GSSAPIAuthentication slows down ssh

Bug #96472 reported by Sandeep Raja Rao on 2007-03-26
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Undecided
Unassigned
Nominated for Feisty by Chris Malton

Bug Description

I never used to get this debug1: error previously. After upgrading I am getting it.

Also ssh is now slow.

sandeep@star:~$ ssh root@10.0.0.25 -v
OpenSSH_4.3p2 Debian-8ubuntu1, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.0.0.25 [10.0.0.25] port 22.
debug1: Connection established.
debug1: identity file /home/sandeep/.ssh/identity type -1
debug1: identity file /home/sandeep/.ssh/id_rsa type -1
debug1: identity file /home/sandeep/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
ICE default IO error handler doing an exit(), pid = 8211, errno = 11
ICE default IO error handler doing an exit(), pid = 8366, errno = 11
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.0.0.25' is known and matches the RSA host key.
debug1: Found key in /home/sandeep/.ssh/known_hosts:27
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

Brian Murray (brian-murray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. What is the fully qualified domain name of 10.0.0.25? Thanks in advance.

Changed in openssh:
assignee: nobody → brian-murray
status: Unconfirmed → Needs Info

servepath is the fully qualified name of 10.0.0.25.

On 3/28/07, Brian Murray <email address hidden> wrote:
>
> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. What is the fully qualified domain name of 10.0.0.25? Thanks in
> advance.
>
> ** Changed in: Ubuntu
> Sourcepackagename: None => openssh
>
> ** Changed in: openssh (Ubuntu)
> Assignee: (unassigned) => Brian Murray
> Status: Unconfirmed => Needs Info
>

I just noticed the problem as well. There is about a 5-second delay when I ssh to a local server. After changing "GSSAPIAuthentication yes" to "GSSAPIAuthentication no" in /etc/ssh/ssh_config, ssh login is almost instantaneous.

wenzhuo@thinkpad:~$ ssh -v panda
OpenSSH_4.3p2 Debian-8ubuntu1, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /home/wenzhuo/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to panda [172.16.10.1] port 22.
debug1: Connection established.
debug1: identity file /home/wenzhuo/.ssh/identity type -1
debug1: identity file /home/wenzhuo/.ssh/id_rsa type -1
debug1: identity file /home/wenzhuo/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 Debian-7ubuntu3.1
debug1: match: OpenSSH_4.2p1 Debian-7ubuntu3.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'panda' is known and matches the RSA host key.
debug1: Found key in /home/wenzhuo/.ssh/known_hosts:104
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/wenzhuo/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Linux panda 2.6.15-28-686 #1 SMP PREEMPT Thu Feb 1 16:14:07 UTC 2007 i686 GNU/Linux

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Apr 2 13:30:48 2007 from 172.16.10.32

Brian Murray (brian-murray) wrote :

Sandeep, servepath is only the hostname. A fully qualified domain name would be something like bugs.launchpad.net. Wenzhuo, what is the fully qualified domain name of the host you are connecting to? Thanks again everyone.

Wenzhuo Zhang (wenzhuo) wrote :

panda.zhmail.com, it's a machine on the same LAN as thinkpad. I run dnscache on thinkpad, and the TTL of panda.zhmail.com is 2 days, and I put "172.16.10.32 thinkpad" in panda:/etc/hosts, so the delay was not caused by DNS resolving. Considering that the delay occurred as ssh printed out the following warning message:

-----------------------------------------------------------
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error
-----------------------------------------------------------

it must have been introduced by the "GSSAPIAuthentication yes" parameter in ssh_config. Since average users don't use Kerberos, I think the parameter should default to "no".

Brian Murray (brian-murray) wrote :

I can confirm that changing "GSSAPIAuthentication" to "no" does make ssh faster and removes the 'debug1: An invalid name was supplied' error messages.

Changed in openssh:
assignee: brian-murray → nobody
status: Needs Info → Confirmed

Thanks for the solution.

I should have registered with the mail id <email address hidden> which I check
regularly.

Should find out how to update profile.

Thanks anyway.

Sandeep

On 4/4/07, Brian Murray <email address hidden> wrote:
>
> I can confirm that changing "GSSAPIAuthentication" to "no" does make ssh
> faster and removes the 'debug1: An invalid name was supplied' error
> messages.
>
> ** Changed in: openssh (Ubuntu)
> Assignee: Brian Murray => (unassigned)
> Status: Needs Info => Confirmed
>
> ** Summary changed:
>
> - ssh and delay
> + GSSAPIAuthentication slows down ssh
>

Chris Malton (chrism-cjsoftuk) wrote :

Confirmed here as well.

Delays of up to 3 minutes or more.

Please fix.

Ryan (ubuntu-draziw) wrote :

The change fixes the delay, and it is odd that it was set to yes in the default ubuntu config since the yes setting conflicts with the man page
-
     GSSAPIAuthentication
             Specifies whether user authentication based on GSSAPI is allowed. The default is “no”. Note that this option applies to
             protocol version 2 only.
-

Ryan wrote:
> *** This bug is a duplicate of bug 84899 ***
> https://bugs.launchpad.net/bugs/84899
>
> The change fixes the delay, and it is odd that it was set to yes in the default ubuntu config since the yes setting conflicts with the man page
> -
> GSSAPIAuthentication
> Specifies whether user authentication based on GSSAPI is allowed. The default is “no”. Note that this option applies to
> protocol version 2 only.

There is no conflict. You misunderstood what default means. It just
means if you don't explicitly specify GSSAPIAuthentication in ssh_config,
it defaults to "no". But, the openssh package maintainer decided to
specify "GSSAPIAuthentication yes" for some unknown reason.

On a desktop on the same LAN, GSSAPIAuthentication does not introduce
noticeable delay. I have yet to investigate why.

Wenzhuo
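
The distinction drawn above between the compiled-in default and a value set explicitly in a configuration file can be checked mechanically. The following is an added example, not part of the original thread and not OpenSSH code: a simplified resolver for ssh_config's "first obtained value wins" rule across the user file and the system-wide file. The sample file contents and the host name kerberized.example.com are constructed, and only `Host` blocks with `*`, `?` and `!` patterns are handled.

```python
import fnmatch
import re

# Constructed sample files, not copied from any real system.
SYSTEM_CONFIG = """\
Host *
    SendEnv LANG LC_*
    GSSAPIAuthentication yes
"""
USER_CONFIG = """\
# Keep GSSAPI for one Kerberos host (hypothetical name), disable it elsewhere.
Host kerberized.example.com
    GSSAPIAuthentication yes
Host *
    GSSAPIAuthentication = no
"""

def host_matches(patterns, host):
    """Host line semantics: a negated (!) match vetoes, else any match wins."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_option(option, host, configs, compiled_default="no"):
    """Return (value, source) for `option` when connecting to `host`.

    `configs` is a list of (name, text) in the order ssh reads them:
    the user's file first, then the system-wide one.
    """
    for name, text in configs:
        active = True  # lines before the first Host block apply to all hosts
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            key, arg = parts[0].lower(), parts[1] if len(parts) > 1 else ""
            if key == "host":
                active = host_matches(arg.split(), host)
            elif active and key == option.lower():
                return arg.strip('"').lower(), name  # first obtained value wins
    return compiled_default, "built-in default"
```

Because the user's file is read before /etc/ssh/ssh_config, a `Host *` entry there overrides the packaged setting without editing the system file. On current OpenSSH releases, `ssh -G <host>` prints the values the client actually resolved.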

Andrey Nauman (andrey-nauman) wrote :

Confirmed.
Experiencing about 10 second delay doing just ssh to my local home network's router (ssh root@10.0.0.1). Commenting out GSSAPIAuthentication eliminated the issue. Was VERY annoying.
Only Feisty affected. There was no problem on 6.10.

==================
...
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error
...
