Gentoo Forums
Sshd login has massive pause between username and password
Gentoo Forums Forum Index » Networking & Security
dietcokefiend (n00b, joined 05 Apr 2006, 13 posts)
Posted: Wed Apr 05, 2006 2:25 am    Post subject: Sshd login has massive pause between username and password

Recently my gentoo machine (g3 ppc) has been having an odd thing happen. When you go to log into the server remotely through ssh, it connects fast, loads up "enter your username", then after you type that in, pauses for like 15 seconds. After the pause, it goes to the password entry part, and logs in normally. Nothing is bogging once you are in, and it is only that first thing that is having issues. This problem only started recently, and I can't quite figure out what happened.

I am running a standard config of ssh, with sshdfilter controlling it for anti-spam protection.

Here is the current sshd config file

Quote:
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
ServerKeyBits 256

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 2

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# here is the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers ldap://127.0.0.4 ldap://127.0.0.3 ldap://127.0.0.1/
#LpkUserDN ou=users,dc=phear,dc=org
#LpkGroupDN ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server


Here is the current sshdfilter file

Quote:
# sshdfilter config, V1.4
# Config parser is simple, so don't try anything fancy.

# Min time (seconds) the block list is checked to remove stale entries from
# this list and iptables. Put another way, limits how often sshdfilter
# checks the IP block list for blocks that have exceeded the maxblocktime
# value. So the default of 2 hours, says, at intervals at least 2 hours
# apart, check all the IPs on the block lists and see if any have timed
# out. Simply put, it should be a fraction of maxblocktime, say 0.05
repurgetime=3600

# How long (seconds) after the last activity from an ip that it can be
# removed from iptables block list.
maxblocktime=3600

# How many password guesses of an existing user before going on the
# blocked list. Here twice what it should be, with -e -D, sshd likes to
# output failures and successes twice.
maxchances=6

# which interface to block
#interface=""
interface="-i eth1"

# Email any block events. Runs this line with some more details on stdin.
# Note perl executes this line, so be careful with escaping. Using the
# debug option might be a good idea, as would logging debug level syslog
# events (that's /etc/syslog.conf).
#mail="mail -s \"sshdfilter event for $ip, $event\" greg\@abatis.flint"

# convert any IPv6 addresses to IPv4, necessary for iptables, as only
# ip6tables knows about IPv6. Setting this option to 0 also enables
# calling ip6tables instead of iptables, so you should generally leave it
# set to 1.
ip6toip4=1

# where sshd lives
sshdpath="/usr/sbin/sshd"

# debug? !0 turns on debugging
debug=0



Any ideas what is causing this insane pause? Once you are logged in everything goes incredibly fast, so it's not like it's tasking the server or anything.
dietcokefiend (n00b, joined 05 Apr 2006, 13 posts)
Posted: Wed Apr 05, 2006 3:19 am

Also, just noticed this thing...

Typed "iptables -L -v" and it just hangs after first line for like 30 seconds. My friend thinks it might be something with DNS lookup, and no idea what is causing this.
aetius (Tux's lil' helper, joined 09 Jul 2004, 118 posts)
Posted: Wed Apr 05, 2006 4:24 am

sshd does a DNS lookup on every host that attempts to connect, looking for oddities. If the reverse lookup doesn't match the forward lookup, sshd will print a warning to the logs. If the server's name resolution is misconfigured, this can take quite a bit of time (for example, if the first DNS server in your /etc/resolv.conf isn't reachable). See the "-u" option in the sshd manpage, and note that some forms of login restrictions on sshd will force DNS lookups anyway.
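The forward/reverse check aetius describes, as an added example written for this thread rather than taken from it: fcrdns_check is my name for a reproduction of sshd's UseDNS logic, the resolvers are passed in as arguments so a constructed lookup table (and a simulated nameserver timeout) can be used offline, and system_reverse/system_forward run the same check through the host's real resolver.

```python
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

def fcrdns_check(ip: str, reverse: Callable, forward: Callable) -> Tuple[str, float]:
    """Reproduce sshd's UseDNS check: PTR lookup for ip, then resolve that name
    forward and confirm ip is among the answers. Returns (status, seconds) where
    status is 'match', 'mismatch' (sshd logs a warning) or 'no-ptr'."""
    start = time.monotonic()
    name = reverse(ip)
    if name is None:
        return "no-ptr", time.monotonic() - start
    addrs = forward(name) or []
    status = "match" if ip in addrs else "mismatch"
    return status, time.monotonic() - start

def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the host's own resolver (/etc/resolv.conf)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name: str) -> Optional[List[str]]:
    """A/AAAA lookup through the host's own resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return None

def table_resolvers(ptr: Dict[str, str], fwd: Dict[str, List[str]], delay: float = 0.0):
    """Constructed resolvers backed by dicts; delay models a nameserver that has
    to time out before the next one in resolv.conf is tried."""
    def reverse(ip: str) -> Optional[str]:
        time.sleep(delay)
        return ptr.get(ip)
    def forward(name: str) -> Optional[List[str]]:
        time.sleep(delay)
        return fwd.get(name)
    return reverse, forward

if __name__ == "__main__":
    # Constructed sample data: 192.0.2.10 is consistent, 192.0.2.20 is not.
    rev, fwd = table_resolvers(
        {"192.0.2.10": "good.example.net", "192.0.2.20": "bad.example.net"},
        {"good.example.net": ["192.0.2.10"], "bad.example.net": ["192.0.2.99"]},
        delay=0.1)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, *fcrdns_check(ip, rev, fwd))
    # Live resolver: fcrdns_check("<client ip>", system_reverse, system_forward)
```

Run the live form from the server with the address of the slow client; a reported time of several seconds, or a 'no-ptr' result after a long wait, points at the resolver rather than at sshd itself.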
PaulBredbury (Watchman, joined 14 Jul 2005, 7310 posts)
Posted: Wed Apr 05, 2006 5:00 am

For fast DNS, use bind, rather than relying on your ISP's overloaded servers.
GetCool (Guru, joined 23 Nov 2003, 324 posts, Madison, Wisconsin)
Posted: Wed Apr 05, 2006 5:46 am

PaulBredbury wrote:
For fast DNS, use bind, rather than relying on your ISP's overloaded servers.


Paul, while I appreciate the guide you posted on configuring bind (I have used it in the past to get the service running properly on one of my machines), I think you tend to recommend this too often. Many users do not need to run this service, and the original poster's problem may not be related to an ISP's name servers.

I'd recommend first trying various name servers (there are public servers available to the internet; search the forums for "slow dns" for some IPs to try, and other good info on slow DNS issues) to first determine if DNS is indeed the nature of this problem.
PaulBredbury (Watchman, joined 14 Jul 2005, 7310 posts)
Posted: Wed Apr 05, 2006 5:58 am

GetCool wrote:
and the original poster's problem may not be related to an ISP's name servers.

Maybe not, but it sure sounds like it is, since "iptables -L -v" involves DNS lookups.

I recommend bind because it works solidly. The average PC today has no problem at all in running bind, and bind is the best solution to DNS. Bad DNS can cripple Internet interactivity. DNS should be cached, but should be cached properly - bind does that.
dietcokefiend (n00b, joined 05 Apr 2006, 13 posts)
Posted: Wed Apr 05, 2006 6:22 am

PaulBredbury wrote:
GetCool wrote:
and the original poster's problem may not be related to an ISP's name servers.

Maybe not, but it sure sounds like it is, since "iptables -L -v" involves DNS lookups.

I recommend bind because it works solidly. The average PC today has no problem at all in running bind, and bind is the best solution to DNS. Bad DNS can cripple Internet interactivity. DNS should be cached, but should be cached properly - bind does that.


I got it working switching around the dns servers with some key ones in the US instead of the roadrunner ones.

I would like the idea of bind, but it looks pretty involved to get it setup. Is there any method just to emerge it and make it "work"?

EDIT: Damn. It appears that if I set the DNS servers to ones that are not RR, logging into ssh is fine, but I can't resolve common webpages anymore. If I switch back to the road runner ones, webpages load, but ssh lags :(
PaulBredbury (Watchman, joined 14 Jul 2005, 7310 posts)
Posted: Wed Apr 05, 2006 6:46 am

dietcokefiend wrote:
Is there any method just to emerge it and make it "work"?

This is Gentoo, we do configurations by hand here :wink:

emerge bind and check its config files. After that, it "just works".
think4urs11 (Bodhisattva, joined 25 Jun 2003, 6659 posts, above the cloud)
Posted: Wed Apr 05, 2006 7:07 am

UseDNS no in /etc/ssh/sshd_config should fix the login lagging in this case.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
dietcokefiend (n00b, joined 05 Apr 2006, 13 posts)
Posted: Wed Apr 05, 2006 8:18 am

Think4UrS11 wrote:
UseDNS no in /etc/ssh/sshd_config should fix the login lagging in this case.


Tried that before and it didn't seem to make a difference.
BlinkEye (Veteran, joined 21 Oct 2003, 1046 posts, Gentoo Forums)
Posted: Wed Apr 05, 2006 11:13 am

dietcokefiend wrote:
Also, just noticed this thing...

Typed "iptables -L -v" and it just hangs after first line for like 30 seconds. My friend thinks it might be something with DNS lookup, and no idea what is causing this.


iptables tries to resolve domain names. Use
Code:
iptables -Lvn

instead.
dietcokefiend (n00b, joined 05 Apr 2006, 13 posts)
Posted: Fri Apr 07, 2006 6:14 am

Changed my key nameserver to 4.2.2.2 and all is well now :)
All times are GMT