topic Re: SSH very slow in Operating System - HP-UX

SSH very slow

David_246 — Mon, 14 Apr 2003 13:34:18 GMT

Hi,

I am trying to get SSH working
Currently I installed T1471AA (Version A.03.10.002), but when issuing "ssh " It is so very slow. Also scp, etc is very slow.

When using rlogin or rcp, I have no performance issue at all. It's very clear that ssh is waiting for something, Ones I entered my password evrything works on normal speed again.

I just installed this package so there might be somethin I forgot ?
Any help will be much apreciated !!

Regs David

Re: SSH very slow

Ron Cornwell — Mon, 14 Apr 2003 13:41:43 GMT

Is telnet just as slow?? It could be the DNS reverse look-up that is performed for every telnet/ssh session. Put the ip/hostname into /etc/hosts on the server with ssh of the system you are trying to connect from.

Re: SSH very slow

David_246 — Mon, 14 Apr 2003 13:48:49 GMT

Hi,

Nope everything is at normal speed. It's not DNS, it's just ssh that waits a very long time before it prompts for your password.

A "tusc" is attached.

Regs David

Re: SSH very slow

David_246 — Mon, 14 Apr 2003 13:52:53 GMT

Hhhm,
Attachment looks very bad. Retry.

Re: SSH very slow

Chris Vail — Mon, 14 Apr 2003 14:49:44 GMT

Part of your problem is that you're probably connecting between HPUX 11.0 systems or earlier. This has been addressed on this forum a couple of times, and you should be able to search and find the thread.

Basically, HPUX 11.0 and earlier has to use an executable to generate a random number as part of the key pair encryption algorhythm. Beginning with HPUX 11i and later, there is a /dev/random which significantly speeds up this process. Connecting between two 11i boxes is very fast: sub-second response time across a gigabit connection between two fast computers. If HPux 11.0 is on either side of that connection, the speed drops to 5-20 seconds to make the connection. Between 11.0 systems, and the speed drops to 20 seconds plus, even on 550Mhz systems. A lot of the speed issue is also related to the floating point speed of the system(s) you're using.

Once the initial connection is made, however, the system should be just as fast as anything else: ftp, cp, or remsh.

Chris

Re: SSH very slow

David_246 — Mon, 14 Apr 2003 15:56:46 GMT

Oh my god Chris,
This is very very unacceptable!
These documents(I am finaly able to search for forum questions) tell me that I just have to live with it that hp-ux 11.00 needs over a 20 seconds before it starts working due to a missing /dev/random/ or /dev/urandom.

I don't know but I thought it was an HP software package I downloaded. We're talking about hp-ux 11.00 here not 9.X

O my god, I am defintly NOT going to recommend to use ssh on HP-ux. Sorry but this is very disapointing.

Thanks for your advise !

Regs David

Re: SSH very slow

Chris Vail — Mon, 14 Apr 2003 18:32:10 GMT

You don't have to live with the 20 second response time. Upgrade to 11i. Thats one reason why there are later versions of O/S's. Its faster in a lot of other ways as well. We have a mixture of 11.0 and 11i systems here, and a definite time schedule to upgrade from one to the other (one that tends to slip, however).

Also, remember that this delay is ONLY during the initial connection. Once the connection is made, the speed is as for anything else. Its just a lot more secure. When my DBA's complain about this delay, I remind them that we can upgrade the OS anytime we want to.

Chris

Re: SSH very slow

Wilfred Chau_1 — Mon, 14 Apr 2003 20:36:47 GMT

We have a mix of 11.0 & 11i systems and have never experience such long delay.

Try turn off reverse lookup checking and see if it improves throughput.

What also help is by adding -v with ssh & scp and see what really it is waiting on.

Re: SSH very slow

Michael Burbury — Tue, 15 Apr 2003 04:40:32 GMT

Hi all,

I run SSH on UX 11.00 without slowness.

The trick is to configure SSH not to regenerate the key so often by editing the sshd_config file and using:

KeyRegenerationInterval 3600

Also make sure the size of the key is not too big, I use:

ServerKeyBits 768

Finally, as it will do a reverse lookup of the client connecting to SSH, you can speed up the process by caching the DNS on your HP, (see "man named").

Cheers...
(Of course, I was assuming you use OpenSSH2).

Re: SSH very slow

Michael Burbury — Tue, 15 Apr 2003 04:40:59 GMT

Re: SSH very slow

Michael Burbury — Tue, 15 Apr 2003 04:48:21 GMT

If using OpenSSH2, then:

In /opt/openssh2/etc/sshd_config, set key regeneration interval to something better than the default, I use:

KeyRegenerationInterval 3600

Also, set the key length to something a little less taxing on the system:

ServerKeyBits 768

Finally, cache your DNS on the HP system using named, so reverse lookups run faster or just use the hosts file and no DNS.

Might reduce the security a little, but at least it performs well and is a darn site more secure than telnet.

My settings are as follows:

me@myhp /opt/openssh2/etc > cat sshd_config
Port 22
HostKey /opt/openssh2/etc/ssh_host_key
HostKey /opt/openssh2/etc/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /opt/openssh2/libexec/sftp-server

Cheers...

Re: SSH very slow

Michael Burbury — Tue, 15 Apr 2003 04:51:50 GMT

Sorry for the multiple posts, my browser has been "interesting" lately.

Re: SSH very slow

David Lodge — Tue, 15 Apr 2003 09:09:33 GMT

Also; there can be delays with using inetd - as it produces the random number each time there is a delay.

Running it as a daemon can produce some performance enhancements for initial connection.

Re: SSH very slow

Tim Maletic — Tue, 15 Apr 2003 11:18:52 GMT

This current thread
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x908a19434a69d711abdc0090277a778c,00.html
may also be relevant here. -Tim

Re: SSH very slow

David_246 — Wed, 16 Apr 2003 05:26:50 GMT

Hi Tim,

Thanks a lot for your thread, this indeed gave the solution !! I have been searching for answers but didn't came up with this one.

/opt/ssh/etc/ssh_prng_cmds

should have many entries deleted !! (I would have sworn it is an HP created package, some commands even don't excist on HP ??)

Michael, Many thanks for your assistance !! You gave me some info about a working install, although it didn't come to an answer your help is still apreciated !!

Regs David

Re: SSH very slow

HPUX admin_1 — Wed, 30 Apr 2003 13:59:49 GMT

Re: SSH very slow

Steven E. Protter — Fri, 02 May 2003 21:53:19 GMT

I just installed Secure Shell 3.5. It totally improved my connect speed issue. Now everything is instantaneous.

SEP

Re: SSH very slow

Armin Kunaschik — Wed, 07 May 2003 09:01:29 GMT

Hi there,

you wrote that installing Openssh 3.5 would fix the problem... this is right but only because the supplied ssh_prng_cmds is broken! It does not generate ANY entropy at all!
If you take a look at the file you see many entries like @PROG_LS@ which normaly should contain "/bin/ls" etc. The result is, that the commands are not found and no entropy is generated. Verify this by issueing the command /opt/ssh/libexec/ssh-rand-helper -vvv :
20166: debug1: loading PRNG seed from file //.ssh/prng_seed
20166: debug1: Seeded RNG with 3 bytes from system calls
20166: debug1: Loaded 52 entropy commands from /opt/ssh/etc/ssh_prng_cmds
20166: debug3: Reading output from 'ls -alni /var/log'
20166: debug3: Time elapsed: 1 msec
20166: debug2: Command 'ls -alni /var/log' exit status was 255
20166: debug3: Got 0.00 bytes of entropy from 'ls -alni /var/log'
20166: debug3: Reading output from 'ls -alni /var/adm'
20166: debug3: Time elapsed: 1 msec
*snip*
Every entry returns 255 (file not found)... this is far from being OK.

In addition the ssh_prng_cmds is not modified to follow HP-UX syntax of some commands, e.g. ls -alTi is not valid, ifconfig -a does not give any usable output, netstat -pn needs more options to display any "random data" etc...
HP, please fix this in all versions of openssh!
While doing this, please remove the df commands because it prevents you from logging in if the server has stale NFS mounts.

In general, to answer the first question, ssh-rand-helper -vvv is your friend if you have performance problems (and no /dev/random).

Regards,
Armin