SSH 'hangs' during authentication

17/06/2007, 16h40

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm having some issues with ssh taking about ~12 seconds to connect -
but the ssh session itself is snappy - no lag at all. The load average
on the remote host is fine, and both local and remote DNS queries work
like they should. The problem is there wether I use publickey or
keyboard-interactive auth.

Anyone have any suggestions? :-)

This is using ssh -vvv host:
[ .. snip .. ]
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
debug2: fd 3 setting O_NONBLOCK
# HANGS FOR A WHILE HERE!
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

# HANGS FOR A WHILE HERE!
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2_MSG_KEXINIT sent
[ .. snip .. ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGdUjkwqQbW3my7pcRAv4XAKCtTqVhHFt13d8ylUCgts u7ppNc1wCfZVoY
DFJ17iHcqEmbZcNXr4Xr+wk=
=pgra
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

17/06/2007, 17h30

On 2007-06-17T16:44:52+0200, "Jørgen P. Tjernø" wrote:
> I'm having some issues with ssh taking about ~12 seconds to connect -
> but the ssh session itself is snappy - no lag at all.

[...]

> Anyone have any suggestions? :-)

It probably trying to do a forward or reverse DNS lookup. Does it make
a difference if you use an IP address intead of a hostname?

/Allan

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

17/06/2007, 19h00

On Sun, Jun 17, 2007 at 12:12:46 -0400, Allan Wind wrote:
> On 2007-06-17T16:44:52+0200, "Jørgen P. Tjernø" wrote:
> > I'm having some issues with ssh taking about ~12 seconds to connect -
> > but the ssh session itself is snappy - no lag at all.
>
> [...]
>
> > Anyone have any suggestions? :-)
>
> It probably trying to do a forward or reverse DNS lookup. Does it make
> a difference if you use an IP address intead of a hostname?

It might also to use

ssh -o 'GSSAPIAuthentication no' ...

on the client

and/or to add

UseDNS no

to /etc/ssh/sshd_config on the server. (I think the ssh daemon has to be
restarted for this to take effect.)

I had to do both these things to get rid of the initial delay for ssh
connections between my current desktop computer and my laptop. As far as
I can tell, this is because the two systems are on two separate internal
networks which do not offer full (reverse) DNS support for their
internal IP addresses. Maybe something similar is the case with you.

You can of course also put the "GSSAPIAuthentication no" option into
your ~/.ssh/config on the client.

--
Regards, | http://users.icfo.es/Florian.Kulzer
Florian |

17/06/2007, 21h40

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Kulzer wrote:
> On Sun, Jun 17, 2007 at 12:12:46 -0400, Allan Wind wrote:
>> On 2007-06-17T16:44:52+0200, "Jørgen P. Tjernø" wrote:
>>> I'm having some issues with ssh taking about ~12 seconds to connect -
>>> but the ssh session itself is snappy - no lag at all.
>> [...]
>>
>>> Anyone have any suggestions? :-)
>> It probably trying to do a forward or reverse DNS lookup. Does it make
>> a difference if you use an IP address intead of a hostname?
>
> It might also to use
>
> ssh -o 'GSSAPIAuthentication no' ...
>
> on the client
>
> and/or to add
>
> UseDNS no
>
> to /etc/ssh/sshd_config on the server. (I think the ssh daemon has to be
> restarted for this to take effect.)
>
> You can of course also put the "GSSAPIAuthentication no" option into
> your ~/.ssh/config on the client.

The DNS names shouldn't resolve from outside, but I do use an IP to
connect to it (i.e. the hostname of the remote host is a local hostname
that doesn't resolve on my end, and vice versa).
UseDNS no didn't make any difference, but disabling GSSAPI on the client
made it quite snappy again. I wonder why GSSAPI slows it down so, :-)

Thanks a lot for your , both of you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGdYvuwqQbW3my7pcRAiaeAJ41WXlivKPc684BEzmrSI lOnpR7twCfWkmZ
RrmC14IwrG0Fqee8dA+1irs=
=h2pQ
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

17/06/2007, 16h40	#1
Jørgen P. Tjernø Messages: n/a Hébergeur:	SSH 'hangs' during authentication -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm having some issues with ssh taking about ~12 seconds to connect - but the ssh session itself is snappy - no lag at all. The load average on the remote host is fine, and both local and remote DNS queries work like they should. The problem is there wether I use publickey or keyboard-interactive auth. Anyone have any suggestions? :-) This is using ssh -vvv host: [ .. snip .. ] debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1 debug2: fd 3 setting O_NONBLOCK # HANGS FOR A WHILE HERE! debug1: An invalid name was supplied Cannot determine realm for numeric host address debug1: An invalid name was supplied A parameter was malformed Validation error # HANGS FOR A WHILE HERE! debug1: An invalid name was supplied Cannot determine realm for numeric host address debug1: An invalid name was supplied A parameter was malformed Validation error debug1: SSH2_MSG_KEXINIT sent [ .. snip .. ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGdUjkwqQbW3my7pcRAv4XAKCtTqVhHFt13d8ylUCgts u7ppNc1wCfZVoY DFJ17iHcqEmbZcNXr4Xr+wk= =pgra -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

17/06/2007, 17h30	#2
Allan Wind Messages: n/a Hébergeur:	Re: SSH 'hangs' during authentication On 2007-06-17T16:44:52+0200, "Jørgen P. Tjernø" wrote: > I'm having some issues with ssh taking about ~12 seconds to connect - > but the ssh session itself is snappy - no lag at all. [...] > Anyone have any suggestions? :-) It probably trying to do a forward or reverse DNS lookup. Does it make a difference if you use an IP address intead of a hostname? /Allan -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

17/06/2007, 19h00	#3
Florian Kulzer Messages: n/a Hébergeur:	Re: SSH 'hangs' during authentication On Sun, Jun 17, 2007 at 12:12:46 -0400, Allan Wind wrote: > On 2007-06-17T16:44:52+0200, "Jørgen P. Tjernø" wrote: > > I'm having some issues with ssh taking about ~12 seconds to connect - > > but the ssh session itself is snappy - no lag at all. > > [...] > > > Anyone have any suggestions? :-) > > It probably trying to do a forward or reverse DNS lookup. Does it make > a difference if you use an IP address intead of a hostname? It might also to use ssh -o 'GSSAPIAuthentication no' ... on the client and/or to add UseDNS no to /etc/ssh/sshd_config on the server. (I think the ssh daemon has to be restarted for this to take effect.) I had to do both these things to get rid of the initial delay for ssh connections between my current desktop computer and my laptop. As far as I can tell, this is because the two systems are on two separate internal networks which do not offer full (reverse) DNS support for their internal IP addresses. Maybe something similar is the case with you. You can of course also put the "GSSAPIAuthentication no" option into your ~/.ssh/config on the client. -- Regards, \| http://users.icfo.es/Florian.Kulzer Florian \|

17/06/2007, 21h40	#4
Jørgen P. Tjernø Messages: n/a Hébergeur:	Re: SSH 'hangs' during authentication -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Florian Kulzer wrote: > On Sun, Jun 17, 2007 at 12:12:46 -0400, Allan Wind wrote: >> On 2007-06-17T16:44:52+0200, "Jørgen P. Tjernø" wrote: >>> I'm having some issues with ssh taking about ~12 seconds to connect - >>> but the ssh session itself is snappy - no lag at all. >> [...] >> >>> Anyone have any suggestions? :-) >> It probably trying to do a forward or reverse DNS lookup. Does it make >> a difference if you use an IP address intead of a hostname? > > It might also to use > > ssh -o 'GSSAPIAuthentication no' ... > > on the client > > and/or to add > > UseDNS no > > to /etc/ssh/sshd_config on the server. (I think the ssh daemon has to be > restarted for this to take effect.) > > You can of course also put the "GSSAPIAuthentication no" option into > your ~/.ssh/config on the client. The DNS names shouldn't resolve from outside, but I do use an IP to connect to it (i.e. the hostname of the remote host is a local hostname that doesn't resolve on my end, and vice versa). UseDNS no didn't make any difference, but disabling GSSAPI on the client made it quite snappy again. I wonder why GSSAPI slows it down so, :-) Thanks a lot for your , both of you! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGdYvuwqQbW3my7pcRAiaeAJ41WXlivKPc684BEzmrSI lOnpR7twCfWkmZ RrmC14IwrG0Fqee8dA+1irs= =h2pQ -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email