I think, I have found a bug in the initialization of search and bind timeout values. The LPK patch sets value "0", but openssh original code expects value "-1", and therefore code at "parse_int:" does not set the value from config file. I have already sent an email (see below) to andrea (at) inversepath.com, which tells everything (I hope). It is not critical bug, so you can wait for update from author, or make your own update. =============================================================== Hi Andrea, In my network, I have SSH setup, which uses two LDAP servers. I have tried to switch off one of the server and I have found long time wait before connect on ssh server (the same delay is if the SSH server restarts). I have setup LpkBindTimelimit to 3, but I have found, it takes 10 seconds utill ldap_connect timeouts and tries the seconds server. I have read the source code and IMHO I found a bug. The problem is in reading and setting LpkBindTimelimit and LpkSearchTimelimit values from config file. In the function process_server_config_line() in file servconf.c, there is following code to read Bind timeout and Search timeout: -------------------------------------------------- case sBindTimeout: intptr = (int *) &options->lpk.b_timeout.tv_sec; goto parse_int; case sSearchTimeout: intptr = (int *) &options->lpk.s_timeout.tv_sec; goto parse_int; break; -------------------------------------------------- The code "parse_int" reads the INT value and store it (following code is from OpenSSH-4.5p1, but in OpenSSH-4.3p2 is the same code except "*activep &&" part): -------------------------------------------------- parse_int: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing integer value.", filename, linenum); value = atoi(arg); if (*activep && *intptr == -1) *intptr = value; break; -------------------------------------------------- The problem is in the codition if (*intptr==-1) *intptr=value; which sets the value only if original value is equal to -1. But in the function initialize_server_options() from the same file servconf.c, the values are set to "0". -------------------------------------------------- options->lpk.b_timeout.tv_sec = 0; options->lpk.s_timeout.tv_sec = 0; -------------------------------------------------- In this case value from config file is not set (because *intptr equals to "0", not "-1"). And later in the function fill_default_server_options() these values are set to default values (which is 10 seconds for these Timeouts). -------------------------------------------------- if (options->lpk.b_timeout.tv_sec == 0) options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT; if (options->lpk.s_timeout.tv_sec == 0) options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT; -------------------------------------------------- I think the code should be changed to use "-1" values for uninitialized values, it means: -------------------------------------------------- options->lpk.b_timeout.tv_sec = -1; options->lpk.s_timeout.tv_sec = -1; -------------------------------------------------- and -------------------------------------------------- if (options->lpk.b_timeout.tv_sec == -1) options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT; if (options->lpk.s_timeout.tv_sec == -1) options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT; -------------------------------------------------- I did already these changes and it looks working. It does not wait 10 seconds, but only 3 seconds. With regards Robert Wolf. Reproducible: Always Steps to Reproduce:
If you are in openssh-lpk@inversepath.com list, you know it, so for the others, answer from Andrea: ---- Hi! Thanks a lot for your detailed bug report. I'll make sure to fix this in our next release. Cheers! -- Andrea Barisani Inverse Path Ltd Chief Security Engineer -----> <-------- <andrea@inversepath.com> http://www.inversepath.com 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"
next release has come and gone