topic Re: What is the Fastest Authentication Protocols for SSH in Operating System - HP-UX

What is the Fastest Authentication Protocols for SSH

Shah Sahib — Thu, 13 Dec 2007 19:31:08 GMT

Ok experts, sorry if I did not word my subject line correctly but we are having problems with SSH login hanging for long time. We want to see if we can use some other authentication protocol other than PAM or Kerberos.

Ok, I am not a security expert so dont flame me, just let me know what should we use for light security as most of the connections pass encrypted data from remote programmes and batch jobs etc, so we dont need to double encrypt, I am thinking this is the problem, sorry for not providing more info, but let me know what the consensus is.

TIA

Re: What is the Fastest Authentication Protocols for SSH

Ivan Krastev — Thu, 13 Dec 2007 19:52:10 GMT

Check your DNS resolvin. This is a commong issue with slow logins via ssh.

Disable dns in sshd_config:

UseDNS no

regards,
ivan

Re: What is the Fastest Authentication Protocols for SSH

Patrick Wallek — Thu, 13 Dec 2007 19:52:41 GMT

What version of HP-UX are you running? Are you running some sort of random number generator?

For HP-UX 11.11 (11i v1) and higher you can install the KRNG (Kernel random number generator) package and that helps authentication speed immensely.

Re: What is the Fastest Authentication Protocols for SSH

Dave Hutton — Thu, 13 Dec 2007 20:09:30 GMT

Kind of a long what Patrick was saying. I know for 10.20 -> 11.00 the larger your /var/adm/wtmp and btmp files get the longer it takes for your connection to go. If you are running the older versions of OS you could try to zero out those files and try it.

Re: What is the Fastest Authentication Protocols for SSH

Shah Sahib — Thu, 13 Dec 2007 20:50:42 GMT

Guys we are running HPUX 11.23 on a ia64 box, with Secure_Shell A.04.10.005, i dont see a RNG installed...the DNS is fine.

Will look into btmp and wtmp cleanup.
thanks

Re: What is the Fastest Authentication Protocols for SSH

TwoProc — Thu, 13 Dec 2007 21:18:46 GMT

Just for giggles add the ip address of whatever developer's machine is slow to login from into the /etc/hosts file. Retry the ssh login - if it's now fast, then it's dns speed issues.
I saw recently a suggestion to speed this up, and it was to make your machine a downstream end-level dns resolver, that way you'll have all that stuff cached up and close by on your own server, and you won't have to wait for a resolution... or you can just add developer's IP addresses to your /etc/hosts file - doesn't hurt anything...

Re: What is the Fastest Authentication Protocols for SSH

IT_2007 — Thu, 13 Dec 2007 21:24:46 GMT

post your /etc/nsswitch.conf file

also post sshd_conf file.

so that we can verify.

Re: What is the Fastest Authentication Protocols for SSH

skt_skt — Fri, 14 Dec 2007 03:30:11 GMT

is the login working fast through telnet?

Then update sshd_config as below,

UsePrivilegeSeparation no
#Compression yes

Re: What is the Fastest Authentication Protocols for SSH

Shah Sahib — Fri, 14 Dec 2007 13:09:18 GMT

I will respond to other questions, but here is the nsswitch.conf file

Re: What is the Fastest Authentication Protocols for SSH

Shah Sahib — Fri, 14 Dec 2007 14:06:30 GMT

I shared all the responses from this forum with our team here and they were all very good, my immediate question is (Patrick?) how do i find out what version RNG we are using? Is it integrated into some product? any detail on that is helpful, and twoproc we cant use the hosts file as we have dns and ldap setup but yes that would be good for testing and we will if all else fails, Dave yes I will clean up the wtmp and btmp soon as someone in the meeting agrees with you on that, Santosh thanks I verified it was already set to what you recommend.

Re: What is the Fastest Authentication Protocols for SSH

Shah Sahib — Fri, 14 Dec 2007 18:36:24 GMT

I did a ssh -vvv verbose login on the server and noticed the line

:RNG is ready, skipping seeding
:sh_connect: needpriv 0

does this mean anything?

Re: What is the Fastest Authentication Protocols for SSH

skt_skt — Fri, 14 Dec 2007 19:46:13 GMT

the delay is expeted if the wtmp is too big; Compare the size with other machine (is it really bigger).

Here is the procedure to do that..(tested)

1. Ensure that the wtmp file is not corrupt by running a last on your user id:

# last ` who am i `

2. Convert the wtmp file to ascii into a file system that has sufficient space:

# cat /var/adm/wtmp | /usr/sbin/acct/fwtmp > /tmp/ascii_wtmp

3. Determine the number of lines in the ascii file, take 10% of that value, and subtract that from total number of lines:

# lines=`cat /tmp/ascii_wtmp | wc -l`;lines2=`expr $lines / 10`; export lines3=`expr $lines - $lines2`;echo $lines3

4. Start the ascii file from the line number given as output from the above command:

# awk ' ( NR > '$lines3' ) ' /tmp/ascii_wtmp > /tmp/ascii_wtmp2

5. Convert the trimmed ascii file back to binary in place of the original wtmp:

# cat /tmp/ascii_wtmp2 | /usr/sbin/acct/fwtmp -ic > /var/adm/wtmp

6. Verify that the operation was successful

# ll /var/adm/wtmp

# last ` who am i `

Re: What is the Fastest Authentication Protocols for SSH

Shah Sahib — Fri, 14 Dec 2007 20:05:20 GMT

I just blew away the wtmp file, we dont need wtmp or btmp as it is a security risk anyways. I will monitor if the login improved.

But i notice we also have a file "wtmps" in the same dir as wtmp and it is large over 78mb..what is that?

Secondly, since we are on 11.23 so we should have a Random Number Generator built in, but my question is how do i know its running or being used? thanks

Re: What is the Fastest Authentication Protocols for SSH

Dave Hutton — Mon, 17 Dec 2007 15:02:27 GMT

I know you posted ssh -vvv and connected. You could also try running the sshd deamon in debug. sshd -ddd I've only messed with it a little when I was having issues, it seems like its only good for 1 session. (I couldn't figure out to allow it to have more then 1, but didn't spend much time on it)

So at least you could watch the origination and destinations and see where it gets hung up.

I've never had any issues with speed on 11.11 or newer. I only mention the wtmp/btmp because we do have some old 11.00 servers that when those files grow it tends to slow things down. I'm assuming it uses those files to randomly seed your connections. But if it helps great. I would just be surprised if it did.

Re: What is the Fastest Authentication Protocols for SSH

skt_skt — Mon, 17 Dec 2007 20:50:29 GMT

Secondly, since we are on 11.23 so we should have a Random Number Generator built in, but my question is how do i know its running or being used?

watch the screen (RNG is ready, skipping seeding)

#tusc -Eeaf -p -v -rall -wall -vall -T '' -o /tmp/ssh_tusc.txt ssh -vvv root@localhost

Re: What is the Fastest Authentication Protocols for SSH

Shah Sahib — Tue, 18 Dec 2007 20:23:56 GMT

Thanks Santhosh, tusc seems to be a good tool, we dont have it yet but will look into it.

Re: What is the Fastest Authentication Protocols for SSH

Shah Sahib — Wed, 02 Jan 2008 15:46:24 GMT

thanks to all.