System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

SSH Authentification very slow on HPUX 11.31

PatRoy
Regular Advisor

SSH Authentification very slow on HPUX 11.31

Hi.

I've been having theses issues with 2 specific HPUX 11.31 boxes. When ever I login to theses using SSH/SFTP it is extremely slow to connect to.

Now, I've noticed that if I use Keyboard-Interactive Authentication with my SSH clients, it's fine! But any other choice will be very slow! Now, we use a lot UltraEdit with SFTP on theses boxes. Unfortunately, they don't have the option to use Keyboard-Interactive by default in this client.

How can I change this server side? What's funny is that I've got one other 11.31 box which is just fine. I've compared their Secure_Shell version (A.05.10.008), their sshd_config and the pam.conf. All the same.

Can anyone help?

Thanks so much!

Pat.
24 REPLIES
Steven E. Protter
Exalted Contributor

Re: SSH Authentification very slow on HPUX 11.31

Shalom,

Few possibilities.

I've seen quite a few complaints about this version of Secure Shell. A prior or upcoming version might work a little better.

This seems to me like a problem with the binaries.

also possible:
Slow DNS resolution

Network speed (use lanadmin to make sure you are getting full duplex).

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
OldSchool
Honored Contributor

Re: SSH Authentification very slow on HPUX 11.31

i'd bet on name resolution issues first
Anka
Trusted Contributor

Re: SSH Authentification very slow on HPUX 11.31

compare the /etc/resolv.conf with a system without the problem
you can also check the /etc/nsswitch.conf file... hosts and also ipnodes should have files...dns.. entry
if the dns is on the first place try first files then dns and add in the /etc/hosts the ip fqdn alias for the client system to see whether the situation is the same

hope it helps
Tingli
Esteemed Contributor

Re: SSH Authentification very slow on HPUX 11.31

This can be the primary DNS server is down while the secondary server is up. And ssh takes a long time to go to the second one for ip address.
Olivier Masse
Honored Contributor

Re: SSH Authentification very slow on HPUX 11.31

Purge /var/adm/wtmp and /var/adm/wtmps.
Court Campbell
Honored Contributor

Re: SSH Authentification very slow on HPUX 11.31

I would suspect dns. you could disable dns lookups in sshd_config and see if that speeds things up. You might also want to check your network speed. I only say that because I was plugged into a port once that was set to 100Mb.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Steven Schweda
Honored Contributor

Re: SSH Authentification very slow on HPUX 11.31

Have you tried connecting using "ssh -v", to
try to see where in the procedure the delay
occurs?

Any difference if the client is the same as
the server?
PatRoy
Regular Advisor

Re: SSH Authentification very slow on HPUX 11.31

Thanks all for your replies. However, we had also thought of a DNS problem at first. It can't be that. It's working just fine with other SSH Clients.

I'm even able to reproduce / fix the problem with PuTTY. Within putty, if I go to the Connection / SSH / Auth menu, there's an option to use "Attempt Keyboard-Interactive auth". It's on by default. If I login with that, it's fast. However, turning that OFF will make it slow.

I would need to same option with my other SSH Client (UltraEdit in this case), but it's not there. Now, I want to know how to fix that server side instead... if possible.

I'm attaching a screenshot of my putty.

Cheers. Pat
OldSchool
Honored Contributor

Re: SSH Authentification very slow on HPUX 11.31

If I found the correct UltraEdit, it looks like you can configure that setting at the client side. see:

http://www.ultraedit.com/support/tutorials_power_tips/ultraedit/ssh_telnet.html

See section 3d regarding authentication methods....
PatRoy
Regular Advisor

Re: SSH Authentification very slow on HPUX 11.31

OldSchool, also thought that would of been it. But it was already on "Password Only" authentication. Doesn't work. It's not the same thing has Keyboard-Interactive...

I've just tried out another SSH Client for Windows called SftpDrive. Here's a screenshot clearly showing the 2 options...

Thanks again.
PatRoy
Regular Advisor

Re: SSH Authentification very slow on HPUX 11.31

Turns out I had to set the following in sshd_config:

KerberosAuthentication no

That way, it's fast. I still don't get it. We're not using Kerberos in any way. The following configs are the same (from good to bad server):

- pam.conf
- pam.krb5
- sshd_config
- nsswitch.conf
and I probably checked some others... but don't recall... checked so many things...

Any clues why? Missing patch perhaps? Kernel config??

Thanks again. Pat
Tingli
Esteemed Contributor

Re: SSH Authentification very slow on HPUX 11.31

Check /var/adm/syslog/syslog.log, there might be some clue about it.
PatRoy
Regular Advisor

Re: SSH Authentification very slow on HPUX 11.31

The logs, unfortunately, don't seem to be telling me anything useful. All I could get from syslog.log is something like:

Feb 25 09:14:01 blux5 sshd[4061]: SSH: Server;Ltype: Version;Remote: 192.168.87.132-3870;Protocol: 2.0;Client: PuTTY_Release_0.60

Feb 25 09:16:01 blux5 sshd[4061]: Accepted password for root from 192.168.87.132 port 3870 ssh2

However, just noticed... the delay to get in seems to be *always* exactly 2 minutes. It's some kind of timeout... but where? I don't know.. :(
Mike Culbertson
Occasional Visitor

Re: SSH Authentification very slow on HPUX 11.31

I can confirm to some extent that the 5.1 binary is borked. It is not any of the usual suspects in our case; name resolution is fine, NFS is fine, and there are ~200 other (non-hpux) machines using the same services with no issue.

In our case, with KerberosAthentication enabled or disabled (kerberos works fine, actually), a login or command execution takes 100-120 seconds. Inexplicably, root login is fast though login for other local users is still slow. Truss-ing the sshd process yields nothing that would obviously account for this.

I downgraded to 5.0 and suddenly all is fixed. Login is fast, krb5/GSSAPI login works fine, no obvious issues anywhere.

HP should probably take down that build, it clearly has some problems...
PatRoy
Regular Advisor

Re: SSH Authentification very slow on HPUX 11.31

I'd like to try a downgrade... Where can I get the 5.0 version? I tried:

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

But can't see it there... Can you tell me where? Thanks so much.

Pat.
Mike Culbertson
Occasional Visitor

Re: SSH Authentification very slow on HPUX 11.31

That's a great question... I don't know. I happened to have the packages from our previous upgrade still laying around, but I was not able to find them online.

There is a non-kerberized package available here: http://hpux.cs.utah.edu/ and openssh does build pretty easily with kerberos enabled (krb5 complicates things quite a bit).

If anyone knows if/where previous versions are available, it would really be helpful; I had to downgrade my 11.11 boxes all the way to 4.1 because it was the only other package I had available.
Billa-User
Regular Advisor

Re: SSH Authentification very slow on HPUX 11.31

hello,
this thread was very helpful for us.
i rolled out SecureShell A.05.10.X on our HPUX 11.23 / 11.31 servers (after testing a few weeks on some test and production server). On one HPUX 11.31 server we use SecureShell extremely intensive, after the installation it wasn't possible to login with SSH in a acceptable time. one SSH process use about 60 % of a CPU ! the solution to solve the problem:

Purge /var/adm/wtmp and /var/adm/wtmps.
/var/adm/wtmps had about 500 MB ! (yes we will reorganize it in the future)

also in the installation description for A.05.10.X is no prerequisite. but there is a prerequisite : OpenSSL A.00.09.8j !!! SSH doesn't work on HPUX 11.31 with a older version => Fatal Error.

Be careful with SecureShell A.05.10.X
PatRoy
Regular Advisor

Re: SSH Authentification very slow on HPUX 11.31

Thanks Billa.

If I recall right, it turns out I had to set 'KerberosAuthentication = no' in sshd_config of my problematic server to resolve this. I know, it's more of a patch then a real fix, but at the time, since we aren't using Kerberos, figured it did the trick...

Cheers!
P.
Sven Bergmann
Frequent Advisor

Re: SSH Authentification very slow on HPUX 11.31

we're using ssh 5.20.006 on 11.31 and also encountered slow login's. editing sshd_conf (#kerberosauthenticaion yes) solves the problem.

i sniffed with nettl and it looks like that ssh make a false dns-request. after entering password and pressing 'enter' the client makes a dns-request and asks for _kerberos.int...after 5 seconds and no answer the client repeats his request...again 5 seconds of silence. then the dns-server answers with a failure. after that the client asks for _kerberos.admin.int and the dns-server answers succesfully without any interruption!

our domain is "admin.int"...not only "int"! it seems that the first 2 requests are simply false.







jrobstewart
Occasional Visitor

Re: SSH Authentification very slow on HPUX 11.31

We just upgraded ssh on our 11.23 machine to:

# ssh -version
OpenSSH_5.2p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8k 25 Mar 2009
HP-UX Secure Shell-A.05.20.014, HP-UX Secure Shell version

Same problem - slow interactive but fast with embedded commands. Our slow interactive problem was fixed when we crushed wtmp and wtmpx. Thanks, Olivier.

John
Mary A Mentillo
Occasional Visitor

Re: SSH Authentification very slow on HPUX 11.31

Talked with hp support known issue starting with version 4.7. Emptied file and it worked. Decided to stay with 4.5 until new version is fixed

HP-UX Secure Shell Software - Logins Slower after Update to Version A.04.70.010
ISSUE:
User was running HP-UX Secure Shell-A.04.30.007 and all was working OK. He updated to a more current version (A.04.70.10) and now his logins take 10-15 seconds to complete. The delay appears after entering the password.

SOLUTION:
The newer version of the ssh daemon (/usr/bin/sshd) will read the entire file /var/adm/wtmps if it exists. Since this file grows without bound, it can become exceeding large and cause delays in the login process.

The man page for wtmps states:

Note that wtmps and btmps tend to grow without bound, and should be checked regularly. Information that is no longer useful should be removed periodically to prevent the file from becoming too large. Also note that wtmps and btmps are not created by the programs that maintain them. Thus, if these files are removed, login record-keeping is turned off.

If the size of the file is very large, it may be truncated with:

# cat /dev/null > /var/adm/wtmps

This should improve the login times. You do not need to restart the daemon.



sombriks
Advisor

Re: SSH Authentification very slow on HPUX 11.31

thanks a lot, it was my issue too.
Fontainhas Dias
Occasional Visitor

Re: SSH Authentification very slow on HPUX 11.31

I've been feeling this symptoms for a while and the "reset" wtmps hints where very useful

# cat /dev/null > /var/adm/wtmps
as we don't use telnet (disabled)

Thank you all
EdsonS
Established Member

Re: SSH Authentification very slow on HPUX 11.31

Thanks a lot! It solve my problem too.