dietcokefiend n00b
Joined: 05 Apr 2006 Posts: 13
Posted: Wed Apr 05, 2006 2:25 am Post subject: Sshd login has massive pause between username and password
Recently my gentoo machine (g3 ppc) has been having an odd thing happen. When you go to log into the server remotely through ssh, it connects fast, loads up "enter your username", then after you type that in, pauses for like 15 seconds. After the pause, it goes to the password entry part, and logs in normally. Nothing is bogging once you are in, and it is only that first thing that is having issues. This problem only started recently, and I can't quite figure out what happened.
I am running a standard config of ssh, with sshdfilter controlling it for anti-spam protection.
Here is the current sshd config file:
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
ServerKeyBits 256
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 2
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# here is the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers ldap://127.0.0.4 ldap://127.0.0.3 ldap://127.0.0.1/
#LpkUserDN ou=users,dc=phear,dc=org
#LpkGroupDN ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
Here is the current sshdfilter file:
# sshdfilter config, V1.4
# Config parser is simple, so don't try anything fancy.
# Min time (seconds) the block list is checked to remove stale entries from
# this list and iptables. Put another way, limits how often sshdfilter
# checks the IP block list for blocks that have exceeded the maxblocktime
# value. So the default of 2 hours, says, at intervals at least 2 hours
# apart, check all the IPs on the block lists and see if any have timed
# out. Simply put, it should be a fraction of maxblocktime, say 0.05
repurgetime=3600
# How long (seconds) after the last activity from an ip that it can be
# removed from iptables block list.
maxblocktime=3600
# How many password guesses of an existing user before going on the
# blocked list. Here twice what it should be, with -e -D, sshd likes to
# output failures and successes twice.
maxchances=6
# which interface to block
#interface=""
interface="-i eth1"
# Email any block events. Runs this line with some more details on stdin.
# Note perl executes this line, so be careful with escaping. Using the
# debug option might be a good idea, as would logging debug level syslog
# events (that's /etc/syslog.conf).
#mail="mail -s \"sshdfilter event for $ip, $event\" greg\@abatis.flint"
# convert any IPv6 addresses to IPv4, necessary for iptables, as only
# ip6tables knows about IPv6. Setting this option to 0 also enables
# calling ip6tables instead of iptables, so you should generally leave it
# set to 1.
ip6toip4=1
# where sshd lives
sshdpath="/usr/sbin/sshd"
# debug? !0 turns on debugging
debug=0
Any ideas what is causing this insane pause? Once you are logged in everything goes incredibly fast, so it's not like it's tasking the server or anything.
dietcokefiend n00b
Joined: 05 Apr 2006 Posts: 13
Posted: Wed Apr 05, 2006 3:19 am
Also, just noticed this thing...
Typed "iptables -L -v" and it just hangs after the first line for like 30 seconds. My friend thinks it might be something with DNS lookup, and no idea what is causing this.
aetius Tux's lil' helper
Joined: 09 Jul 2004 Posts: 118
Posted: Wed Apr 05, 2006 4:24 am
sshd does a DNS lookup on every host that attempts to connect, looking for oddities. If the reverse lookup doesn't match the forward lookup, sshd will print a warning to the logs. If the server's name resolution is misconfigured, this can take quite a bit of time (for example, if the first DNS server in your /etc/resolv.conf isn't reachable). See the "-u" option in the sshd manpage, and note that some forms of login restrictions on sshd will force DNS lookups anyway.
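The check aetius describes, as an added example that is not from the thread or from OpenSSH: a small Python model of the forward-confirmed reverse DNS lookup sshd performs on a connecting address when UseDNS is on, with the resolver injected so it runs offline on constructed records. The lookup order (PTR first, then A, requiring the original address to appear in the answer) is what sshd does; the verdict names, the simulated resolver delay, the sample addresses and the use_dns switch are this example's own and show what a stalled resolver costs the client before the password prompt, and what UseDNS no skips.

```python
# Added example (not from the thread or OpenSSH): model sshd's reverse/forward
# DNS check on a connecting address, with an injectable resolver.
import socket
import time

# Constructed sample DNS data standing in for the system resolver.
PTR_RECORDS = {
    "198.51.100.7": "host7.example.net",     # PTR and A agree
    "203.0.113.9": "claimed.example.org",    # PTR names a host whose A record differs
    "203.0.113.200": "stale.example.org",    # PTR names a host with no A record
}
A_RECORDS = {
    "host7.example.net": ["198.51.100.7"],
    "claimed.example.org": ["203.0.113.42"],
}


def make_resolver(delay_seconds=0.0):
    """Build (reverse, forward) lookup functions over the constructed records.
    delay_seconds simulates a resolver that waits on an unreachable
    nameserver before a later one answers."""
    def reverse(ip):
        time.sleep(delay_seconds)
        if ip not in PTR_RECORDS:
            raise socket.herror(1, "Unknown host")
        return PTR_RECORDS[ip]

    def forward(name):
        time.sleep(delay_seconds)
        if name not in A_RECORDS:
            raise socket.gaierror(-2, "Name or service not known")
        return list(A_RECORDS[name])

    return reverse, forward


def canonical_host(ip, reverse, forward, use_dns=True):
    """Mirror sshd's decision. With UseDNS off, skip lookups and use the IP.
    Otherwise do PTR then A and require the address to appear in the A set;
    on any failure or mismatch fall back to the bare IP and return a reason
    for the log line. Returns (hostname, verdict, seconds_spent)."""
    start = time.monotonic()
    if not use_dns:
        return ip, "lookup-skipped", time.monotonic() - start
    try:
        name = reverse(ip)
    except socket.herror:
        return ip, "no-ptr", time.monotonic() - start
    try:
        addrs = forward(name)
    except socket.gaierror:
        return ip, "ptr-without-forward", time.monotonic() - start
    if ip in addrs:
        return name, "verified", time.monotonic() - start
    return ip, "forward-mismatch", time.monotonic() - start


def login_prompt_delay(ip, delay_seconds, use_dns=True):
    """Seconds the client waits on name resolution before authentication
    proceeds: two queries' worth with DNS on, nothing with UseDNS no."""
    reverse, forward = make_resolver(delay_seconds)
    _, _, spent = canonical_host(ip, reverse, forward, use_dns)
    return spent


if __name__ == "__main__":
    fast_reverse, fast_forward = make_resolver()
    for addr in ("198.51.100.7", "203.0.113.9", "203.0.113.200", "192.0.2.1"):
        print(addr, canonical_host(addr, fast_reverse, fast_forward)[:2])
    print("with DNS:  %.2fs" % login_prompt_delay("198.51.100.7", 0.2))
    print("UseDNS no: %.2fs" % login_prompt_delay("198.51.100.7", 0.2, use_dns=False))
```

The delay scales with the number of queries, so a resolver that has to time out on a dead first nameserver is paid for twice per connection; a mismatch between the PTR and A answers is never a reason to reject the connection here, only to log the bare address with a warning, which is the behaviour aetius describes.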
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Wed Apr 05, 2006 5:00 am
For fast DNS, use bind, rather than relying on your ISP's overloaded servers.
GetCool Guru
Joined: 23 Nov 2003 Posts: 324 Location: Madison, Wisconsin
Posted: Wed Apr 05, 2006 5:46 am
PaulBredbury wrote:
    For fast DNS, use bind, rather than relying on your ISP's overloaded servers.
Paul, while I appreciate the guide you posted on configuring bind (I have used it in the past to get the service running properly on one of my machines), I think you tend to recommend this too often. Many users do not need to run this service, and the original poster's problem may not be related to an ISP's name servers.
I'd recommend first trying various name servers (there are public servers available to the internet; search the forums for "slow dns" for some IPs to try, and other good info on slow DNS issues) to first determine if DNS is indeed the nature of this problem.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Wed Apr 05, 2006 5:58 am
GetCool wrote:
    and the original poster's problem may not be related to an ISP's name servers.
Maybe not, but it sure sounds like it is, since "iptables -L -v" involves DNS lookups.
I recommend bind because it works solidly. The average PC today has no problem at all in running bind, and bind is the best solution to DNS. Bad DNS can cripple Internet interactivity. DNS should be cached, but should be cached properly - bind does that.
dietcokefiend n00b
Joined: 05 Apr 2006 Posts: 13
Posted: Wed Apr 05, 2006 6:22 am
PaulBredbury wrote:
    GetCool wrote:
        and the original poster's problem may not be related to an ISP's name servers.
    Maybe not, but it sure sounds like it is, since "iptables -L -v" involves DNS lookups.
    I recommend bind because it works solidly. The average PC today has no problem at all in running bind, and bind is the best solution to DNS. Bad DNS can cripple Internet interactivity. DNS should be cached, but should be cached properly - bind does that.
I got it working by switching around the DNS servers with some key ones in the US instead of the roadrunner ones.
I would like the idea of bind, but it looks pretty involved to get it set up. Is there any method just to emerge it and make it "work"?
EDIT: Damn. It appears that if I set the DNS servers to ones that are not RR, logging into ssh is fine, but I can't resolve common webpages anymore. If I switch back to the road runner ones, webpages load, but ssh lags.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Wed Apr 05, 2006 6:46 am
dietcokefiend wrote:
    Is there any method just to emerge it and make it "work"?
This is Gentoo, we do configurations by hand here.
emerge bind and check its config files. After that, it "just works".
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Wed Apr 05, 2006 7:07 am
UseDNS no in /etc/ssh/sshd_config should fix the login lagging in this case.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
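Whether the keyword think4urs11 names is actually in effect depends on how sshd reads the file: keywords are case-insensitive, a line starting with "#" is a comment (so a commented "UseDNS yes" line means the default applies, not that the option is set), either "Keyword value" or "Keyword=value" is accepted, and the first value seen for a keyword wins over later duplicates. The following is an added example, not from the thread or from OpenSSH: a parser implementing those rules over a constructed excerpt in the shape of the file posted above, reporting which DNS-dependent settings apply and whether they come from a line or a default. The defaults table is an assumption matching OpenSSH of this thread's era (UseDNS defaulted to yes; OpenSSH 6.8 and later default it to no). It covers only sshd's own lookups; other parts of the login path, such as PAM modules or TCP wrappers, can resolve the peer on their own, which is the kind of lookup aetius's caveat about login restrictions refers to.

```python
# Added example (not from the thread or OpenSSH): parse sshd_config the way
# sshd reads it and report the DNS-dependent settings that are in effect.
import re

# Defaults for the keywords inspected; assumed to match OpenSSH of 2006
# (UseDNS defaults to "no" only from OpenSSH 6.8 onward).
DEFAULTS = {
    "usedns": "yes",
    "hostbasedauthentication": "no",
    "rhostsrsaauthentication": "no",
}

# "Keyword value" or "Keyword=value"; the keyword is case-insensitive.
LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} using sshd's rules: blank lines and
    lines starting with '#' are comments, and the first value seen for a
    keyword wins, so later duplicates are ignored. Settings after a Match
    line are conditional and are not modelled here; parsing stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        key = m.group(1).lower()
        if key == "match":
            break
        effective.setdefault(key, m.group(2).strip())
    return effective


def dns_dependent_settings(text):
    """For each keyword in DEFAULTS, return (effective value, 'config' or
    'default') so it is visible whether a line or a default governs it."""
    cfg = parse_sshd_config(text)
    return {
        key: (cfg[key].lower(), "config") if key in cfg else (default, "default")
        for key, default in DEFAULTS.items()
    }


def sshd_resolves_peer(text):
    """True when sshd itself will do the reverse/forward lookup on connect."""
    return dns_dependent_settings(text)["usedns"][0] == "yes"


# Constructed excerpt in the shape of the posted file: UseDNS is present only
# as a comment, and a second PasswordAuthentication line is ignored because
# the first value wins.
SAMPLE = """\
Port 22
Protocol 2
PermitRootLogin no
MaxAuthTries 2
PasswordAuthentication no
#UseDNS yes
UsePAM yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server
"""

# The same excerpt with the suggested fix, in the key=value form sshd also accepts.
FIXED = SAMPLE.replace("#UseDNS yes", "UseDNS=no")

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("with UseDNS no", FIXED)):
        print(label, dns_dependent_settings(text),
              "sshd resolves peer:", sshd_resolves_peer(text))
```

Run against the real file with `sshd_resolves_peer(open("/etc/ssh/sshd_config").read())` to see which value sshd will use; the reverse lookup the first function's docstring mentions is the one that costs the wait before the password prompt when the resolver is slow.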
dietcokefiend n00b
Joined: 05 Apr 2006 Posts: 13
Posted: Wed Apr 05, 2006 8:18 am
Think4UrS11 wrote:
    UseDNS no in /etc/ssh/sshd_config should fix the login lagging in this case.
Tried that before and it didn't seem to make a difference.
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Apr 05, 2006 11:13 am
dietcokefiend wrote:
    Also, just noticed this thing...
    Typed "iptables -L -v" and it just hangs after first line for like 30 seconds. My friend thinks it might be something with DNS lookup, and no idea what is causing this.
iptables tries to resolve domain names. Use
instead.
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
dietcokefiend n00b
Joined: 05 Apr 2006 Posts: 13
Posted: Fri Apr 07, 2006 6:14 am
Changed my key nameserver to 4.2.2.2 and all is well now.