SSHD suddenly takes SIX MINUTES to authenticate

From: Ralph Dratman (ralph@maxsoft.com)
Date: 02/01/03


Date: Fri, 31 Jan 2003 18:09:18 -0500
From: Ralph Dratman <ralph@maxsoft.com>
To: freebsd-security@freebsd.org

Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
every SSH client on every computer I've tried. My sshd setup had
worked fine for several years until just yesterday. I am now getting
"Timeout before authentication" errors in the system log. I can SSH
normally to other hosts.

On this host I am running FreeBSD 4.3.

For testing, I killed the running sshd task, then started a new one
using the -d (debug) switch. Now if I wait long enough I eventually
get logged in. Can anyone help me figure out what the problem might
be?

Following is the sshd console output showing a VERY slow login
attempt - it took about six minutes to connect! (I'm guessing the
debug switch turns off timeouts.)

Also after the long delay, the client screen says:

debug: krb5_cleanup_proc() called.

Thanks in advance for any suggestions.

----------------------------------

root@kq9 Fri Jan 31 17:07:52 /etc/ssh#/usr/sbin/sshd -d
debug: sshd version OpenSSH_2.2.0
debug: read DSA private key done
debug: Bind to port 22 on ::.
Server listening on :: port 22.
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from router.dratman.com port 4656
Connection from 192.168.1.1 port 4656
debug: Client protocol version 2.0; client software version PuTTY-Release-0.53b
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH_2.2.0
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-rsa,ssh-dss
debug: got kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug: got kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug: got kexinit: hmac-sha1,hmac-md5,none
debug: got kexinit: hmac-sha1,hmac-md5,none
debug: got kexinit: none,zlib,none
debug: got kexinit: none,zlib,none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: client->server blowfish-cbc hmac-sha1 none
debug: kex: server->client blowfish-cbc hmac-sha1 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 514/1024
debug: bits set: 529/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: userauth-request for user rd service ssh-connection method none
Failed none for rd from 192.168.1.1 port 4656 ssh2
debug: userauth-request for user rd service ssh-connection method password
Accepted password for rd from 192.168.1.1 port 4656 ssh2
debug: Entering interactive session for SSH2.
debug: server_init_dispatch_20
debug: channel_input_open: ctype session rchan 256 win 16384 max 16384
debug: open session
debug: channel 0: new [server-session]
debug: session_new: init
debug: session_new: session 0
debug: session_open: channel 0
debug: session_open: session 0: link with channel 0
debug: confirm session
debug: callback start
debug: session_by_channel: session 0 channel 0
debug: session_input_channel_req: session 0 channel 0 request pty-req reply 1
debug: session_pty_req: session 0 alloc /dev/ttyp1
debug: callback done
debug: callback start
debug: session_by_channel: session 0 channel 0
debug: session_input_channel_req: session 0 channel 0 request shell reply 1
debug: no set_nonblock for tty fd 4
debug: Setting controlling tty using TIOCSCTTY.
debug: no set_nonblock for tty fd 3
debug: callback done
debug: channel 0: rcvd adjust 59
debug: channel 0: rcvd adjust 62
debug: channel 0: rcvd adjust 69
debug: channel 0: rcvd adjust 64
debug: channel 0: rcvd adjust 2
debug: channel 0: rcvd adjust 21
debug: channel 0: rcvd adjust 2
debug: channel 0: rcvd adjust 35
debug: channel 0: rcvd adjust 14
debug: channel 0: rcvd adjust 108
debug: channel 0: rcvd adjust 21
debug: channel 0: rcvd adjust 15
debug: channel 0: rcvd adjust 24
debug: channel 0: rcvd adjust 11
debug: channel 0: rcvd adjust 14
debug: channel 0: rcvd adjust 116
debug: channel 0: rcvd adjust 29
debug: channel 0: rcvd adjust 2
debug: channel 0: rcvd adjust 29
