HPE Community
Operating System - HP-UX
1826605 Members
3204 Online
109695 Solutions
New Discussion

Re: Slow ssh key exchange.

 
Steven E. Protter
Exalted Contributor

‎03-06-2003 02:53 PM

‎03-06-2003 02:53 PM

Slow ssh key exchange.

I saw a itrc forum post about this but for the life of me, I can't find it. Looked for half an hour.

With my Linux boxes at home ssh connects in about a second.

Between my HP-UX boxes, there is a delay of between 30-60 seconds.

Someone posted a fix to install that brings this down to 5 secons.

I need the patch for 11.00 and 11.11 because I have a mixed environment.

If you beat the support center extra kudos for you.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
16 REPLIES 16
James R. Ferguson
Acclaimed Contributor

‎03-06-2003 03:08 PM

‎03-06-2003 03:08 PM

Re: Slow ssh key exchange.

Hi Steven:

This could be a DNS reverse name lookup problem or a badly configured '/etc/nsswitch.conf' file. Make sure it contains "hosts:files [NOTFOUND=continue] dns" for DNS lookups.

Regards!

...JRF...
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎03-06-2003 03:08 PM

‎03-06-2003 03:08 PM

Re: Slow ssh key exchange.

Hi Steven,

I seem to remember that the delay is due to HP-UX's lack of the /dev/random device.
Anyway, here's a couple thread dealing with the issue:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x6edae822e739d711abdc0090277a778c,00.html

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x2bde35067c18d6118ff40090279cd0f9,00.html

I can't seem to find the specific thread I remember, but I'll keep looking.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎03-06-2003 03:10 PM

‎03-06-2003 03:10 PM

Re: Slow ssh key exchange.

Hi SEP,

It is dependent on how much strong your random number generation you want. This is done by prng commands.

If you are using openssh, you will find these commands in /opt/openssh2/etc/ssh_prng_cmds.

You can probably delete some of the commands like netstat that will take long time to produce the output. You can make it much longer if you add commands like ioscan :-).

Just remember, the less you have in there, weaker will be the Random number generation.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-06-2003 03:22 PM

‎03-06-2003 03:22 PM

Re: Slow ssh key exchange.

No dns issues. DNS resolution is instantaneous and reliable, in spite of the fact Microsoft is the server for 3 of my five boxes.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-06-2003 03:23 PM

‎03-06-2003 03:23 PM

Re: Slow ssh key exchange.

Darn. I know I saw a post with a patch for this. Should have bookmarked it.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎03-06-2003 03:27 PM

‎03-06-2003 03:27 PM

Re: Slow ssh key exchange.

...but Steve, the Forum's search works so well and so reliably :-))

...JRF...
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-06-2003 03:28 PM

‎03-06-2003 03:28 PM

Re: Slow ssh key exchange.

My crown is getting bent, as I bang it against this brick wall. Trying another itrc search
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎03-06-2003 03:33 PM

‎03-06-2003 03:33 PM

Re: Slow ssh key exchange.

Steven,

I know for 11.11, you can install KRNG. It will create a /dev/random interface and may speed up the key generation.

Look at this link.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=KRNG11I

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎03-06-2003 03:35 PM

‎03-06-2003 03:35 PM

Re: Slow ssh key exchange.

Sridhar's on target.

Take a look at that file, mine has approx 60 seperate commands with a mix of ls, tail, netstat, ifconfig, etc.
These determine the *random* # generated.
It's the *time* that it takes to run them that's delaying the connection.

What HP *NEEDS* is a /dev/random device to generate random #s quickly.

If it's a patch, it going to have to be a patch that gives us /dev/random. 'Til then we're stuck generating randoms in this fashion.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-06-2003 03:40 PM

‎03-06-2003 03:40 PM

Re: Slow ssh key exchange.

Stupid question: If I have already generated public keys acccording to Chris Vale's attached doc, how does random key generation come into it?

Because the public key is the seed for generating the keys that go across the network right?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎03-06-2003 03:45 PM

‎03-06-2003 03:45 PM

Re: Slow ssh key exchange.

Hi Steven,


iam@myserver:>ssh -vvv somewhereelse
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /opt/openssh2/etc/ssh_config
debug3: Seeding PRNG from /opt/openssh2/libexec/ssh-rand-helper

(waits here until it finishes generating the random number)

^ that is your answer.


You have another headache to deal with if you are using openssh. It cannot manage the expired passwords. I tried to apply pam patches unsuccessfully. Am waiting to compile 3.5 with other patches to see if it can help us.

I would suggest you to go with secure shell of HP that is much better than openssh. I guess it is supported by HP.


Just giving you heads up.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎03-06-2003 03:48 PM

‎03-06-2003 03:48 PM

Re: Slow ssh key exchange.

The random number is a "challenge" & is encrypted using the user's public key & can only be properly decrypted with the private key. This encrypted random number gets sent back to the user.
And if the user successfully decrypts it proves the user does in fact truly know the private key w/o disclosing it.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Chris Wong
Trusted Contributor

‎03-06-2003 05:15 PM

‎03-06-2003 05:15 PM

Re: Slow ssh key exchange.

Here's my article talking about /dev/random (only availabe for 11i):

http://newfdawg.com/SSHpart5.htm

- Chris
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-06-2003 05:58 PM

‎03-06-2003 05:58 PM

Re: Slow ssh key exchange.

In response to the question, we are using HP's distrubution of Secure Shell(the one I post the link to like 10 times a day).

We are not using openssh, per say.

I will try your ideas and get additional diagnostics. Perhaps this is why my Linux comparison is bad. That is openssh, packaged by red hat as an rpm.

Still the vvv mode sounds interesting. Nobody heard of a patch in regards to this?

Note: My son got the flu, I'll get back and handle points a little later.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎03-06-2003 09:01 PM

‎03-06-2003 09:01 PM

Re: Slow ssh key exchange.

I argued that we should use the HP product, and honestly I did so purely for the support issue.
But I lost the argument because we were more concerned about time to
release.
But as my esteemed colleague has pointed out, we've now discovered reasons to regret that decision.

This is an issue that should be discussed MUCH more in our profession.
What's more important - timeliness, support or stability? And the real twist comes when you throw security into the equation.

But I lose no sleep over these issues, because I *never* forget that without these Mobius strips, we'd be without a job.

My $0.02,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-07-2003 05:37 AM

‎03-07-2003 05:37 AM

Re: Slow ssh key exchange.

Response to your question:
What's more important - timeliness, support or stability?

They are all important.

I think HP strives to provide balance and usually does. I can tolerate the ssh key exchange delay so long as HP commits to doing something about it.

SEP

Still nobody knows about a patch, I thought I saw a post.

:-(

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.