Re: telnet login fast, but ssh login slow ?

Jerry_109 · ‎03-18-2005

HP-UX B.11.11 U 9000/800/rp3410

Hello All,
I have a perplexing situation on my hp server. When I "telnet" to my server, I get a very quick login prompt, but when I "ssh" it takes approx. 70 seconds. This just started a few days ago, and no one is admitting to any changes. I originally thought it was an negoiation between ports.

The (2) lan cards are configured for different subnets between "prod/dev" and "test lab" as follows:
lan0 for prod/dev servers 10.2
lan1 for test lab servers 10.254

Please review the following information I have gathered :

***********************************************
Class I H/W Path Driver S/W State H/W Type Description
===================================================================
lan 0 0/1/2/0 igelan CLAIMED INTERFACE HP PCI 1000Base-T Core
lan 1 0/4/1/0 btlan CLAIMED INTERFACE HP A5230A/B5509BA PCI 10/100Base-TX Addon
********************************************
# lanscan
Hardware Station Crd Hdw Net-Interface NM MAC HP-DLPI DLPI
Path Address In# State NamePPA ID Type Support Mjr#
0/1/2/0 0x00306E4B2183 0 UP lan0 snap0 1 ETHER Yes 119
0/4/1/0 0x00306EEA664A 1 UP lan1 snap1 2 ETHER Yes 119
***************************************
# ifconfig lan0
lan0: flags=1843
inet 10.2.110.200 netmask ffff0000 broadcast 10.2.255.255
root@airlock[/tmp]
# ifconfig lan1
lan1: flags=843
inet 10.254.110.2 netmask ffff0000 broadcast 10.254.255.255
*****************************************

# lanadmin -x 0
Speed = 100 Full-Duplex.
Autonegotiation = Off.

root@airlock[/tmp]
# lanadmin -x 1
Current Config = 100 Full-Duplex MANUAL
***********************************

# The HP_IGELAN_INIT_ARGS are reserved by HP. They are NOT user changable.

HP_IGELAN_INIT_ARGS="HP_IGELAN_STATION_ADDRESS HP_IGELAN_SPEED HP_IGELAN_MTU HP_IGELAN_FLOW_CONTROL HP_IGELAN_AUT
ONEG HP_IGELAN_SEND_COAL_TICKS HP_IGELAN_RECV_COAL_TICKS HP_IGELAN_SEND_MAX_BUFS HP_IGELAN_RECV_MAX_BUFS"

HP_IGELAN_INTERFACE_NAME[0]=lan0
HP_IGELAN_STATION_ADDRESS[0]=
HP_IGELAN_SPEED[0]=100FD
HP_IGELAN_MTU[0]=
HP_IGELAN_FLOW_CONTROL[0]=
HP_IGELAN_AUTONEG[0]=
HP_IGELAN_SEND_COAL_TICKS[0]=
HP_IGELAN_RECV_COAL_TICKS[0]=
HP_IGELAN_SEND_MAX_BUFS[0]=
HP_IGELAN_RECV_MAX_BUFS[0]=

# End of hpigelanconf configuration file

------------------------------------------

HP_BTLAN_INTERFACE_NAME[0]=lan1
HP_BTLAN_STATION_ADDRESS[0]=
HP_BTLAN_SPEED[0]=100FD
HP_BTLAN_INIT_ARGS="HP_BTLAN_STATION_ADDRESS HP_BTLAN_SPEED"

# End of hpbtlanconf configuration file
*********************************************

I checked with the network folks to deliver the port configuration(s), and they indicated
the ports were set to "100 full duplex".

I also executed some scp's (secure copies) just
so I could view the transmission times as follows :

# scp /tmp/J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot hohp41:/tmp/jerry
J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot 0% 200KB 69.7KB/s 23:18 ETAKilled by signal 2.
root@airlock[/]
# scp /tmp/J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot hohp40:/tmp/jerry
J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot 0% 200KB 69.7KB/s 23:18 ETAKilled by signal 2.
root@airlock[/]
# scp /tmp/J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot hohp230:/tmp/jerry
J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot 0% 416KB 62.7KB/s 25:50 ETAKilled by signal 2.
root@airlock[/]
# scp /tmp/J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot hohp231:/tmp/jerry
J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot 0% 416KB 47.6KB/s 34:04 ETAKilled by signal 2.
root@airlock[/]
# scp /tmp/J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot hohp232:/tmp/jerry
J4258CA_B.06.21.10_HP-UX_B.11.11_32+64.depot 0% 344KB 61.4KB/s 26:25 ETA
*******************************************
Jerry Sims
jlsims@scif.com

harry d brown jr · ‎03-18-2005

Aren't gig-e cards susposed to be set to autonegotiate HP_IGELAN_AUTONEG[0]=1?

And if this "just started to happen", then SOMETHING changed.

live free or die
harry d brown jr

Live Free or Die

RAC_1 · ‎03-18-2005

which ssh version do you use?? old versions use commands for random generation and this could cause ssh connection delay.

Anil

There is no substitute to HARDWORK

Jerry_109 · ‎03-18-2005

# ssh -v
OpenSSH_3.8, OpenSSL 0.9.7d 17 Mar 2004
HP-UX_Secure_Shell-A.03.81.002, HP_UX Secure Shell version

RAC_1 · ‎03-18-2005

You have two options.

check sshd_config file. check what commands are used to generate random number. (They are kept somewhere in /opt/ssh or something similar. Delete few of them)

OR

update to latest ssh version. Install KRNG (random generator. This installs /dev/random and /dev/urandom) and you should be fine.

There is no substitute to HARDWORK

Jerry_109 · ‎03-18-2005

the server that has the slow response does not have ssh installed. The ssh server sends commands to about 60 servers, but it's just of the 60 that is slow. does a new "ssh key"
need to be generated? If so, do you know the command ?

Wilfred Chau_1 · ‎03-18-2005

In your sshd_config file, do you have this set to yes?

#VerifyReverseMapping Yes

Set it to no and retry

Jerry_109 · ‎03-18-2005

was unable to locate "VerifyReverseMapping"
in /opt/ssh/etc/ssh_config

Wilfred Chau_1 · ‎03-18-2005

Should be the daemon config.
/opt/ssh/etc/sshd_config

Jerry_109 · ‎03-19-2005

This parameter is set to : VerifyReverseMapping Yes

Stefano_65 · ‎06-07-2005

hey.. I've the same problem, and the same version of OpenSSL, but in /opt/ssh/etc/ssh_config I've not the option Verify..etc.
here my ssh_config:

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~

maybe I've to change some other parm?

tnx.

Stefano_65 · ‎06-07-2005

and here the sshd_config:

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /opt/ssh/libexec/sftp-server

# sftp-server logging
#LogSftp no
#SftpLogFacility AUTH
#SftpLogLevel INFO

# sftp-server umask control
#SftpUmask

#SftpPermitChmod yes
#SftpPermitChown yes

Stefano_65 · ‎06-07-2005

sorry everybody.. I solve the situation by editing ssh_prng_cmds file.
in detail, I've changed "last" with "last -100".

Hi everybody..

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: telnet login fast, but ssh login slow ?

telnet login fast, but ssh login slow ?