Re: SSH connection pause



Thanks for your response Per, please see my comments inserted below...

On May 23, 10:39 pm, p...@xxxxxxxxxxxx (Per Hedeland) wrote:
In article <1179909344.731327.163...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
theredm...@xxxxxxxxx writes:

I have a problem with an SSH server we have here, where any SSH
connections to it will take around 30 seconds before prompting the
user for a password. The most common cause of such pauses from reading
other posts would appear to be reverse lookups failing, but that
doesn't seem to be the case here.

Why don't you think so? It seems to match the symptoms perfectly.

Several reasons. DNS was my first port of call when I noticed this
problem. I spent a while checking that everything was set up correctly
and confirmed that I can do DNS lookups and reverse lookups either way,
from client to server or vice-versa. Also, from other posts I've read
about reverse lookups causing the connection to hang, the hang appears
to occur at a different point in the connection, according to the
debug output (though I concede that it could potentially occur at
various points). I tried an ssh connection from the server to
127.0.0.1, which also resulted in the connection delay.


Everything seems to go ok until the client requests the server's
protocol and SSH version. At that point, there is a pause for around
20 - 25 secs before it responds with "Remote protocol version 1.99,
remote software version OpenSSH_4.1".

The client doesn't "request" that, it's the first thing the server
sends, and it does so spontaneously. If it's waiting for a reverse DNS
lookup of the client's IP address, it won't send it until the lookup
completes or times out. You can simply telnet to port 22 on the server
and see the delay - on a properly working server you get the version
string immediately.

Interesting. I'd thought that the string was requested by the client
because of the kread in the truss output, which hangs for a while,
followed by the response from the server. I tried your suggestion of
telnetting to port 22, which produced the following output (server
names changed):

[root@myclient]:/# telnet mysshserver 22
Trying...
Connected to mysshserver.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.1

This confirms your suggestion that the protocol/version string is sent
by the server un-prompted. The SSH version string does take a similar
amount of time to appear (around 20-25 secs), suggesting that your
reverse lookup diagnosis is correct. This puzzles me, as I've checked
and confirmed that the reverse lookup is working.


If not DNS, it could also be a problem with IDENT lookup - I don't think
OpenSSH's sshd has that built in, but it's frequently built to use
libwrap, which may or may not do IDENT lookups depending on
compile-time settings and/or config (hosts.{allow,deny}). If you're simply
dropping incoming IDENT connections on the client due to firewall
config, the lookups will take a potentially long time to fail. It's
generally better to have the firewall respond with RST, or let the
connections through and the host stack will respond with RST due to
nothing listening on port 113.


This isn't something that I've yet considered. The OpenSSH install on
this server is an out-of-the-box pre-compiled version from IBM and is
identical to the version that is running without the same problem on
an apparently identical server. I've no idea whether IDENT would be
enabled in this build, but it's something for me to look into, so
thanks for the suggestion. For info, both the client and server are
behind the firewall, so there is no firewall in between the two servers
and hence nothing should be blocked. Also, we are not using
hosts.allow/deny files. For info, a telnet to the server on port 113
results in a failed connection, and netstat shows nothing listening on
port 113 on the server. The same is the case for the other server that
is working properly, though.

--Per Hedeland
p...@xxxxxxxxxxxx


Cheers,
Neil
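As an added example (not part of the thread, and not Per's or Neil's code): a small Python script that turns the two checks Per suggests into measurements, timing the SSH banner the way the telnet-to-port-22 test does and probing TCP/113 the way a libwrap IDENT lookup would, so a dropped IDENT connection (slow timeout) can be told apart from a clean RST (fast refusal). The fake_sshd stand-in, the diagnose() thresholds and its messages are my own assumptions.

```python
import socket
import threading
import time

# Added example, not from the thread: time the SSH banner as the telnet check
# does, and probe TCP/113 as a libwrap IDENT lookup would (RST vs. dropped).

def measure_banner(host, port=22, timeout=60.0):
    """Return (seconds until the first line arrived, banner text)."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.makefile("rb").readline().decode("ascii", "replace").strip()
    return time.monotonic() - start, banner

def probe_ident(host, port=113, timeout=3.0):
    """'refused' (RST, fails fast), 'timeout' (dropped, hangs) or 'open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"

def diagnose(banner_delay, ident_state, slow_after=5.0):
    """Map the two measurements onto the causes discussed in the thread."""
    if banner_delay < slow_after:
        return "banner prompt; the delay is later in the exchange"
    if ident_state == "timeout":
        return "slow banner and IDENT dropped: libwrap IDENT lookup likely"
    return "slow banner, IDENT fails fast: check reverse DNS of the client IP"

def fake_sshd(delay):
    """Constructed stand-in for a stalled sshd on loopback; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        time.sleep(delay)  # the pause the thread is chasing
        conn.sendall(b"SSH-2.0-OpenSSH_4.1\r\n")
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = fake_sshd(2.0)
    delay, banner = measure_banner("127.0.0.1", port)
    ident = probe_ident("127.0.0.1", timeout=1.0)
    print("%s after %.1fs, ident=%s: %s" % (banner, delay, ident, diagnose(delay, ident, 1.0)))
```

Against a real host, run measure_banner(host) and probe_ident(client_ip) from the server side to see which of the two lookups sshd is actually waiting on.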



