Old 03-02-2009, 03:25 PM
abdelkader belahcene
 
Default ssh connection takes long time

Hi,
When I connect to ssh server ( server running Redhat ) from debian it takes a long time to give me the prompt, while I receive the prompt rapidly when I connect from slackware or solaris?
thanks for help
 
Old 03-02-2009, 04:18 PM
"Douglas A. Tutty"
 
Default ssh connection takes long time

On Mon, Mar 02, 2009 at 05:25:08PM +0100, abdelkader belahcene wrote:
> When I connect to ssh server ( server running Redhat ) from debian it
> takes a long time to give me the prompt, while I receive the prompt rapidly
> when I connect from slackware or solaris?

Is your debian box doing a DNS search and the slackware or solaris not?
IOW, check the ssh_config files for debian, slackware, and solaris boxes
and see what's different. Since they're all running OpenSSH, it won't
be a source diff in the executable.

Doug.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 03-02-2009, 10:09 PM
Michael Iatrou
 
Default ssh connection takes long time

When the date was Monday 02 March 2009, abdelkader belahcene wrote:

> Hi,
> When I connect to ssh server ( server running Redhat ) from debian it
> takes a long time to give me the prompt, while I receive the prompt
> rapidly when I connect from slackware or solaris?
> thanks for help

Running ssh with -vvv option will give you a hint at which "step" you get
the delay.

--
Michael Iatrou


 
Old 03-02-2009, 10:25 PM
Sam Leon
 
Default ssh connection takes long time

abdelkader belahcene wrote:

> Hi,
> When I connect to ssh server ( server running Redhat ) from debian it
> takes a long time to give me the prompt, while I receive the prompt
> rapidly when I connect from slackware or solaris?
>
> thanks for help

See option "usedns" http://www.manpagez.com/man/5/sshd_config/ and
disable it if you want.


Sam


 
Old 03-13-2009, 12:41 PM
Abdelkader Belahcene
 
Default ssh connection takes long time

Thanks for answer,
but firstly, I am using an ssh client on my machine, the sshd is running
on remote server,
secondly, I connect to server with IP address and not with a name,
so no dns needed.
thanks


 
Old 03-13-2009, 01:12 PM
randall
 
Default ssh connection takes long time

Abdelkader Belahcene wrote:

> Thanks for answer,
> but firstly, I am using an ssh client on my machine, the sshd is running
> on remote server,
> secondly, I connect to server with IP address and not with a name,
> so no dns needed.
> thanks

not sure what the answer was, but do keep in mind that the server will
check the domain name for your IP that you connect with,


unless you are sure that your reverse DNS (PTR records) are OK, it might
be a dns issue overall, you can disable this check by the server in

/etc/ssh/sshd_config
and add
ReverseMappingCheck no

just see if it makes a difference

--

www.songshu.org
Just another collection of nuts


 
Old 03-13-2009, 02:34 PM
"Boyd Stephen Smith Jr."
 
Default ssh connection takes long time

On Friday 13 March 2009 08:41:52 Abdelkader Belahcene wrote:
> Thanks for answer,
> but firstly, I am using an ssh client on my machine, the sshd is running
> on remote server,
> secondly, I connect to server with IP address and not with a name,
> so no dns needed.

If you are using the OpenSSH daemon on the remote server and that
daemon is using the default configuration, it does a reverse DNS
lookup on the connecting IP before accepting the login.

IIRC, It is possible to disable this reverse DNS lookup in the
OpenSSH daemon configuration. It is not possible to disable this
lookup by adjusting the client configuration or version.

In general, you should make sure reverse DNS works for all your IPs.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
Old 03-13-2009, 02:42 PM
randall
 
Default ssh connection takes long time

Boyd Stephen Smith Jr. wrote:

> On Friday 13 March 2009 08:41:52 Abdelkader Belahcene wrote:
>
> If you are using the OpenSSH daemon on the remote server and that
> daemon is using the default configuration, it does a reverse DNS
> lookup on the connecting IP before accepting the login.
>
> IIRC, It is possible to disable this reverse DNS lookup in the
> OpenSSH daemon configuration. It is not possible to disable this
> lookup by adjusting the client configuration or version.
>
> In general, you should make sure reverse DNS works for all your IPs.

i doubt that this is a sensible default, if i'm wrong please let me know

as far as i know the only other time a reverse DNS is needed would be if
you are running a mail server, and even then i notice that the number of
mail servers actually checking for PTR records is very very small.


besides how would you do this with a dynamic IP, we are talking clients
here and you never know what ISP you might use when traveling around.
also i see very little function to this, besides some extra unneeded
info in the log i don't see any added security in this feature.


but then again, i might be wrong.


--

www.songshu.org
Just another collection of nuts


 
Old 03-13-2009, 03:09 PM
"Boyd Stephen Smith Jr."
 
Default ssh connection takes long time

On Friday 13 March 2009 10:42:16 randall wrote:
> Boyd Stephen Smith Jr. wrote:
> > On Friday 13 March 2009 08:41:52 Abdelkader Belahcene wrote:
> >
> >
> > If you are using the OpenSSH daemon on the remote server and that
> > daemon is using the default configuration, it does a reverse DNS
> > lookup on the connecting IP before accepting the login.
> i doubt that this is a sensible default, if i'm wrong please let me
> know

I'm not involved in the development or packaging of OpenSSH for
Debian, so I don't know why this decision was made. It must have
some clear advantage, otherwise it wouldn't be worth the DNS lookup.
If you are really interested, I suggest you mail the package
maintainer(s) and/or upstream developer(s).

It's been the default for years though, so maybe the original reason
is forgotten. If that's true, raising the issue with the
maintainer(s) and developer(s) could cause the default to be
re-evaluated or, at least, the reasoning to be re-discovered.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
Old 03-13-2009, 05:31 PM
Chris Davies
 
Default ssh connection takes long time

Boyd Stephen Smith Jr. wrote:
> In general, you should make sure reverse DNS works for all your IPs.

randall <randall@songshu.org> wrote:
> i doubt that this is a sensible default, if i'm wrong please let me
> know

All systems should have an rDNS record to map the number back to a
name. Ideally, that canonical name should also have a mapping back to
the number.

In the case of dynamic IP ranges, the rDNS record might map back to an
entry that mimics the IP address itself, but tagged on to the end of
that is the organisation responsible for that IP address. For example,
10.11.12.13 might map to 13-12-11-10.dynamic.someisp.net, and it's
easy to see that "someisp.net" is in some way responsible for that IP
address. (I know you can determine IP address ranges via ARIN/RIPE/APNIC,
etc. but that is /much/ more heavyweight.)

If you don't have any rDNS entry at all, OpenSSH (amongst other subsystems
and applications) will hang until the resolver times out.

IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.


> besides how would you do this with a dynamic IP, we are talking clients
> here and you never know what ISP you might use when traveling around.

Your client is irrelevant in this scenario. The ISP should provide rDNS
entries that map its own address space.


> also i see very little function to this, besides some extra unneeded
> info in the log i don't see any added security in this feature.

Added security? Probably not a lot in this case. Convenience when trying
to work out who's thumping your box again? Possibly.

Chris
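
The reverse-then-forward lookup discussed in this thread, as an added example that is not part of any poster's message: it times the PTR lookup for an address and checks that the returned name maps back to the same address. The function name `check_rdns`, its `reverse`/`forward` parameters and the `slow_after` threshold are assumptions of this example.

```python
import ipaddress
import socket
import time


def check_rdns(ip, reverse=socket.gethostbyaddr, forward=socket.getaddrinfo,
               slow_after=2.0):
    """Resolve ip to a name, then confirm that name maps back to ip.

    reverse/forward default to the system resolver; they are parameters
    (an assumption of this example) so constructed data can be substituted.
    """
    want = ipaddress.ip_address(ip)
    result = {"ip": ip, "name": None, "reverse_s": 0.0, "forward_s": 0.0}

    start = time.monotonic()
    try:
        result["name"] = reverse(ip)[0]          # PTR lookup
    except OSError:                              # herror, gaierror, timeout
        pass
    result["reverse_s"] = time.monotonic() - start

    if result["name"] is None:
        result["status"] = "no-ptr"
    else:
        start = time.monotonic()
        try:
            infos = forward(result["name"], None)  # A/AAAA lookup
        except OSError:
            infos = []
        result["forward_s"] = time.monotonic() - start
        # Strip any IPv6 scope id before comparing addresses.
        found = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
        result["status"] = "ok" if want in found else "forward-mismatch"

    # A long total is the kind of wait described in the thread.
    result["slow"] = result["reverse_s"] + result["forward_s"] > slow_after
    return result


if __name__ == "__main__":
    import sys
    for addr in sys.argv[1:]:                    # e.g. the client's address
        print(check_rdns(addr))
```

Run it on the server with the connecting client's address as the argument, so the lookups go through the same resolver the daemon uses.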


 
