
ssh daemon responds after a long time

 
Deniz Cendere
Frequent Advisor


Hi all,

I have a server running HP-UX 11.11 and MC/SG 11.16. It is a clustered server.

I installed HP-UX Secure Shell A.04.20 on it.
But the ssh daemon takes much longer to respond to a login request. I have a test server with the same version, but it doesn't have this kind of problem.

Do you have any idea?

Thanks
Deniz
Kasper Hedensted
Trusted Contributor

Re: ssh daemon responds after a long time

Hi Deniz,

Is DNS set up properly on this machine?
It could be that the server cannot make a reverse lookup of the incoming IP-address.

Cheers,
Kasper
Deniz Cendere
Frequent Advisor

Re: ssh daemon responds after a long time


Hi,

It doesn't have DNS set up.
There is no /etc/resolv.conf file, and in the /etc/nsswitch.conf file the hosts entry is as below.
<<
more /etc/nsswitch.conf
hosts: files
>>

Thanks

Deniz
Arunvijai_4
Honored Contributor

Re: ssh daemon responds after a long time

Hi Deniz,

Do you have an /etc/hosts file? This is a name resolution issue.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Ivan Ferreira
Honored Contributor

Re: ssh daemon responds after a long time

You can start the sshd daemon with -u0 to disable DNS requests.

Edit /etc/rc.config.d/sshd and configure:

SSHD_ARGS="-u0"


Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Deniz Cendere
Frequent Advisor

Re: ssh daemon responds after a long time

Yes,

I have an /etc/hosts file.
Peter Godron
Honored Contributor

Re: ssh daemon responds after a long time

Deniz,
add your machines into the /etc/hosts file and retry.

Other things (remote chance, earlier versions) were:
Frequency of keygen and length of key:
KeyRegenerationInterval
ServerKeyBits
ssh_prng_cmds
Deniz Cendere
Frequent Advisor

Re: ssh daemon responds after a long time

I already have the server name and IPs in the /etc/hosts file.

What must be the values of these variables? I think they have default values in my system because they are commented.

#KeyRegenerationInterval 1h
#ServerKeyBits 768

They are also commented in my other server but it doesn't have such a problem.

Thanks

Deniz
Jeff Schussele
Honored Contributor

Re: ssh daemon responds after a long time

Hi Deniz,

This is most likely due to the "pseudo" random number generator algorithms used.
That system is probably more heavily loaded than the other & it takes longer to run all the commands in the entropy gathering file ssh_prng_cmds.
If you're running 11i v1 then you should install the KRNG11i package to install a true RNG device.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Peter Godron
Honored Contributor

Re: ssh daemon responds after a long time

Deniz,
can you please try something:
cd /etc/opt/ssh
cp ssh_prng_cmds ssh_prng_cmds.bck
vi ssh_prng_cmds

remove the netstat -ia and/or df commands

These may be the commands slowing the ssh down.
Vipulinux
Respected Contributor

Re: ssh daemon responds after a long time

Hi Deniz

Check this out:
ssh(1) takes a long time to connect or log in
Large delays (more than 10 seconds) are typically caused by a problem with name resolution:

Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1) can take a long time to resolve "IPv6 or IPv4" addresses from domain names. This can be worked around by specifying the AddressFamily inet option in ssh_config.
There may be a DNS lookup problem, either at the client or server. You can use the nslookup command to check this on both client and server by looking up the other end's name and IP address. In addition, on the server look up the name returned by the client's IP-name lookup. You can disable most of the server-side lookups by setting UseDNS no in sshd_config.
Delays less than 10 seconds can have other causes.

OpenSSH releases prior to 3.8 had a moduli file with moduli that were just smaller than what sshd would look for, and as a result, sshd would end up using moduli significantly larger than requested, which resulted in a speed penalty. Replacing the moduli file will resolve this (note that in most cases this file will not be replaced during an upgrade and must be replaced manually).
OpenSSH releases prior to 3.8 had a flaw in ssh that would cause it to request moduli larger than intended (which when combined with the above resulted in significant slowdowns). Upgrading the client to 3.8 or higher will resolve this issue.
If either the client or server lack a kernel-based random number device (eg Solaris < 9, AIX < 5.2, HP-UX < 11.11) and no substitute is available (eg prngd) it's possible that one of the programs called by ssh-rand-helper to generate entropy is hanging. This can be investigated by running it in debug mode:
/usr/local/libexec/ssh-rand-helper -vvv

Any significant delays should be investigated and rectified, or the corresponding commands should be removed from ssh_prng_cmds.

Cheers
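
Added example (not from any poster in this thread, and not HP or OpenSSH code): a script that times each enabled entry of an ssh_prng_cmds-style file, so the slow entropy-gathering commands discussed in the replies above can be identified before the file is edited. It assumes the OpenSSH portable entry format `"program args" path rate` with `undef` marking a disabled entry, and a `date` that supports `+%s`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: time each enabled entry of an ssh_prng_cmds-style file.
# Assumed entry format: "program args" /path/to/program rate
# (a path of "undef" marks a disabled entry)

# slow_prng_cmds FILE LIMIT
# Prints "<seconds> <command>" for every entry that ran for >= LIMIT seconds.
slow_prng_cmds() {
    file=$1 limit=$2
    while IFS= read -r line; do
        case $line in
            \"*\"*) ;;          # entry lines start with a quoted command
            *) continue ;;      # comments, blank lines, anything else
        esac
        rest=${line#\"}
        cmd=${rest%%\"*}        # program name and arguments
        set -f                  # no globbing while word-splitting
        set -- ${rest#*\"}      # $1 = path, $2 = rate
        path=${1:-undef}
        case $cmd in
            *" "*) args=${cmd#* } ;;
            *) args= ;;
        esac
        if [ "$path" = undef ] || [ ! -x "$path" ]; then set +f; continue; fi
        start=$(date +%s)
        # stdin comes from /dev/null so the command cannot consume the file
        "$path" $args >/dev/null 2>&1 </dev/null || :   # exit status ignored
        end=$(date +%s)
        set +f
        if [ $((end - start)) -ge "$limit" ]; then
            printf '%s %s\n' "$((end - start))" "$cmd"
        fi
    done < "$file"
    return 0
}

# Constructed sample (not a real HP-UX file): one slow, one fast, one disabled.
write_sample() {
    s=$(command -v sleep)
    printf '%s\n' '# constructed sample' \
        "\"sleep 2\" $s 0.0" "\"sleep 0\" $s 0.0" \
        '"ls -alni /var/log" undef 0.02' > "$1"
}

# Stand-alone use: sh thisscript.sh FILE [LIMIT_SECONDS]
if [ $# -ge 1 ]; then slow_prng_cmds "$1" "${2:-2}"; fi
```

On the server in this thread the file to pass would be /etc/opt/ssh/ssh_prng_cmds; any entry the script reports is a candidate for the investigation or removal suggested above.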