Long delays on SSH login from an Ubuntu system
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
Confirmed
|
Medium
|
Unassigned |
Bug Description
Binary package hint: openssh-client
When trying to SSH from a freshly installed and updated Feisty system, there is a delay of several seconds (like 5-10) before the login goes through. After the login goes through all the rest of the operation is normal. I have tried to login into different systems including RHEL4, CentOS 4 and FreeBSD with the same result. Using -vvv switch to SSH I have found the following: (pasting only relevant part of the log):
debug1: identity file /home/jeld/
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug1: Miscellaneous failure
Improper format of Kerberos configuration file
debug1: Miscellaneous failure
Improper format of Kerberos configuration file
debug1: Miscellaneous failure
Improper format of Kerberos configuration file
debug1: Miscellaneous failure
Improper format of Kerberos configuration file
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-
I have installed krb5-config and the problem went away. I suppose the solution would be to either include krb5-config with the main install, so there is a minimal config file, or recompile SSH without kerberos support.
I can confirm this. After upgrade from Ubuntu 6.06 to 7.04 I noticed some delays between invoking ssh (in the shell) and password prompt.
I do some search with Wiershark, and I could see that client key exchange init time delta from previous packet is over 10 sec., i.e:
pkt 10: SSH v2 Server: Key Exchange Init, Time delta from previous packet = 0.015022000 s.
pkt 11: Client to Server ACK, Time delta from previous packet = 0.039764000 s.
pkt 12: SSH v2 Client: Key Exchange Init, Time delta from previous packet = 10.89677000 s.
I've installed krb5-config as Dimitriy suggest, and client key exchange init time delta is reduced to 0.040810000 s. or less.
I think it is not a good idea to recomplie openssh-client without kerberos support. The better way, IMHO, is to include krb5-config package as dependency for openssh-client pkg.