FC1 and SSH - logins taking a long time

Rick Stevens rstevens at vitalstream.com
Wed Jun 23 17:26:52 UTC 2004


jeffrey_n_Dyke at Keane.com wrote:
> Hi.  This is not exactly a FC question/problem, but I'm getting nothing
> from the ssh mailing lists or comp.security.ssh.
> 
> I have an issue where ssh logins are taking over 10 seconds.  Assuming
> this is the DNS error seen here->http://www.openssh.com/faq.html#3.3.
> I tried to add both UseDNS no and AddressFamily inet.  Both gave me errors
> stating they were invalid options -->
> 
> /etc/ssh/sshd_config: line 33: Bad configuration option: UseDNS
> /etc/ssh/sshd_config: line 35: Bad configuration option: AddressFamily
> 
> I'm running OpenSSH_3.6.1p2 on FC1; the following rpms are on my system:
> 
> [root at jerry etc] rpm -qa | grep -i ssh
> openssh-3.6.1p2-19
> openssh-server-3.6.1p2-19
> openssh-askpass-3.6.1p2-19
> openssh-askpass-gnome-3.6.1p2-19
> openssh-clients-3.6.1p2-19
> 
> 
> The same slowness occurs when I use the internal IP of 192.168.0.4 in
> lieu of domain name.
> 
> Any help is appreciated.

The configuration below is pretty standard.  My guess is that you really
do have a DNS issue.  The most likely problem is that reverse DNS is not
working (that's IP-to-hostname rather than normal DNS which is
hostname-to-IP).  You could verify this by getting on the SSH target
machine (192.168.0.4) and running:

	tcpdump port 53

and watching the output to see if the DNS stuff is being resolved right
or timing out when you try to ssh to that machine.

Since you're on a non-routable IP address (192.168/16), a reverse DNS
lookup will most likely fail unless you either run an internal DNS
server on your local LAN with a full reverse DNS database or you add the
appropriate entries to the SSH target's /etc/hosts file.

> my /etc/ssh/sshd_config file that errors out as above.
> #       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
> 
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
> 
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
> 
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
> 
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> 
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> 
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
> UseDNS no
> AddressFamily inet
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
> # Authentication:
> #LoginGraceTime 120
> #PermitRootLogin yes
> #StrictModes yes
> 
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile     .ssh/authorized_keys
> 
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> 
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> 
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> 
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> 
> #AFSTokenPassing no
> 
> # Kerberos TGT Passing only works with the AFS kaserver
> #KerberosTgtPassing no
> 
> # Set this to 'yes' to enable PAM keyboard-interactive authentication
> # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
> #PAMAuthenticationViaKbdInt no
> 
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #KeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> 
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> #VerifyReverseMapping no
> 
> # override default of no subsystems
> Subsystem       sftp    /usr/libexec/openssh/sftp-server

As I said, that's pretty standard.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
----------------------------------------------------------------------
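
The reverse-DNS checks described in the reply above, as an added example that is not part of the original post: shell helpers to run on the SSH target that print the PTR name to look for in the `tcpdump port 53` output, check a hosts file for an entry, and time a reverse lookup. The function names and the 192.168.0.10 client address are constructed for illustration.

```shell
#!/bin/sh
# Added example: reverse-DNS checks to run on the SSH target.
# The client address used below is a constructed sample, not one from the thread.

# ptr_name IPV4 -> the in-addr.arpa name that a PTR query carries;
# this is the name to look for in "tcpdump port 53" output.
ptr_name() {
    echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# hosts_name IPV4 [FILE] -> first hostname mapped to IPV4 in a hosts file,
# ignoring comments; prints nothing and returns 1 if there is no entry.
hosts_name() {
    awk -v ip="$1" '
        { sub(/#.*/, "") }
        $1 == ip && NF >= 2 { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "${2:-/etc/hosts}"
}

# timed_reverse IPV4 -> resolves IPV4 through the system resolver order
# (nsswitch.conf, typically files then DNS) and reports how long it took.
# A multi-second result with name=UNRESOLVED points at a reverse-DNS timeout.
timed_reverse() {
    start=$(date +%s)
    name=$(getent hosts "$1" | awk '{ print $2; exit }')
    end=$(date +%s)
    echo "ip=$1 name=${name:-UNRESOLVED} seconds=$((end - start))"
}

# Usage on the SSH target, with the connecting client's address:
#   CLIENT_IP=192.168.0.10        # constructed sample
#   ptr_name "$CLIENT_IP"
#   hosts_name "$CLIENT_IP" || echo "no /etc/hosts entry for $CLIENT_IP"
#   timed_reverse "$CLIENT_IP"
```

The address to test is the connecting client's, since that is the one the server looks up during login.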




