SSH DNS Reverse Lookup.

For new installations, please use the new ©XSIBackup, which is far more advanced than ©XSIBackup-Classic.
©XSIBackup uses key authentication to "talk" to other hosts; this is set up by the --link-srv command. In some backup jobs, key authentication can take place many times, so any delay can add a very significant amount of time to the backup.
The SSH daemon (sshd) controls whether a reverse DNS lookup is performed on hosts that connect to it. If you don't use DNS, or if it's not properly configured in your network, SSH connections can be delayed considerably, until the timeout is reached. This is the typical situation when SSHing to a host in which the password prompt takes some seconds to appear. When not using key authentication this is a simple annoyance for newbies, but it takes on great importance when using XSIBackup.
So, you should make sure that connections to backup hosts are established instantly, without any delay. A quick way to check this is to run the following command from the ©XSIBackup installation directory:
ssh -o StrictHostKeyChecking=no -i xsibackup_id_rsa 192.168.X.Y "echo WORKING"
Where 192.168.X.Y is the IP of your remote backup host. This remote command will just echo the word "WORKING" from the remote system. It is a very basic test; you can add the -v (verbose) switch to the ssh client command to get detailed information about what's going on. Add more "v"s to increase the level of verbosity.
ssh -vvv -o StrictHostKeyChecking=no -i xsibackup_id_rsa 192.168.X.Y "echo WORKING"
To disable reverse DNS lookups on incoming SSH connections (this obviously has to be set on the server side), just edit your sshd_config file, which on an ESXi host is located at /etc/ssh/sshd_config, and add the UseDNS no option.
# running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Add this option to your /etc/ssh/sshd_config file
UseDNS no
UsePrivilegeSeparation no
SyslogFacility auth
LogLevel info
PermitRootLogin yes
PrintMotd yes
PrintLastLog no
TCPKeepAlive yes
X11Forwarding no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no
Banner /etc/issue
Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server -f LOCAL5 -l INFO
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
# Timeout value of 10 mins. The default value of ClientAliveCountMax is 3.
# Hence, we get a 3 * 200 = 600 seconds timeout if the client has been
# unresponsive.
ClientAliveInterval 200
# sshd(8) will refuse connection attempts with a probability of "rate/100"
# (30%) if there are currently "start" (10) unauthenticated connections. The
# probability increases linearly and all connection attempts are refused if the
# number of unauthenticated connections reaches "full" (100)
MaxStartups 10:30:100
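When adding the option, keep in mind that sshd uses the first value it obtains for a keyword, so a UseDNS no placed below an earlier UseDNS line has no effect. The following check is an added example, not part of ©XSIBackup or of the original article; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which UseDNS value sshd will actually use.
# sshd_config keywords are case-insensitive and the first value obtained
# for a keyword wins; lines after a Match keyword belong to that block.

# effective_usedns FILE
# Prints "<value> <line> [ignored lines...]" or "unset 0".
effective_usedns() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }      # drop leading blanks
        line == "" || line ~ /^#/ { next }           # skip blanks, comments
        {
            sub(/[ \t]*=[ \t]*/, " ", line)          # accept keyword=value
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
        }
        key == "match" { exit }                      # global section ends
        key == "usedns" {
            if (val == "") { val = tolower(f[2]); at = NR }
            else ignored = ignored " " NR            # shadowed duplicate
        }
        END {
            if (val == "") print "unset 0"
            else print val " " at ignored
        }
    ' "$1"
}

# Constructed sample (not a real host file): the appended "UseDNS no"
# on line 5 is shadowed by the earlier "usedns yes" on line 3.
check_sample() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample sshd_config
Protocol 2
usedns yes
PermitRootLogin yes
UseDNS no
EOF
    out=$(effective_usedns "$tmp")
    rm -f "$tmp"
    echo "$out"
}
```

Run `effective_usedns /etc/ssh/sshd_config` on the backup host; a result of "unset 0" means the value falls back to the default of the installed OpenSSH version.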
There are other sshd options that may delay your SSH connections. The reverse DNS lookup is, in any case, the most frequent cause. You can read this serverfault.com post to delve into the matter:
https://serverfault.com/questions/576293/sshd-tries-reverse-dns-lookups-with-usedns-no
You can also find lots of posts and articles on the net that go deeper into this topic.
Daniel J. García Fidalgo
33HOPS