAPI.

Browse Source 
I recently noticed a mysterious delay at connection startup while
using an SSH jump host, and investigated it in case it was a bug in
the new jump host code that ought to be fixed before 0.77 goes out.

strace showed that at the time of the delay PuTTY was doing a DNS
lookup for the destination host, which was hanging due to the
authoritative DNS server in question not being reachable. But that was
odd, because I'd configured it to leave DNS lookup to the proxy,
anticipating exactly that problem.

But on closer investigation, the _proxy_ code was doing exactly what
I'd told it. The DNS lookup was coming from somewhere else: namely, an
(unsuccessful) attempt to set up a GSSAPI context. The GSSAPI library
had called gethostbyname, completely separately from PuTTY's own use
of DNS.

Simple workaround for me: turn off GSSAPI, which doesn't work for that
particular SSH connection anyway, and there's no point spending 30
seconds faffing just to find that out.

But also, if that puzzled me, it's worth documenting!
This commit is contained in:
Simon Tatham 2022-02-22 18:43:53 +00:00
parent f85716be45
commit 0613ec9986
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/config.but
View File

@ -2057,6 +2057,16 @@ is a protocol extension (SOCKS 4A) which does support it, but not
all SOCKS 4 servers provide this extension. If you enable proxy DNS
and your SOCKS 4 server cannot deal with it, this might be why.
If you want to avoid PuTTY making \e{any} DNS query related to your
destination host name (for example, because your local DNS resolver is
very slow to return a negative response in that situation), then as
well as setting this control to \q{Yes}, you may also need to turn off
GSSAPI authentication and GSSAPI key exchange in SSH (see
\k{config-ssh-auth-gssapi} and \k{config-ssh-gssapi-kex}
respectively). This is because GSSAPI setup also involves a DNS query
for the destination host name, and that query is performed by the
separate GSSAPI library, so PuTTY can't override or reconfigure it.
\S{config-proxy-auth} \I{proxy username}Username and \I{proxy password}password
If your proxy requires \I{proxy authentication}authentication, you can