#1
Triple-A Player
Join Date: Feb 2005
Location: Mass.
Posts: 100
SSH delayed login since switch to Tiger
Anyone else notice it takes about 30 seconds to get a password prompt, then after that it works fine, no lag or delay except in the connection process? I remember a topic a while back containing ssh ways to tweak and speed it up, but I am not sure where it went or if it would even apply in this situation. Any ideas?

#2
MVP
Join Date: Jan 2002
Location: Brisbane, Australia
Posts: 1,108
Turn off IPv6 in the network preference pane.
__________________
Douglas G. Stetner UNIX Live Free Or Die

#3
Triple-A Player
Join Date: Feb 2005
Location: Mass.
Posts: 100
OK, I checked it, it was off. Next idea?

#4
MVP
Join Date: Jan 2002
Location: Brisbane, Australia
Posts: 1,108
What about
VerifyReverseMapping yes in the /etc/sshd_config. This means when a connection comes in, your system tries to resolve the hostname from the IP address and see if it matches who the remote machine is saying it is.
__________________
Douglas G. Stetner UNIX Live Free Or Die

#5
Prospect
Join Date: May 2005
Posts: 2
I'm having the same problem.
SSH-ing from my ibook to any other ssh host in the local network or the internet causes this 60-second delay since upgrading to Tiger. After that, ssh works fine. I've started an ssh session with verbose debugging to show where the problem occurs:
----------------------------------------------------------------------
ibook:~ ralph$ ssh -vvv bender OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003 debug1: Reading configuration data /etc/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to bender [192.168.178.21] port 22. debug1: Connection established. debug1: identity file /Users/ralph/.ssh/identity type -1 debug3: Not a RSA1 key file /Users/ralph/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /Users/ralph/.ssh/id_rsa type 1 debug1: identity file /Users/ralph/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1 debug1: match: OpenSSH_3.9p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 debug3: Trying to reverse map address 192.168.178.21. 
--> 60 seconds delay <-- debug1: Miscellaneous failure No credentials cache found debug1: Miscellaneous failure No credentials cache found debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: 
kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 128/256 debug2: bits set: 527/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /Users/ralph/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug3: check_host_in_hostfile: filename /Users/ralph/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'bender' is known and matches the RSA host key. debug1: Found key in /Users/ralph/.ssh/known_hosts:1 debug2: bits set: 515/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /Users/ralph/.ssh/identity (0x0) debug2: key: /Users/ralph/.ssh/id_rsa (0x307090) debug2: key: /Users/ralph/.ssh/id_dsa (0x0) debug1: Authentications that can continue: publickey,keyboard-interactive debug3: start over, passed a different list publickey,keyboard-interactive debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /Users/ralph/.ssh/identity debug3: no such identity: /Users/ralph/.ssh/identity debug1: Offering public key: /Users/ralph/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa 
blen 149 debug2: input_userauth_pk_ok: fp ac:7c:b4:a4:b0:22:fc:28:82:d2:59:0a:41:9f:73:da debug3: sign_and_send_pubkey debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Entering interactive session. debug2: callback start debug2: ssh_session2_setup: id 0 debug2: channel 0: request pty-req debug3: tty_make_modes: ospeed 9600 debug3: tty_make_modes: ispeed 9600 debug3: tty_make_modes: 1 3 debug3: tty_make_modes: 2 28 debug3: tty_make_modes: 3 127 debug3: tty_make_modes: 4 21 debug3: tty_make_modes: 5 4 debug3: tty_make_modes: 6 255 debug3: tty_make_modes: 7 255 debug3: tty_make_modes: 8 17 debug3: tty_make_modes: 9 19 debug3: tty_make_modes: 10 26 debug3: tty_make_modes: 11 25 debug3: tty_make_modes: 12 18 debug3: tty_make_modes: 13 23 debug3: tty_make_modes: 14 22 debug3: tty_make_modes: 17 20 debug3: tty_make_modes: 18 15 debug3: tty_make_modes: 30 0 debug3: tty_make_modes: 31 0 debug3: tty_make_modes: 32 0 debug3: tty_make_modes: 33 0 debug3: tty_make_modes: 34 0 debug3: tty_make_modes: 35 0 debug3: tty_make_modes: 36 1 debug3: tty_make_modes: 38 1 debug3: tty_make_modes: 39 1 debug3: tty_make_modes: 40 0 debug3: tty_make_modes: 41 1 debug3: tty_make_modes: 50 1 debug3: tty_make_modes: 51 1 debug3: tty_make_modes: 53 1 debug3: tty_make_modes: 54 1 debug3: tty_make_modes: 55 0 debug3: tty_make_modes: 56 0 debug3: tty_make_modes: 57 0 debug3: tty_make_modes: 58 0 debug3: tty_make_modes: 59 1 debug3: tty_make_modes: 60 1 debug3: tty_make_modes: 61 1 debug3: tty_make_modes: 62 1 debug3: tty_make_modes: 70 1 debug3: tty_make_modes: 72 1 debug3: tty_make_modes: 73 0 debug3: tty_make_modes: 74 0 debug3: tty_make_modes: 75 0 debug3: tty_make_modes: 90 1 debug3: tty_make_modes: 91 1 debug3: tty_make_modes: 92 0 debug3: tty_make_modes: 93 0 debug2: channel 0: request shell debug2: fd 3 setting TCP_NODELAY debug2: 
callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 131072 Last login: Tue May 10 16:54:21 2005 from ibook.futurama Bender: I ain't your loverboy Flexo, the guy you love so much. You even love anybody pretending to be him! Angleyne: Well, maybe I love you so much I love you no matter who you're pretending to be. Bender: Oh, how I wish I could believe or understand that. ralph@bender ~ $
----------------------------------------------------------------------
For your information: bender is in my /etc/hosts file. Using an IP instead of a hostname does not change anything. Authentication is done by key exchange. Adding "VerifyReverseMapping no" to /etc/sshd_config and restarting sshd did not help.
When I ssh -vvv from my Linux box to any other box, the
debug3: Trying to reverse map address 192.168.178.21.
message does not turn up at all, although the /etc/ssh_config is identical on both hosts.
So any help is appreciated. I ssh around a lot, and this is one thing really getting on my nerves.

#6
Prospect
Join Date: May 2005
Posts: 2
I recently ran into a problem with reverse mapping - the sshd daemon was parsing and respecting the /etc/hosts.allow and /etc/hosts.deny files - usually used by tcpwrappers - in some cases if either of them uses a PARANOID setting (possibly others) that requires that the IP address be reverse mapped - this is independent of the sshd config file's setting (and it appears to supersede it in newer incarnations of ssh).

#7
Triple-A Player
Join Date: Oct 2003
Location: Montreal, QC
Posts: 72
This happens often with other unix systems when your DNS are not set properly.
Take a look at /etc/resolv.conf or in System Preferences/Network.

#8
Prospect
Join Date: May 2005
Posts: 2
@ FriendlyMacLover:
You seem to be on the right path. I made some whois queries, and realized that they are as slow as the ssh connects. FTP does not seem to be affected (at least using Cyberduck). I will investigate this further when I have more time.
@ mox:
I've suspected the DNS settings, too. Normally, my DSL router receives a DNS dynamically, and sets the DNS to the router IP on my ibook via DHCP. I've manually changed /etc/resolv.conf to the DNS provided by my provider, and the behaviour did not change at all.

#9
Prospect
Join Date: Jun 2004
Location: Derby, UK
Posts: 12
I had exactly the same problem. Altered the DNS order in the network tab to use my ISP first, and then the ADSL router second.
Running 'cat /etc/hosts' shows the order as:
nameserver [ISP IP]
nameserver [ Router IP]
Job done, works fine now.

#10
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
I think you meant: cat /etc/resolv.conf

#11
Triple-A Player
Join Date: Feb 2005
Location: Mass.
Posts: 100
I know nada about DNS (big shock). I know it is basically a forwarding service; I use DynDns to get to my computer in case the IP changes on me. Anyway, I changed the /etc/resolv.conf so they are now switched.
Under system pref/network I have nothing in my DNS spot. I never did before, so I am guessing this isn't my problem. I am on the road; I will see if the switching fixed my problem.

#12
Triple-A Player
Join Date: Feb 2005
Location: Mass.
Posts: 100
---------- This says no in mine....

#13
Triple-A Player
Join Date: Feb 2005
Location: Mass.
Posts: 100
OK, it is indeed better. I did an ssh from my laptop to myself, but I did it via my DNS name; it took about 7 seconds, and it took about 35 or so before I made the change. I have a sneaking suspicion it will resolve the lookupd service from exiting abnormally as well, but we shall see about that.

#14
Triple-A Player
Join Date: Feb 2005
Location: Mass.
Posts: 100
Well, I guess I lied, it isn't better. From my work it still took ages to get the prompt. Ah well, back to the drawing board.

#15
Prospect
Join Date: Jun 2004
Location: Derby, UK
Posts: 12
Thank you hayne, I did indeed mean resolv.conf.
KRaven0825, just a note. Careful which DNS servers you are using to resolve addresses. Some ISPs will not allow you to access the servers if you're not on their network. When you're at work, ask your IT folk for their DNS server address. In the Network pref pane add the IP address in there. It will/should change /etc/resolv.conf for you.
DNS resolves web addresses to their actual IP address. Not so much a forwarding service, although I understand what you mean with using DynDns. Even though you may be using the IP address to ssh to, you still need to have a correct DNS server set, or else ssh will hang on reverse mapping until it times out.
Are you trying to connect from home to work, or connect to a works server once you are at work? If you run
ssh -v -v -v -l (username) IP
and post the output, indicating the point the connection hangs, it might help to sort the problem.
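
Added example (editor's illustration, not written by any poster in this thread): ssh -vvv output carries no timestamps, so this Python sketch stamps each debug line with elapsed time and reports the step before the longest pause. The sample timings are constructed, and the `trace_ssh` and `largest_gap` names are hypothetical.

```python
import subprocess
import sys
import time

# Constructed sample: debug lines as in post #5, with made-up elapsed seconds.
SAMPLE = [
    (0.02, "debug1: Connecting to bender [192.168.178.21] port 22."),
    (0.03, "debug1: Connection established."),
    (0.05, "debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1"),
    (0.06, "debug3: Trying to reverse map address 192.168.178.21."),
    (60.06, "debug1: SSH2_MSG_KEXINIT sent"),
    (60.07, "debug1: SSH2_MSG_KEXINIT received"),
]

def largest_gap(stamped):
    """Return (gap_seconds, line_before, line_after) for the longest pause."""
    worst = (0.0, None, None)
    for (t0, before), (t1, after) in zip(stamped, stamped[1:]):
        if t1 - t0 > worst[0]:
            worst = (t1 - t0, before, after)
    return worst

def trace_ssh(args):
    """Run `ssh -vvv <args> true` and stamp each stderr line as it arrives.

    BatchMode=yes stops ssh from waiting on a password prompt, so a pause
    in the trace is a real stall rather than the user typing.
    """
    cmd = ["ssh", "-vvv", "-o", "BatchMode=yes", *args, "true"]
    start = time.monotonic()
    proc = subprocess.Popen(cmd, stderr=subprocess.PIPE,
                            stdout=subprocess.DEVNULL, text=True)
    stamped = [(time.monotonic() - start, line.rstrip())
               for line in proc.stderr]
    proc.wait()
    return stamped

if __name__ == "__main__":
    # With arguments (e.g. `-l user host`) trace a live connection;
    # with none, analyse the constructed sample above.
    data = trace_ssh(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    gap, before, after = largest_gap(data)
    print(f"longest pause: {gap:.1f}s")
    print(f"  after : {before}")
    print(f"  before: {after}")
```

A long pause directly after the "Trying to reverse map address" line points at name resolution rather than key exchange or authentication.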

#16
Prospect
Join Date: Jan 2002
Posts: 22
CheckHostIP no
Put this in /etc/ssh_config:
CheckHostIP no
(Note: ssh_config not sshd_config)

#17
Prospect
Join Date: Jun 2005
Location: Hsinchu
Posts: 3
I have exactly the same problem. But I'm not 100% sure it is caused by switching to Tiger, because at the same timeframe I also switched from using ssh1 to ssh2. There is a very big delay; ssh -vvv shows the delay is in:
debug3: Trying to reverse map address xxx.xxx.xxx.xxx.
All suggestions about ssh options, sshd_config or ssh_config files don't help. The only one that works as a workaround is editing /etc/resolv.conf to use the ISP DNS directly instead of your router. Unfortunately, if you must run DHCP, your router may just hide the ISP DNS from you. Your /etc/resolv.conf then gets overwritten. In my case it always looks like this:
nameserver 192.168.1.1
That is the LAN address of my wifi router...
When I by-pass the router the delays are gone. If I switch to another router, it is also gone. So I suppose the router behaviour is part of the problem. (But perhaps only in combination with Tiger. I don't know that.)
FYI: the router that gives me the problem is a Corega WLBARGP. The one I tried that worked is an ASUS WL-330g. They work slightly differently. I think the Corega gives me NAT, and inserts itself as intermediate DNS. The ASUS just passes the DHCP to the ISP, and gives back the result. BTW, my ISP is hinet.net. And they don't give me a fixed IP address, so I have to use DHCP to them.
So for now, the problem is not solved for me yet. But maybe the information helps others pinpointing the root cause.

#18
Prospect
Join Date: Jun 2005
Location: Hsinchu
Posts: 3
I found a blog describing the same problem. (In my case, the Corega router hangs on the same SRV requests).
http://www.liquidx.net/node/875
So the problem is definitely a combination of Tiger's openssh and certain routers.

#19
Prospect
Join Date: Jun 2005
Location: Hsinchu
Posts: 3
OK, Tiger ships with a modified openssh that tries to do too much. The workaround that works for me is to install a better one.
1. First install darwin ports from http://darwinports.opendarwin.org/getdp/
2. Prepend /opt/local/bin to your PATH variable. For example, in .profile, add PATH=/opt/local/bin:$PATH
3. sudo port install openssh
This bypasses Tiger's openssh with one that works.

#20
Prospect
Join Date: Jun 2005
Posts: 2
A workaround
1. edit your ~/.profile
2. ADD a line with: export PATH=/sw/bin:$PATH
3. Install ssh with fink
This version reads the file ~/.ssh/ssh_config correctly.
If you want your Terminal (CMD-Shift-K) to recognize the ssh client:
4. open a Terminal
5. # su root
6. # cd /usr/bin
7. # mv ssh shh.apple
8. # ln -s /sw/bin/ssh ssh
Maybe this is a problem with the lookupd which handles the OS X config files.
Schmunk
PS: You may also connect with ssh -1 server.tld, because CheckHostIP is only available in protocol version 2. But my keys were not working with -1