HPE Community
Operating System - HP-UX
1752800 Members
5873 Online
108789 Solutions
New Discussion юеВ

Re: SSH Authentification very slow on HPUX 11.31

 
PatRoy
Regular Advisor

тАО02-19-2009 11:52 AM

тАО02-19-2009 11:52 AM

Re: SSH Authentification very slow on HPUX 11.31

OldSchool, also thought that would of been it. But it was already on "Password Only" authentication. Doesn't work. It's not the same thing has Keyboard-Interactive...

I've just tried out another SSH Client for Windows called SftpDrive. Here's a screenshot clearly showing the 2 options...

Thanks again.
0 Kudos
Reply
PatRoy
Regular Advisor

тАО02-24-2009 11:57 AM

тАО02-24-2009 11:57 AM

Re: SSH Authentification very slow on HPUX 11.31

Turns out I had to set the following in sshd_config:

KerberosAuthentication no

That way, it's fast. I still don't get it. We're not using Kerberos in any way. The following configs are the same (from good to bad server):

- pam.conf
- pam.krb5
- sshd_config
- nsswitch.conf
and I probably checked some others... but don't recall... checked so many things...

Any clues why? Missing patch perhaps? Kernel config??

Thanks again. Pat
0 Kudos
Reply
Tingli
Esteemed Contributor

тАО02-24-2009 03:01 PM

тАО02-24-2009 03:01 PM

Re: SSH Authentification very slow on HPUX 11.31

Check /var/adm/syslog/syslog.log, there might be some clue about it.
0 Kudos
Reply
PatRoy
Regular Advisor

тАО02-25-2009 08:23 AM

тАО02-25-2009 08:23 AM

Re: SSH Authentification very slow on HPUX 11.31

The logs, unfortunately, don't seem to be telling me anything useful. All I could get from syslog.log is something like:

Feb 25 09:14:01 blux5 sshd[4061]: SSH: Server;Ltype: Version;Remote: 192.168.87.132-3870;Protocol: 2.0;Client: PuTTY_Release_0.60

Feb 25 09:16:01 blux5 sshd[4061]: Accepted password for root from 192.168.87.132 port 3870 ssh2

However, just noticed... the delay to get in seems to be *always* exactly 2 minutes. It's some kind of timeout... but where? I don't know.. :(
0 Kudos
Reply
Mike Culbertson
New Member

тАО02-25-2009 08:31 AM

тАО02-25-2009 08:31 AM

Re: SSH Authentification very slow on HPUX 11.31

I can confirm to some extent that the 5.1 binary is borked. It is not any of the usual suspects in our case; name resolution is fine, NFS is fine, and there are ~200 other (non-hpux) machines using the same services with no issue.

In our case, with KerberosAthentication enabled or disabled (kerberos works fine, actually), a login or command execution takes 100-120 seconds. Inexplicably, root login is fast though login for other local users is still slow. Truss-ing the sshd process yields nothing that would obviously account for this.

I downgraded to 5.0 and suddenly all is fixed. Login is fast, krb5/GSSAPI login works fine, no obvious issues anywhere.

HP should probably take down that build, it clearly has some problems...
0 Kudos
Reply
PatRoy
Regular Advisor

тАО02-25-2009 08:37 AM

тАО02-25-2009 08:37 AM

Re: SSH Authentification very slow on HPUX 11.31

I'd like to try a downgrade... Where can I get the 5.0 version? I tried:

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

But can't see it there... Can you tell me where? Thanks so much.

Pat.
0 Kudos
Reply
Mike Culbertson
New Member

тАО02-25-2009 09:11 AM

тАО02-25-2009 09:11 AM

Re: SSH Authentification very slow on HPUX 11.31

That's a great question... I don't know. I happened to have the packages from our previous upgrade still laying around, but I was not able to find them online.

There is a non-kerberized package available here: http://hpux.cs.utah.edu/ and openssh does build pretty easily with kerberos enabled (krb5 complicates things quite a bit).

If anyone knows if/where previous versions are available, it would really be helpful; I had to downgrade my 11.11 boxes all the way to 4.1 because it was the only other package I had available.
0 Kudos
Reply
Billa-User
Regular Advisor

тАО06-02-2009 09:42 PM

тАО06-02-2009 09:42 PM

Re: SSH Authentification very slow on HPUX 11.31

hello,
this thread was very helpful for us.
i rolled out SecureShell A.05.10.X on our HPUX 11.23 / 11.31 servers (after testing a few weeks on some test and production server). On one HPUX 11.31 server we use SecureShell extremely intensive, after the installation it wasn't possible to login with SSH in a acceptable time. one SSH process use about 60 % of a CPU ! the solution to solve the problem:

Purge /var/adm/wtmp and /var/adm/wtmps.
/var/adm/wtmps had about 500 MB ! (yes we will reorganize it in the future)

also in the installation description for A.05.10.X is no prerequisite. but there is a prerequisite : OpenSSL A.00.09.8j !!! SSH doesn't work on HPUX 11.31 with a older version => Fatal Error.

Be careful with SecureShell A.05.10.X
0 Kudos
Reply
PatRoy
Regular Advisor

тАО06-03-2009 05:10 AM

тАО06-03-2009 05:10 AM

Re: SSH Authentification very slow on HPUX 11.31

Thanks Billa.

If I recall right, it turns out I had to set 'KerberosAuthentication = no' in sshd_config of my problematic server to resolve this. I know, it's more of a patch then a real fix, but at the time, since we aren't using Kerberos, figured it did the trick...

Cheers!
P.
0 Kudos
Reply
Sven Bergmann
Frequent Advisor

тАО08-10-2009 06:46 AM

тАО08-10-2009 06:46 AM

Re: SSH Authentification very slow on HPUX 11.31

we're using ssh 5.20.006 on 11.31 and also encountered slow login's. editing sshd_conf (#kerberosauthenticaion yes) solves the problem.

i sniffed with nettl and it looks like that ssh make a false dns-request. after entering password and pressing 'enter' the client makes a dns-request and asks for _kerberos.int...after 5 seconds and no answer the client repeats his request...again 5 seconds of silence. then the dns-server answers with a failure. after that the client asks for _kerberos.admin.int and the dns-server answers succesfully without any interruption!

our domain is "admin.int"...not only "int"! it seems that the first 2 requests are simply false.







0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.