The macosxhints Forums > OS X Help Requests > Applications
Old 05-05-2005, 02:10 PM   #1
KRaven0825
Triple-A Player
 
Join Date: Feb 2005
Location: Mass.
Posts: 100
SSH delayed login since switch to Tiger

Anyone else notice it takes about 30 seconds to get a password prompt, then after that it works fine, no lag or delay except in the connection process? I remember a topic a while back containing ssh ways to tweak and speed it up but I am not sure where it went or if it would even apply in this situation. Any ideas?
Old 05-06-2005, 08:22 AM   #2
stetner
MVP
 
Join Date: Jan 2002
Location: Brisbane, Australia
Posts: 1,108
Turn off IPv6 in the network preference pane.
__________________
Douglas G. Stetner
UNIX Live Free Or Die
Old 05-06-2005, 09:12 AM   #3
KRaven0825
Triple-A Player
 
Join Date: Feb 2005
Location: Mass.
Posts: 100
OK, I checked it; it was off. Next idea?
Old 05-07-2005, 02:40 AM   #4
stetner
MVP
 
Join Date: Jan 2002
Location: Brisbane, Australia
Posts: 1,108
What about

VerifyReverseMapping yes

in the /etc/sshd_config.

This means when a connection comes in, your system tries to resolve the hostname from the IP address and see if it matches who the remote machine is saying it is.
__________________
Douglas G. Stetner
UNIX Live Free Or Die
Old 05-10-2005, 11:03 AM   #5
stifflersmom
Prospect
 
Join Date: May 2005
Posts: 2
I'm having the same problem.

SSH-ing from my iBook to any other ssh host in the local network or the internet causes this 60-second delay since upgrading to Tiger. After that, ssh works fine.

I've started an ssh session with verbose debugging to show where the problem occurs:

----------------------------------------------------------------------
ibook:~ ralph$ ssh -vvv bender
OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to bender [192.168.178.21] port 22.
debug1: Connection established.
debug1: identity file /Users/ralph/.ssh/identity type -1
debug3: Not a RSA1 key file /Users/ralph/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/ralph/.ssh/id_rsa type 1
debug1: identity file /Users/ralph/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: Trying to reverse map address 192.168.178.21.

--> 60 seconds delay <--

debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 527/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/ralph/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /Users/ralph/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'bender' is known and matches the RSA host key.
debug1: Found key in /Users/ralph/.ssh/known_hosts:1
debug2: bits set: 515/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/ralph/.ssh/identity (0x0)
debug2: key: /Users/ralph/.ssh/id_rsa (0x307090)
debug2: key: /Users/ralph/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/ralph/.ssh/identity
debug3: no such identity: /Users/ralph/.ssh/identity
debug1: Offering public key: /Users/ralph/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp ac:7c:b4:a4:b0:22:fc:28:82:d2:59:0a:41:9f:73:da
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug2: channel 0: request pty-req
debug3: tty_make_modes: ospeed 9600
debug3: tty_make_modes: ispeed 9600
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 127
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 255
debug3: tty_make_modes: 7 255
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 11 25
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 17 20
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 1
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 1
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 0
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 62 1
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: channel 0: request shell
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Tue May 10 16:54:21 2005 from ibook.futurama

Bender: I ain't your loverboy Flexo, the guy you love so much.
You even love anybody pretending to be him!
Angleyne: Well, maybe I love you so much I love you no matter
who you're pretending to be.
Bender: Oh, how I wish I could believe or understand that.

ralph@bender ~ $
----------------------------------------------------------------------

For your information: bender is in my /etc/hosts file. Using an IP instead of a hostname does not change anything.
Authentication is done by key exchange.

Adding "VerifyReverseMapping no" to /etc/sshd_config and restarting sshd did not help.

When I ssh -vvv from my Linux box to any other box, the
debug3: Trying to reverse map address 192.168.178.21.
message does not turn up at all, although the /etc/ssh_config is identical on both hosts.

So any help is appreciated. I ssh around a lot, and this is one thing really getting on my nerves.
Old 05-10-2005, 07:21 PM   #6
FriendlyMacLover
Prospect
 
Join Date: May 2005
Posts: 2
I recently ran into a problem with reverse mapping - the sshd daemon was parsing and respecting the /etc/hosts.allow and /etc/hosts.deny files - usually used by tcpwrappers - in some cases if either of them uses a PARANOID setting (possibly others) that requires that the IP address be reverse mapped - this is independent of the sshd config file's setting (and it appears to supersede it in newer incarnations of ssh).
Old 05-10-2005, 11:11 PM   #7
mox
Triple-A Player
 
Join Date: Oct 2003
Location: Montreal, QC
Posts: 72
This happens often with other Unix systems when your DNS is not set properly.

Take a look at /etc/resolv.conf or in System Preferences/Network.
Old 05-11-2005, 05:25 AM   #8
stifflersmom
Prospect
 
Join Date: May 2005
Posts: 2
@ FriendlyMacLover:
You seem to be on the right path. I made some whois queries, and realized that they are as slow as the ssh connects.

FTP does not seem to be affected (at least using Cyberduck).

I will investigate this further when I have more time.

@ mox:
I've suspected the DNS settings, too. Normally, my DSL router receives a DNS server dynamically, and sets the DNS to the router IP on my iBook via DHCP.
I've manually changed /etc/resolv.conf to the DNS provided by my provider, and the behaviour did not change at all.
Old 05-22-2005, 06:00 PM   #9
roballen
Prospect
 
Join Date: Jun 2004
Location: Derby, UK
Posts: 12
I had exactly the same problem. Altered the DNS order in the network tab to use my ISP first, and then the ADSL router second.

Running 'cat /etc/hosts' shows the order as:
nameserver [ISP IP]
nameserver [Router IP]

Job done, works fine now.
Old 05-22-2005, 06:05 PM   #10
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
Quote:
Originally Posted by roballen
Running 'cat /etc/hosts' shows the order as

I think you meant:
cat /etc/resolv.conf
Old 05-22-2005, 06:36 PM   #11
KRaven0825
Triple-A Player
 
Join Date: Feb 2005
Location: Mass.
Posts: 100
I know nada about DNS (big shock). I know it is basically a forwarding service; I use DynDns to get to my computer in case the IP changes on me. Anyway, I changed the /etc/resolv.conf so they are now switched.

Under System Preferences/Network I have nothing in my DNS spot. I never did before, so I am guessing this isn't my problem. I am on the road; I will see if the switching fixed my problem.
Old 05-22-2005, 06:38 PM   #12
KRaven0825
Triple-A Player
 
Join Date: Feb 2005
Location: Mass.
Posts: 100
Quote:
Originally Posted by stetner
What about

VerifyReverseMapping yes

in the /etc/sshd_config.

This means when a connection comes in, your system tries to resolve the hostname from the IP address and see if it matches who the remote machine is saying it is.


----------

This says no in mine....
Old 05-22-2005, 10:39 PM   #13
KRaven0825
Triple-A Player
 
Join Date: Feb 2005
Location: Mass.
Posts: 100
OK, it is indeed better. I did an ssh from my laptop to myself, but I did it via my DNS name; it took about 7 seconds, and it took about 35 or so before I made the change. I have a sneaking suspicion it will resolve the lookupd service from exiting abnormally as well, but we shall see about that.
Old 05-23-2005, 09:21 AM   #14
KRaven0825
Triple-A Player
 
Join Date: Feb 2005
Location: Mass.
Posts: 100
Well, I guess I lied. It isn't better; from my work it still took ages to get the prompt. Ah well, back to the drawing board.
Old 05-24-2005, 07:08 PM   #15
roballen
Prospect
 
Join Date: Jun 2004
Location: Derby, UK
Posts: 12
Thank you hayne, I did indeed mean resolv.conf.

KRaven0825, just a note. Careful which DNS servers you are using to resolve addresses. Some ISPs will not allow you to access the servers if you're not on their network.

When you're at work, ask your IT folk for their DNS server address. In the Network pref pane add the IP address in there. It will/should change /etc/resolv.conf for you.

DNS resolves web addresses to their actual IP address. Not so much a forwarding service, although I understand what you mean with using DynDns. Even though you may be using the IP address to ssh to, you still need to have a correct DNS server set, or else ssh will hang on reverse mapping until it times out.

Are you trying to connect from home to work, or connect to a works server once you are at work?

If you run ssh -v -v -v -l (username) IP and post the output, indicating the point the connection hangs, it might help to sort the problem.
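A way to pinpoint the stall without watching the terminal, as an added example that is not part of any post in this thread: it timestamps each `ssh -vvv` line as it arrives and reports the largest silence and the line that preceded it. The function names and the sample timestamps are constructed for illustration; the debug lines are taken from post #5.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find where an ssh handshake stalls.

# stamp_lines: prefix each line read from stdin with its arrival time (epoch seconds).
stamp_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s)" "$line"
    done
}

# find_stall: read "<epoch> <text>" lines and print "<seconds> <text>", where
# <text> is the last line seen before the longest silence.
find_stall() {
    awk '
        NR > 1 {
            gap = $1 - prev_ts
            if (gap > max_gap) { max_gap = gap; culprit = prev_line }
        }
        {
            prev_ts = $1
            prev_line = $0
            sub(/^[0-9]+ /, "", prev_line)   # drop the timestamp column
        }
        END {
            if (max_gap > 0) printf "%d %s\n", max_gap, culprit
            else print "0 no stall"
        }
    '
}

# stall_hint: map the line before the stall to the cause discussed in this thread.
stall_hint() {
    case "$1" in
        *"Trying to reverse map address"*)
            echo "reverse DNS lookup: check nameserver order in /etc/resolv.conf" ;;
        *)
            echo "stall is not at the reverse-map step" ;;
    esac
}

# sample_log: constructed timestamps on debug lines quoted from post #5.
sample_log() {
    cat <<'EOF'
1115740400 debug1: Connection established.
1115740400 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
1115740400 debug3: Trying to reverse map address 192.168.178.21.
1115740460 debug1: Miscellaneous failure
1115740461 debug1: SSH2_MSG_KEXINIT sent
EOF
}

# Live use (the remote command `true` makes the session end by itself):
#   ssh -vvv host true 2>&1 >/dev/null | stamp_lines | find_stall
```

Timestamps have one-second resolution, so only stalls of a second or more are reported.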
Old 05-27-2005, 06:53 AM   #16
kholburn
Prospect
 
Join Date: Jan 2002
Posts: 22
CheckHostIP no

Quote:
Originally Posted by KRaven0825
Anyone else notice it takes about 30 seconds to get a password prompt, then after that it works fine, no lag or delay except in the connection process? I remember a topic a while back containing ssh ways to tweak and speed it up but I am not sure where it went or if it would even apply in this situation. Any ideas?

Put this in /etc/ssh_config

CheckHostIP no

(Note: ssh_config not sshd_config)
Old 06-02-2005, 11:28 AM   #17
marcelk
Prospect
 
Join Date: Jun 2005
Location: Hsinchu
Posts: 3
I have exactly the same problem. But I'm not 100% sure it is caused by switching to Tiger, because in the same timeframe I also switched from using ssh1 to ssh2. There is a very big delay; ssh -vvv shows the delay is in:

debug3: Trying to reverse map address xxx.xxx.xxx.xxx.

All suggestions about ssh options, sshd_config or ssh_config files don't help. The only one that works as a workaround is editing /etc/resolv.conf to use the ISP DNS directly instead of your router.

Unfortunately, if you must run DHCP, your router may just hide the ISP DNS from you. Your /etc/resolv.conf then gets overwritten. In my case it always looks like this:

nameserver 192.168.1.1

That is the LAN address of my wifi router...

When I by-pass the router the delays are gone. If I switch to another router, it is also gone.

So I suppose the router behaviour is part of the problem. (But perhaps only in combination with Tiger. I don't know that.)

FYI: the router that gives me the problem is a Corega WLBARGP. The one I tried that worked is an ASUS WL-330g. They work slightly differently. I think the Corega gives me NAT, and inserts itself as intermediate DNS. The ASUS just passes the DHCP to the ISP, and gives back the result.

BTW, my ISP is hinet.net. And they don't give me fixed IP address, so I have to use DHCP to them.

So for now, the problem is not solved for me yet. But maybe the information helps others pinpointing the root-cause.
Old 06-02-2005, 12:34 PM   #18
marcelk
Prospect
 
Join Date: Jun 2005
Location: Hsinchu
Posts: 3
I found a blog describing the same problem. (In my case, the Corega router hangs on the same SRV requests).

http://www.liquidx.net/node/875

So the problem is definitely a combination of Tiger's openssh and certain routers.
Old 06-02-2005, 01:25 PM   #19
marcelk
Prospect
 
Join Date: Jun 2005
Location: Hsinchu
Posts: 3
OK, Tiger ships with a modified openssh that tries to do too much. The workaround that works for me is to install a better one.

1. First install DarwinPorts from http://darwinports.opendarwin.org/getdp/
2. Prepend /opt/local/bin to your PATH variable.
For example, in .profile, add PATH=/opt/local/bin:$PATH
3. sudo port install openssh

This bypasses Tiger's openssh with one that works.
Old 06-02-2005, 01:52 PM   #20
schmunk
Prospect
 
Join Date: Jun 2005
Posts: 2
A workaround

1. edit your ~/.profile
2. ADD a line with:
export PATH=/sw/bin:$PATH
3. Install ssh with fink
This version reads the file ~/.ssh/ssh_config correctly.


If you want your Terminal (CMD-Shift-K) to recognize the ssh client:
4. open a Terminal
5. # su root
6. # cd /usr/bin
7. # mv ssh shh.apple
8. # ln -s /sw/bin/ssh ssh


Maybe this is a problem with the lookupd which handles the OS X config files.

Schmunk

PS: You may also connect with ssh -1 server.tld, because CheckHostIP is only available in protocol version 2. But my keys were not working with -1.
All times are GMT -5.