Jorge Cleber Teixeira de Almeida Junior
2002-Jun-11 14:14 UTC
RES: OpenSSH with slow login
I guess it is not a DNS problem, because either using name or IP, I always have the problem. I guess the problem is that I am using ssh in inetd.conf (sshd -i), so it has to generate a key each time I start a session. What do you think?

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Monday, June 10, 2002 20:51
To: Jorge Cleber Teixeira de Almeida Junior; openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH with slow login

Last I checked, there are DNS dependencies that need to be scrubbed out with extreme prejudice. DNS lookups block. And no, we can't blame security, because we can't trust DNS for security decisions :-)

--Dan

----- Original Message -----
From: "Jorge Cleber Teixeira de Almeida Junior" <cleber.junior at atl.com.br>
To: <openssh-unix-dev at mindrot.org>
Sent: Monday, June 10, 2002 3:43 PM
Subject: OpenSSH with slow login

Hi,

I have installed Openssh on a HP-UX 11.00 and I am having a problem. It takes 5 minutes to log in, after I enter my login and password. I try to connect from a Windows machine having a Tera Term SSH client to the HP-UX with the OpenSSH server.

Why does it take so long (5 minutes) to establish a connection from a remote machine to this openssh server? When I do Telnet to the same machine, it takes just 3 seconds!!

I installed the following:

- ZLIB 1.1.4
  http://gatekeep.cs.utah.edu/ftp/hpux/Misc/zlib-1.1.4/zlib-1.1.4-sd-11.00.depot.gz
- Openssl-0.9.6
  http://gatekeep.cs.utah.edu/ftp/hpux/Languages/openssl-0.9.6/openssl-0.9.6-sd-11.00.depot.gz
- Openssh 3.1p1
  http://gatekeep.cs.utah.edu/ftp/hpux/Networking/Admin/openssh-3.1p1/openssh-3.1p1-sd-11.00.depot.gz

After this installation, I did the following steps:

1- cd /opt/openssh2/bin ; chmod 4711 ssh

2- cd /opt/openssh2/etc
   mv moduli.out moduli
   mv ssh_config.out ssh_config
   mv ssh_prng_cmds.out ssh_prng_cmds
   mv sshd_config.out sshd_config

3- Generate the keys:
   cd /opt/openssh2/bin
   ./ssh-keygen -t rsa1 -f /opt/openssh2/etc/ssh_host_key -N ""
   ./ssh-keygen -t dsa -f /opt/openssh2/etc/ssh_host_dsa_key -N ""
   ./ssh-keygen -t rsa -f /opt/openssh2/etc/ssh_host_rsa_key -N ""

Can anyone help me?

regards,
Jorge Cleber JUNIOR
Jorge Cleber Teixeira de Almeida Junior
2002-Jun-11 14:17 UTC
RES: OpenSSH with slow login
If it is a DNS problem, how can I solve this problem?

-----Original Message-----
From: Kevin Steves [mailto:kevin at atomicgears.com]
Sent: Monday, June 10, 2002 20:39
To: Jorge Cleber Teixeira de Almeida Junior
Cc: 'openssh-unix-dev at mindrot.org'; stevesk at pobox.com
Subject: Re: OpenSSH with slow login

On Mon, Jun 10, 2002 at 07:43:51PM -0300, Jorge Cleber Teixeira de Almeida Junior wrote:
> I have installed Openssh on a HP-UX 11.00 and I am having a problem. It
> takes 5 minutes to log in, after I enter my login and password.
> I try to connect from a Windows machine having a Tera Term SSH client to the
> HP-UX with the OpenSSH server.
>
> Why does it take so long (5 minutes) to establish a connection from a
> remote machine to this openssh server?
> When I do Telnet to the same machine, it takes just 3 seconds!!

run sshd -ddd to see where it pauses. also look at the sshd -u option. my guess is DNS delays for reverse mapping.
Hi!

On Tue, Jun 11, 2002 at 11:14:18AM -0300, Jorge Cleber Teixeira de Almeida Junior wrote:
> I guess it is not a DNS problem, because either using name or
> IP, I always have the problem.

The problem is not on the client side, but on the server side. The server tries to reverse lookup the hostname for the IP that connects after a successful login, to write a utmp entry. Thus, it doesn't make a difference whether you use the server's IP address or hostname on the command line.

Instead, make sure that the server's got a correct resolv.conf (i.e. one that lists nameservers which are actually reachable) or disable DNS based host lookups completely by altering nsswitch.conf (if supported by your system) accordingly.

As others have already pointed out, another method to just prevent sshd from using reverse DNS lookups is by passing -u0 on startup (see man sshd for details and restrictions). Maybe this should become an option for sshd_config?

But nevertheless, you should check your server's resolv.conf for unreachable nameserver entries. Nameserver timeouts take forever ...

Ciao
Thomas
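The resolv.conf check suggested in the message above can be scripted. The following is an added example, not part of the original thread: it sends one PTR query for a client address to each `nameserver` entry and reports which ones never answer. The function names and the client address 192.0.2.5 are assumptions made for illustration, and it probes the listed nameservers directly rather than going through the system resolver that sshd uses.

```python
import ipaddress, socket, struct, time

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def ptr_query(client_ip, txid=0x1234):
    """Build the DNS PTR query that a reverse lookup of client_ip sends."""
    name = ipaddress.ip_address(client_ip).reverse_pointer
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 12, 1)  # QTYPE=PTR, QCLASS=IN

def probe(server, client_ip, port=53, timeout=2.0):
    """Send one PTR query to server; return (answered, seconds_waited)."""
    query = ptr_query(client_ip)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    start = time.monotonic()
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(512)
            answered = reply[:2] == query[:2]  # transaction id must match
        except OSError:  # timeout or unreachable: this entry stalls lookups
            answered = False
    return answered, time.monotonic() - start

def audit(resolv_text, client_ip, port=53, timeout=2.0):
    """Probe every nameserver listed in resolv_text, in file order."""
    return {ns: probe(ns, client_ip, port, timeout)
            for ns in parse_nameservers(resolv_text)}

if __name__ == "__main__":
    # 192.0.2.5 is a constructed client address; use the address you log in from.
    with open("/etc/resolv.conf") as fh:
        for ns, (ok, secs) in audit(fh.read(), "192.0.2.5").items():
            print(f"{ns}: {'answered' if ok else 'NO ANSWER'} after {secs:.2f}s")
```

An entry reported as NO ANSWER is one the resolver will wait on before trying the next nameserver, which is the delay described in the thread.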
Jorge--

The SSHD does a reverse lookup on your IP. If the lookup blocks, so does the attempt to log in. Big ol' problem whenever the network goes down and you're trying to SSH into some host on your subnet.

This problem has been around forever...

--Dan