Re: SSH connection pause



In article <1179909344.731327.163870@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
theredmini@xxxxxxxxx writes:

> I have a problem with an SSH server we have here, where any SSH
> connections to it will take around 30 seconds before prompting the
> user for a password. The most common cause of such pauses from reading
> other posts would appear to be reverse lookups failing, but that
> doesn't seem to be the case here.

Why don't you think so? It seems to match the symptoms perfectly.

> Everything seems to go ok until the client requests the server's
> protocol and SSH version. At that point, there is a pause for around
> 20 - 25 secs before it responds with "Remote protocol version 1.99,
> remote software version OpenSSH_4.1".

The client doesn't "request" that, it's the first thing the server
sends, and it does so spontaneously. If it's waiting for a reverse DNS
lookup of the client's IP address, it won't send it until the lookup
completes or times out. You can simply telnet to port 22 on the server
and see the delay - on a properly working server you get the version
string immediately.

If not DNS, it could also be a problem with IDENT lookup - I don't think
OpenSSH's sshd has that built in, but it's frequently built to use
libwrap, which may or may not do IDENT lookups depending on
compile-time settings and/or config (hosts.{allow,deny}). If you're simply
dropping incoming IDENT connections on the client due to firewall
config, the lookups will take a potentially long time to fail. It's
generally better to have the firewall respond with RST, or let the
connections through and the host stack will respond with RST due to
nothing listening on port 113.

--Per Hedeland
per@xxxxxxxxxxxx
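As an added example (not part of Per's post, and not OpenSSH code), here is a Python version of the telnet check above: connect, send nothing, and time how long the server takes to volunteer its version string, then parse the "SSH-1.99-OpenSSH_4.1" form the poster saw. The `fake_sshd` helper is a constructed stand-in that stalls before sending the banner so the script runs offline; point `measure_banner_delay` at a real host and port 22 to check an actual server.

```python
import re
import socket
import threading
import time

# Identification string, e.g. "SSH-1.99-OpenSSH_4.1" -> ("1.99", "OpenSSH_4.1"),
# the two values the original poster saw reported by the client.
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")

def parse_banner(line):
    m = BANNER_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def measure_banner_delay(host, port=22, timeout=60.0):
    """Connect and, without sending anything, wait for the server's version
    line. Returns (seconds from connect to banner, parsed banner). A healthy
    sshd answers at once; one blocked on a DNS or IDENT lookup makes you wait."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        started = time.monotonic()
        data = b""
        while b"\n" not in data:
            chunk = sock.recv(256)
            if not chunk:
                raise ConnectionError("server closed without sending a banner")
            data += chunk
        elapsed = time.monotonic() - started
    line = data.split(b"\n", 1)[0].decode("ascii", "replace")
    return elapsed, parse_banner(line)

def fake_sshd(delay, banner=b"SSH-1.99-OpenSSH_4.1\r\n"):
    """Constructed stand-in for sshd (not a real server): accepts one client,
    sleeps `delay` seconds to mimic a stalled lookup, then sends the banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            time.sleep(delay)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = fake_sshd(delay=2.0)   # constructed 2 s stall
    secs, (proto, sw) = measure_banner_delay("127.0.0.1", port)
    print(f"banner after {secs:.1f}s: protocol {proto}, software {sw}")
```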