
ssh/scp 20-30 second delay before attempting connection

 
James Perry
Advisor

ssh/scp 20-30 second delay before attempting connection

I am running the SSH bundle (3.5p1). I have noted that there is a 20-30 second delay while the ssh client runs the rand-helper app since HP does not have a /dev/random device. I have added the prngd product and it is still not providing aid. Are there any suggestions as to a way to resolve this issue? Connections from the PC and Linux servers using ssh products are quick, but using any of the ssh products on HP has the delay. Suggestions?
Kent Ostby
Honored Contributor

Re: ssh/scp 20-30 second delay before attempting connection

Can you run ssh with the -vvv option to get debug information ?

Also, what do you have in /opt/ssh/etc/ssh_prng_cmds ?
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
James Perry
Advisor

Re: ssh/scp 20-30 second delay before attempting connection

The hang time is in the debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper step. I have compiled a version on a test box and it only takes 2-3 seconds to connect. As for the /opt/ssh/etc/ssh_prng_cmds, I do not have the /opt/ssh directory structure. It was not installed as part of the openssh-3.5p1-sd-11.00.depot that was installed. Is there another depot that installs a random number generator like PRNGD as part of the package?
Dale Barnes
Advisor

Re: ssh/scp 20-30 second delay before attempting connection

I am seeing the same delay at the debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper step, both connecting to HP and Solaris boxes. I have a /opt/ssh/etc/ssh_prng_cmds file; it has a lot of lines like:
"ls -alni /var/spool/mail" /usr/bin/ls 0.02
in it. This is the ssh bundle for HPUX11.
"I try to avoid experience; most experience is bad." - Wilde
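An added example, not part of any post in this thread: ssh-rand-helper gathers entropy by running the commands listed in ssh_prng_cmds, so timing each entry shows which ones account for the seeding delay. The script name `prng_timing.sh` and the function names are hypothetical, the line format is taken from the line quoted above, and a `date` that supports `+%s` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): time every command listed in an
# ssh_prng_cmds-style file to see which ones account for the seeding delay.
# Assumed line format, as in the line quoted above:
#   "argv0 arg1 ..." /path/to/binary rate

# Print "path|rate|command" for a well-formed entry; print nothing for
# comments, blank lines and anything else.
parse_prng_line() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*"\([^"]\{1,\}\)"[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}\([0-9.]\{1,\}\)[[:space:]]*$/\2|\3|\1/p'
}

# For each entry print: seconds<TAB>output bytes<TAB>rate<TAB>command
# Entries whose binary is missing or not executable are reported as "skip".
time_prng_cmds() {
    set -f                      # the entries are not meant to be globbed
    while IFS= read -r line; do
        parsed=$(parse_prng_line "$line")
        [ -n "$parsed" ] || continue
        IFS='|' read -r path rate cmd <<EOF
$parsed
EOF
        if [ ! -x "$path" ]; then
            printf 'skip\t0\t%s\t%s\n' "$rate" "$cmd"
            continue
        fi
        case $cmd in
            *' '*) args=${cmd#* } ;;   # drop argv0, keep the arguments
            *)     args= ;;
        esac
        start=$(date +%s)
        # $args is split on whitespace on purpose; entries carry no shell quoting
        bytes=$("$path" $args </dev/null 2>/dev/null | wc -c | tr -d ' ')
        end=$(date +%s)
        printf '%s\t%s\t%s\t%s\n' "$((end - start))" "$bytes" "$rate" "$cmd"
    done < "$1"
    set +f
}

# Usage: sh prng_timing.sh /opt/ssh/etc/ssh_prng_cmds | sort -rn | head
if [ "$#" -gt 0 ]; then time_prng_cmds "$1"; fi
```

Entries that take whole seconds while producing few bytes at a low rate contribute most of the wait for little entropy.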
James A. Donovan
Honored Contributor

Re: ssh/scp 20-30 second delay before attempting connection

If the host your sshd daemon is running on is an 11i OS (11.11+), then you can try using the recently released /dev/random patch.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=KRNG11I

You'll need to recompile the ssh daemon on the server of course, but you should see a significant increase in performance.....

Another helpful site is http://newfdawg.com/SSHpart5.htm
Remember, wherever you go, there you are...
James Perry
Advisor

Re: ssh/scp 20-30 second delay before attempting connection

I am running on an HP-UX 11.0 machine. I have been able to successfully build the product on a test server and link it to the prngd randomizer, but this requires building and tracking all of the changed files. What I am seeking is an HP-UX bundle that has support for ssh and the KRNG product for 11.0. I suspect that will not be released until 3rd quarter at best.
Rodney Hills
Honored Contributor

Re: ssh/scp 20-30 second delay before attempting connection

I too was suffering 20-30 second delays on my 11i system using ssh. I installed the KRNG patch and now the wait time is down to 5 seconds.

An improvement, but not an almost immediate connection like rlogin.

-- Rod Hills
There be dragons...
James Perry
Advisor

Re: ssh/scp 20-30 second delay before attempting connection

Thanks Rodney! I have compiled the ssh and required libraries on a test machine and I am in the process of creating a depot now. This is currently the only option since I am running 11.0. I will take a look at the KRNG patch, but I think it is only for 11i.
Chris Vail
Honored Contributor

Re: ssh/scp 20-30 second delay before attempting connection

We use ssh on all our 11.0 & 11i systems. A 5-30 second delay in making the connection is normal. The patch mentioned by others does speed it up a bit. I've found that the delay is highly dependent on the processor speed of the two machines involved. This makes sense since there is a lot of math involved in the public/private key pairing operation.


Chris
Steven E. Protter
Exalted Contributor

Re: ssh/scp 20-30 second delay before attempting connection

Rodney, what was the Patch number?

If you have generated public keys, these are long, encrypted little data files that get fully exchanged before any ssh, scp or sftp type transfer happens (see attachment).

The obvious benefit is not having to type passwords when doing secure shell operations between machines.

The obvious cost, be it 5 seconds or 30 seconds, is that it does take time to exchange those keys.

I have suspected problems on the HP-UX side because my two Linux boxes are much snappier with ssh/scp/sftp.

Good to hear there is a patch.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: ssh/scp 20-30 second delay before attempting connection

I'm not so sure it should be normal.

My HP-UX boxes do take around 20 seconds to exchange keys, even though I went through the trouble of generating and exchanging public keys in advance (see doc).

My two Linux boxes at home on a switch of equivalent speed handle the ssh/scp/sftp instantaneously without delay, even across the internet with a third, customer Linux machine.

Can someone post the HP patch number involved here?

SEP
Steven E. Protter
Exalted Contributor

Re: ssh/scp 20-30 second delay before attempting connection

Quite embarrassing. I make my first post, go back to check, find nothing, repost another version and find both.

What is going on with itrc?

Apologies.

SEP
Rodney Hills
Honored Contributor

Re: ssh/scp 20-30 second delay before attempting connection

Steven,

Check above for the post by Donovan. There is a link to the patch there...

-- Rod Hills
There be dragons...
Jenni Tyynelä
New Member

Re: ssh/scp 20-30 second delay before attempting connection

I would like to use random number generator with SSH. Jim Donovan wrote that "You'll need to recompile the ssh daemon on the server of course, but you should see a significant increase in performance...".
But he attached a link where it is written that:
"For HP-SSH to utilize the new RNG no configuration changes need to be made to SSH."

Why is recompilation needed, and if it is mandatory, how is it done?