Operating System - HP-UX

What is the Fastest Authentication Protocols for SSH

 
Shah Sahib
Frequent Advisor

What is the Fastest Authentication Protocols for SSH

Ok experts, sorry if I did not word my subject line correctly but we are having problems with SSH login hanging for a long time. We want to see if we can use some other authentication protocol other than PAM or Kerberos.

Ok, I am not a security expert so don't flame me, just let me know what should we use for light security as most of the connections pass encrypted data from remote programmes and batch jobs etc, so we don't need to double encrypt, I am thinking this is the problem, sorry for not providing more info, but let me know what the consensus is.

TIA
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith
Ivan Krastev
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

Check your DNS resolving. This is a common issue with slow logins via ssh.

Disable dns in sshd_config:

UseDNS no


regards,
ivan
Patrick Wallek
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

What version of HP-UX are you running? Are you running some sort of random number generator?

For HP-UX 11.11 (11i v1) and higher you can install the KRNG (Kernel random number generator) package and that helps authentication speed immensely.
Dave Hutton
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

Kind of along with what Patrick was saying. I know for 10.20 -> 11.00 the larger your /var/adm/wtmp and btmp files get the longer it takes for your connection to go. If you are running the older versions of OS you could try to zero out those files and try it.
Shah Sahib
Frequent Advisor

Re: What is the Fastest Authentication Protocols for SSH

Guys we are running HPUX 11.23 on an ia64 box, with Secure_Shell A.04.10.005, I don't see an RNG installed... the DNS is fine.

Will look into btmp and wtmp cleanup.
thanks
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith
TwoProc
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

Just for giggles add the ip address of whatever developer's machine is slow to login from into the /etc/hosts file. Retry the ssh login - if it's now fast, then it's dns speed issues.
I saw recently a suggestion to speed this up, and it was to make your machine a downstream end-level dns resolver, that way you'll have all that stuff cached up and close by on your own server, and you won't have to wait for a resolution... or you can just add developer's IP addresses to your /etc/hosts file - doesn't hurt anything...
We are the people our parents warned us about --Jimmy Buffett
IT_2007
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

post your /etc/nsswitch.conf file

also post sshd_conf file.

so that we can verify.
skt_skt
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

is the login working fast through telnet?

Then update sshd_config as below,


UsePrivilegeSeparation no
#Compression yes
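
A way to confirm which value sshd actually uses for the directives named in this thread (UseDNS, UsePrivilegeSeparation, Compression). This is an added example, not part of any post above; it relies on the sshd_config rule that the first occurrence of a keyword wins and that commented lines have no effect. The sample file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Print the value sshd takes for KEYWORD from the global part of FILE,
# or "(default)" when the keyword is absent or only present in a comment.
# Handles the whitespace-separated "Keyword value" form only.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }          # comment or blank line: ignored
        {
            key = tolower($1)            # keywords are case-insensitive
            if (key == "match") exit     # conditional blocks start here
            if (key == want) {
                $1 = ""; sub(/^[ \t]+/, "")
                print; found = 1; exit   # first occurrence wins
            }
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_login_settings FILE: report the directives discussed in the thread.
audit_login_settings() {
    for kw in UseDNS UsePrivilegeSeparation Compression; do
        printf '%s=%s\n' "$kw" "$(effective_value "$1" "$kw")"
    done
}

# Constructed sample configuration (not taken from the poster's server).
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Port 22
usedns no
UseDNS yes
UsePrivilegeSeparation no
#Compression yes
EOF
}
```

On the sample, UseDNS resolves to "no" because the later "UseDNS yes" is never reached, and Compression stays at the built-in default because its line is commented out. UsePrivilegeSeparation set to "no" removes the unprivileged pre-authentication process, so it is worth flagging whenever it shows up in the output.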

Shah Sahib
Frequent Advisor

Re: What is the Fastest Authentication Protocols for SSH

I will respond to other questions, but here is the nsswitch.conf file
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith
Shah Sahib
Frequent Advisor

Re: What is the Fastest Authentication Protocols for SSH

I shared all the responses from this forum with our team here and they were all very good, my immediate question is (Patrick?) how do I find out what version RNG we are using? Is it integrated into some product? Any detail on that is helpful, and twoproc we can't use the hosts file as we have dns and ldap setup but yes that would be good for testing and we will if all else fails, Dave yes I will clean up the wtmp and btmp soon as someone in the meeting agrees with you on that, Santosh thanks I verified it was already set to what you recommend.
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith
Shah Sahib
Frequent Advisor

Re: What is the Fastest Authentication Protocols for SSH

I did a ssh -vvv verbose login on the server and noticed the line

:RNG is ready, skipping seeding
:sh_connect: needpriv 0

does this mean anything?
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith
skt_skt
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

The delay is expected if the wtmp is too big; compare the size with another machine (is it really bigger).

Here is the procedure to do that..(tested)

1. Ensure that the wtmp file is not corrupt by running a last on your user id:

# last ` who am i `

2. Convert the wtmp file to ascii into a file system that has sufficient space:

# cat /var/adm/wtmp | /usr/sbin/acct/fwtmp > /tmp/ascii_wtmp

3. Determine the number of lines in the ascii file, take 10% of that value, and subtract that from total number of lines:

# lines=`cat /tmp/ascii_wtmp | wc -l`;lines2=`expr $lines / 10`; export lines3=`expr $lines - $lines2`;echo $lines3

4. Start the ascii file from the line number given as output from the above command:

# awk ' ( NR > '$lines3' ) ' /tmp/ascii_wtmp > /tmp/ascii_wtmp2

5. Convert the trimmed ascii file back to binary in place of the original wtmp:

# cat /tmp/ascii_wtmp2 | /usr/sbin/acct/fwtmp -ic > /var/adm/wtmp

6. Verify that the operation was successful

# ll /var/adm/wtmp

# last ` who am i `

Shah Sahib
Frequent Advisor

Re: What is the Fastest Authentication Protocols for SSH

I just blew away the wtmp file, we don't need wtmp or btmp as it is a security risk anyways. I will monitor if the login improved.

But I notice we also have a file "wtmps" in the same dir as wtmp and it is large over 78mb..what is that?

Secondly, since we are on 11.23 so we should have a Random Number Generator built in, but my question is how do I know it's running or being used? thanks
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith
Dave Hutton
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH

I know you posted ssh -vvv and connected. You could also try running the sshd daemon in debug: sshd -ddd. I've only messed with it a little when I was having issues, it seems like it's only good for 1 session. (I couldn't figure out how to allow it to have more than 1, but didn't spend much time on it)

So at least you could watch the origination and destinations and see where it gets hung up.

I've never had any issues with speed on 11.11 or newer. I only mention the wtmp/btmp because we do have some old 11.00 servers that when those files grow it tends to slow things down. I'm assuming it uses those files to randomly seed your connections. But if it helps great. I would just be surprised if it did.
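
One way to see where a verbose login "gets hung up", as an added example that is not part of the posts above: timestamp each line of `ssh -vvv` output as it arrives and list the longest pauses between consecutive lines. The function names and the sample trace (timestamps and debug lines) are constructed; the script assumes a date(1) that supports `+%s`.

```shell
#!/bin/sh
# stamp_lines: prefix every stdin line with the epoch second it arrived.
# Assumption: date(1) supports +%s on the machine running the client.
stamp_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s)" "$line"
    done
}

# slowest_gaps N: read "<epoch> <text>" lines and print the N longest pauses,
# longest first, as: <seconds> TAB <line before pause> TAB <line after pause>
slowest_gaps() {
    awk '{
            text = substr($0, length($1) + 2)
            if (NR > 1)
                printf "%d\t%s\t%s\n", $1 - prev_t, prev_text, text
            prev_t = $1; prev_text = text
         }' | sort -rn | head -n "${1:-3}"
}

# Constructed sample trace: the times and debug lines are made up to show
# the output format, they are not taken from the poster's server.
sample_trace() {
    cat <<'EOF'
1000 debug1: Connecting to host.example [192.0.2.10] port 22.
1000 debug1: Connection established.
1001 debug1: SSH2_MSG_KEXINIT sent
1002 debug1: Authentications that can continue: publickey,password
1002 debug1: Next authentication method: publickey
1032 debug1: Authentication succeeded (publickey).
EOF
}

# Live use (not run here):
#   ssh -vvv user@host exit 2>&1 | stamp_lines | slowest_gaps 3
```

The line printed before the longest pause shows which step the client was waiting on, which narrows down what to look for in the matching `sshd -ddd` output on the server.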
skt_skt
Honored Contributor

Re: What is the Fastest Authentication Protocols for SSH


Secondly, since we are on 11.23 so we should have a Random Number Generator built in, but my question is how do i know its running or being used?

watch the screen (RNG is ready, skipping seeding)

#tusc -Eeaf -p -v -rall -wall -vall -T '' -o /tmp/ssh_tusc.txt ssh -vvv root@localhost
Shah Sahib
Frequent Advisor

Re: What is the Fastest Authentication Protocols for SSH

Thanks Santhosh, tusc seems to be a good tool, we don't have it yet but will look into it.
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith
Shah Sahib
Frequent Advisor

Re: What is the Fastest Authentication Protocols for SSH

thanks to all.
1 Strike of the Ironsmith equals 1000 strikes of a Gold smith