SSH server login delayed

older
Re: [SLE] Is there a fix to the...

Benjamin Hornberger

22 Feb 2005 22 Feb '05

21:03

Hi all, I hope somebody can help me with the following problem -- sorry for the lengthy explanation. I have a machine running SUSE 9.2 Pro in a large research lab. It has a unique IP address, but is not directly accessible from the outside world through the lab's firewall. Instead, the lab offers SSH gateways (running Debian 3.1) to which you can log in from outside, and from there you can ssh to machines in the lab. This is as much as I know about the lab's network structure. My machine also serves as a gateway between a small private subnet and the research lab network. Now I have the problem that if I want to log onto my machine from the lab's SSH gateway, it takes 30 seconds for the SSH server to respond and prompt for the password, which is quite annoying. If I log on from the private subnet, I get the password prompt immediately. If I log on from inside the lab's network, I get the immediate response as well. If I ping my machine from the SSH gateway, I get an immediate response. If I try to log onto a different Linux machine inside the lab's network from the SSH gateway (Redhat 7.3), I get an immediate response. So it looks like it's something between my machine's SSH server and the SSH gateway's SSH client. The problem is independent of the machine's firewall settings (the same with the SUSE firewall on or off). One hint might be that: If I log onto any other Linux machine from my Windows laptop (SSH Secure Shell 3.2.9), I get a popup window with a prompt saying "Enter Password". I type my password, and I'm there. For that SUSE machine though, I get a popup saying "Enter your authentication response" and a password field. I enter the password, and then another window pops up again saying "Enter your authentication response", and OK and cancel buttons. I first have to click OK, then I'm logged on. So maybe the server expects a different authentication mechanism and falls back to password after a while? But why does the login go quickly then from any machine other than the SSH gateway? Any help is greatly appreciated! Thanks, Benjamin

Show replies by date

Sunny

22 Feb 22 Feb

21:11

New subject: [SLE] SSH server login delayed

On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

...

Hi all,

I hope somebody can help me with the following problem -- sorry for the lengthy explanation.

I have a machine running SUSE 9.2 Pro in a large research lab. It has a unique IP address, but is not directly accessible from the outside world through the lab's firewall. Instead, the lab offers SSH gateways (running Debian 3.1) to which you can log in from outside, and from there you can ssh to machines in the lab. This is as much as I know about the lab's network structure.

My machine also serves as a gateway between a small private subnet and the research lab network.

Now I have the problem that if I want to log onto my machine from the lab's SSH gateway, it takes 30 seconds for the SSH server to respond and prompt for the password, which is quite annoying. If I log on from the private subnet, I get the password prompt immediately. If I log on from inside the lab's network, I get the immediate response as well. If I ping my machine from the SSH gateway, I get an immediate response. If I try to log onto a different Linux machine inside the lab's network from the SSH gateway (Redhat 7.3), I get an immediate response. So it looks like it's something between my machine's SSH server and the SSH gateway's SSH client.

The problem is independent of the machine's firewall settings (the same with the SUSE firewall on or off).

One hint might be that: If I log onto any other Linux machine from my Windows laptop (SSH Secure Shell 3.2.9), I get a popup window with a prompt saying "Enter Password". I type my password, and I'm there. For that SUSE machine though, I get a popup saying "Enter your authentication response" and a password field. I enter the password, and then another window pops up again saying "Enter your authentication response", and OK and cancel buttons. I first have to click OK, then I'm logged on. So maybe the server expects a different authentication mechanism and falls back to password after a while? But why does the login go quickly then from any machine other than the SSH gateway?

Any help is greatly appreciated! Thanks,

Benjamin

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

Check SuSE machines /etc/ssh/sshd_config file for entry "Protocol". Most probably it is set to something like 2,1, which means that first it tries version 2 of the protocol, and then ver. 1. Check /ect/ssh/ssh_config (note, not sshd_config) on the gateway for the same setting. There it may be set to 1,2, so it tries first to negotiate ver.1, and if fails, ver.2 Most probably this have to be the problem. Cheers Sunny -- Get Firefox http://www.spreadfirefox.com/?q=affiliates&id=10745&t=85

Benjamin Hornberger

22:59

New subject: [SLE] SSH server login delayed

At 03:11 PM 2/22/2005 -0600, Sunny wrote:

...

On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

...
Hi all,

I hope somebody can help me with the following problem -- sorry for the lengthy explanation.

I have a machine running SUSE 9.2 Pro in a large research lab. It has a unique IP address, but is not directly accessible from the outside world through the lab's firewall. Instead, the lab offers SSH gateways (running Debian 3.1) to which you can log in from outside, and from there you can ssh to machines in the lab. This is as much as I know about the lab's network structure.

My machine also serves as a gateway between a small private subnet and the research lab network.

Now I have the problem that if I want to log onto my machine from the lab's SSH gateway, it takes 30 seconds for the SSH server to respond and prompt for the password, which is quite annoying. If I log on from the private subnet, I get the password prompt immediately. If I log on from inside the lab's network, I get the immediate response as well. If I ping my machine from the SSH gateway, I get an immediate response. If I try to log onto a different Linux machine inside the lab's network from the SSH gateway (Redhat 7.3), I get an immediate response. So it looks like it's something between my machine's SSH server and the SSH gateway's SSH client.

The problem is independent of the machine's firewall settings (the same with the SUSE firewall on or off).

One hint might be that: If I log onto any other Linux machine from my Windows laptop (SSH Secure Shell 3.2.9), I get a popup window with a prompt saying "Enter Password". I type my password, and I'm there. For that SUSE machine though, I get a popup saying "Enter your authentication response" and a password field. I enter the password, and then another window pops up again saying "Enter your authentication response", and OK and cancel buttons. I first have to click OK, then I'm logged on. So maybe the server expects a different authentication mechanism and falls back to password after a while? But why does the login go quickly then from any machine other than the SSH gateway?

Any help is greatly appreciated! Thanks,

Benjamin

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

Check SuSE machines /etc/ssh/sshd_config file for entry "Protocol". Most probably it is set to something like 2,1, which means that first it tries version 2 of the protocol, and then ver. 1. Check /ect/ssh/ssh_config (note, not sshd_config) on the gateway for the same setting. There it may be set to 1,2, so it tries first to negotiate ver.1, and if fails, ver.2 Most probably this have to be the problem.

Unfortunately, this didn't help. Any more hints? Thanks, Benjamin

Sunny

23:06

New subject: [SLE] SSH server login delayed

On Tue, 22 Feb 2005 17:59:29 -0500, Benjamin Hornberger wrote:

...

At 03:11 PM 2/22/2005 -0600, Sunny wrote:

...
On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

...
Hi all,

I hope somebody can help me with the following problem -- sorry for the lengthy explanation.

I have a machine running SUSE 9.2 Pro in a large research lab. It has a unique IP address, but is not directly accessible from the outside world through the lab's firewall. Instead, the lab offers SSH gateways (running Debian 3.1) to which you can log in from outside, and from there you can ssh to machines in the lab. This is as much as I know about the lab's network structure.

My machine also serves as a gateway between a small private subnet and the research lab network.

Now I have the problem that if I want to log onto my machine from the lab's SSH gateway, it takes 30 seconds for the SSH server to respond and prompt for the password, which is quite annoying. If I log on from the private subnet, I get the password prompt immediately. If I log on from inside the lab's network, I get the immediate response as well. If I ping my machine from the SSH gateway, I get an immediate response. If I try to log onto a different Linux machine inside the lab's network from the SSH gateway (Redhat 7.3), I get an immediate response. So it looks like it's something between my machine's SSH server and the SSH gateway's SSH client.

The problem is independent of the machine's firewall settings (the same with the SUSE firewall on or off).

One hint might be that: If I log onto any other Linux machine from my Windows laptop (SSH Secure Shell 3.2.9), I get a popup window with a prompt saying "Enter Password". I type my password, and I'm there. For that SUSE machine though, I get a popup saying "Enter your authentication response" and a password field. I enter the password, and then another window pops up again saying "Enter your authentication response", and OK and cancel buttons. I first have to click OK, then I'm logged on. So maybe the server expects a different authentication mechanism and falls back to password after a while? But why does the login go quickly then from any machine other than the SSH gateway?

Any help is greatly appreciated! Thanks,

Benjamin

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

Check SuSE machines /etc/ssh/sshd_config file for entry "Protocol". Most probably it is set to something like 2,1, which means that first it tries version 2 of the protocol, and then ver. 1. Check /ect/ssh/ssh_config (note, not sshd_config) on the gateway for the same setting. There it may be set to 1,2, so it tries first to negotiate ver.1, and if fails, ver.2 Most probably this have to be the problem.

Unfortunately, this didn't help. Any more hints?

Thanks, Benjamin

Not really, but I would try to set the debug level of sshd on the SuSE box at the highest one and see in the log file if the delay happens internally or you should look for some networking problem. Sunny -- Get Firefox http://www.spreadfirefox.com/?q=affiliates&id=10745&t=85

Doug Currey

23:53

New subject: [SLE] SSH server login delayed

...

At 03:11 PM 2/22/2005 -0600, Sunny wrote:

...
On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

...
Hi all,

I hope somebody can help me with the following problem -- sorry for

...

...
...
lengthy explanation.

I have a machine running SUSE 9.2 Pro in a large research lab. It has a unique IP address, but is not directly accessible from the outside world through the lab's firewall. Instead, the lab offers SSH gateways (running Debian 3.1) to which you can log in from outside, and from there you can ssh to machines in the lab. This is as much as I know about the lab's network structure.

My machine also serves as a gateway between a small private subnet and

...

...
...
research lab network.

Now I have the problem that if I want to log onto my machine from the lab's SSH gateway, it takes 30 seconds for the SSH server to respond and

...

...
...
for the password, which is quite annoying. If I log on from the

...

...
...
subnet, I get the password prompt immediately. If I log on from inside

...

...
...
lab's network, I get the immediate response as well. If I ping my machine from the SSH gateway, I get an immediate response. If I try to log onto a different Linux machine inside the lab's network from the SSH gateway (Redhat 7.3), I get an immediate response. So it looks like it's something between my machine's SSH server and the SSH gateway's SSH client.

The problem is independent of the machine's firewall settings (the same with the SUSE firewall on or off).

One hint might be that: If I log onto any other Linux machine from my Windows laptop (SSH Secure Shell 3.2.9), I get a popup window with a

...

...
...
saying "Enter Password". I type my password, and I'm there. For that SUSE machine though, I get a popup saying "Enter your authentication response" and a password field. I enter the password, and then another window

...

...
...
again saying "Enter your authentication response", and OK and cancel buttons. I first have to click OK, then I'm logged on. So maybe the server expects a different authentication mechanism and falls back to

On Tue, 22 Feb 2005 17:59:29 -0500, Benjamin Hornberger wrote the the prompt private the prompt pops up password

...

...
...
after a while? But why does the login go quickly then from any machine other than the SSH gateway?

Any help is greatly appreciated! Thanks,

Benjamin

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

Check SuSE machines /etc/ssh/sshd_config file for entry "Protocol". Most probably it is set to something like 2,1, which means that first it tries version 2 of the protocol, and then ver. 1. Check /ect/ssh/ssh_config (note, not sshd_config) on the gateway for the same setting. There it may be set to 1,2, so it tries first to negotiate ver.1, and if fails, ver.2 Most probably this have to be the problem.

Unfortunately, this didn't help. Any more hints?

Thanks, Benjamin

I think I had a similar problem. If memory serves it was do to the reverse dns not resolving correctly.

Benjamin Hornberger

23 Feb 23 Feb

00:04

New subject: [SLE] SSH server login delayed

At 06:53 PM 2/22/2005 -0500, Doug Currey wrote:

...

...
At 03:11 PM 2/22/2005 -0600, Sunny wrote:

...
On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

...
Hi all,

I hope somebody can help me with the following problem -- sorry for

...
...
...
lengthy explanation.

I have a machine running SUSE 9.2 Pro in a large research lab. It has a unique IP address, but is not directly accessible from the outside world through the lab's firewall. Instead, the lab offers SSH gateways (running Debian 3.1) to which you can log in from outside, and from there you can ssh to machines in the lab. This is as much as I know about the lab's network structure.

My machine also serves as a gateway between a small private subnet and

...
...
...
research lab network.

Now I have the problem that if I want to log onto my machine from the lab's SSH gateway, it takes 30 seconds for the SSH server to respond and

...
...
...
for the password, which is quite annoying. If I log on from the

...
...
...
subnet, I get the password prompt immediately. If I log on from inside

...
...
...
lab's network, I get the immediate response as well. If I ping my machine from the SSH gateway, I get an immediate response. If I try to log onto a different Linux machine inside the lab's network from the SSH gateway (Redhat 7.3), I get an immediate response. So it looks like it's something between my machine's SSH server and the SSH gateway's SSH client.

The problem is independent of the machine's firewall settings (the same with the SUSE firewall on or off).

One hint might be that: If I log onto any other Linux machine from my Windows laptop (SSH Secure Shell 3.2.9), I get a popup window with a

...
...
...
saying "Enter Password". I type my password, and I'm there. For that SUSE machine though, I get a popup saying "Enter your authentication response" and a password field. I enter the password, and then another window

...
...
...
again saying "Enter your authentication response", and OK and cancel buttons. I first have to click OK, then I'm logged on. So maybe the server expects a different authentication mechanism and falls back to

On Tue, 22 Feb 2005 17:59:29 -0500, Benjamin Hornberger wrote the the prompt private the prompt pops up password

...
...
...
after a while? But why does the login go quickly then from any machine other than the SSH gateway?

Any help is greatly appreciated! Thanks,

Benjamin

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

Check SuSE machines /etc/ssh/sshd_config file for entry "Protocol". Most probably it is set to something like 2,1, which means that first it tries version 2 of the protocol, and then ver. 1. Check /ect/ssh/ssh_config (note, not sshd_config) on the gateway for the same setting. There it may be set to 1,2, so it tries first to negotiate ver.1, and if fails, ver.2 Most probably this have to be the problem.

Unfortunately, this didn't help. Any more hints?

Thanks, Benjamin

I think I had a similar problem. If memory serves it was do to the reverse dns not resolving correctly.

That doesn't seem to be the problem. DNS lookup works in both directions. Hmm... Benjamin

Michael Siefritz

00:18

New subject: [SLE] SSH server login delayed

On Tuesday 22 February 2005 16:04, Benjamin Hornberger wrote:

...

At 06:53 PM 2/22/2005 -0500, Doug Currey wrote:

...
On Tue, 22 Feb 2005 17:59:29 -0500, Benjamin Hornberger wrote

...
At 03:11 PM 2/22/2005 -0600, Sunny wrote:

...
On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

I think I had a similar problem. If memory serves it was do to the reverse dns not resolving correctly.

That doesn't seem to be the problem. DNS lookup works in both directions. Hmm...

I still would try to set "UseDNS no" in /etc/ssh/sshd_config and reload sshd, just to make sure. Michael BTW: please trim your quotes.

Doug Currey

00:23

New subject: [SLE] SSH server login delayed

...

I still would try to set "UseDNS no" in /etc/ssh/sshd_config and reload sshd, just to make sure.

Michael

BTW: please trim your quotes.

Never noticed that UseDNS setting before.

Benjamin Hornberger

00:29

New subject: [SLE] SSH server login delayed

At 04:18 PM 2/22/2005 -0800, Michael Siefritz wrote:

...

On Tuesday 22 February 2005 16:04, Benjamin Hornberger wrote:

...
At 06:53 PM 2/22/2005 -0500, Doug Currey wrote:

...
On Tue, 22 Feb 2005 17:59:29 -0500, Benjamin Hornberger wrote

...
At 03:11 PM 2/22/2005 -0600, Sunny wrote:

...
On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

I think I had a similar problem. If memory serves it was do to the reverse dns not resolving correctly.

That doesn't seem to be the problem. DNS lookup works in both directions. Hmm...

I still would try to set "UseDNS no" in /etc/ssh/sshd_config and reload sshd, just to make sure.

Didn't help :-(. Benjamin

Michael Siefritz

01:35

New subject: [SLE] SSH server login delayed

On Tuesday 22 February 2005 16:29, Benjamin Hornberger wrote:

...

At 04:18 PM 2/22/2005 -0800, Michael Siefritz wrote:

...
On Tuesday 22 February 2005 16:04, Benjamin Hornberger wrote:

...
At 06:53 PM 2/22/2005 -0500, Doug Currey wrote:

...
On Tue, 22 Feb 2005 17:59:29 -0500, Benjamin Hornberger wrote

...
At 03:11 PM 2/22/2005 -0600, Sunny wrote:

...
On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger wrote:

I still would try to set "UseDNS no" in /etc/ssh/sshd_config and reload sshd, just to make sure.

Didn't help :-(.

Could you stop the regular sshd daemon and start it in debug mode (sshd -ddd)? Then connect and check at what step in the process the delay occurs. Michael

Benjamin Hornberger

01:50

New subject: [SLE] SSH server login delayed

At 05:35 PM 2/22/2005 -0800, Michael Siefritz wrote:

...

Could you stop the regular sshd daemon and start it in debug mode (sshd -ddd)? Then connect and check at what step in the process the delay occurs.

host:~ # /usr/sbin/sshd -ddd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 214 debug2: parse_server_config: config /etc/ssh/sshd_config len 214 debug1: sshd version OpenSSH_3.9p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-ddd' debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22.

...

...
...
here trying to connect debug3: fd 4 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 7 config len 214 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 here waiting 30 sec, then typing password and being logged in. After logging out, the sshd quits. host:~ #

Thanks for your efforts, Benjamin

Michael Siefritz

03:31

New subject: [SLE] SSH server login delayed

On Tuesday 22 February 2005 17:50, Benjamin Hornberger wrote:

...

At 05:35 PM 2/22/2005 -0800, Michael Siefritz wrote:

...
Could you stop the regular sshd daemon and start it in debug mode (sshd -ddd)? Then connect and check at what step in the process the delay occurs.

host:~ # /usr/sbin/sshd -ddd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 214 debug2: parse_server_config: config /etc/ssh/sshd_config len 214 debug1: sshd version OpenSSH_3.9p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-ddd' debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22.

...
...
...
here trying to connect debug3: fd 4 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 7 config len 214 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 here waiting 30 sec, then typing password and being logged in. After logging out, the sshd quits. host:~ #

This looks normal. Could you also post what gets written to /var/log/messages from shortly before the delay until after you are logged in? Thanks Michael

Benjamin Hornberger

05:04

New subject: [SLE] SSH server login delayed

At 07:31 PM 2/22/2005 -0800, Michael Siefritz wrote:

...

This looks normal. Could you also post what gets written to /var/log/messages from shortly before the delay until after you are logged in?

In the following, HOST, SSH.GATEWAY.IP, HOST.EXTERNAL.IP, SSH.GATEWAY.HOSTNAME and USER are placeholders for the real values. I see that this suggests the problem lying in the DNS lookup, as suggested by Doug Currey, but "host SSH.GATEWAY.HOSTNAME" and "host SSH.GATEWAY.IP" work without problems. Line 63 in /etc/hosts.allow, which is mentioned in the log below, reads ALL : localhost : ALLOW From /var/log/messages:

...

...
...
here trying to log in as USER Feb 22 23:46:15 HOST kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:50:8d:e1:24:b3:00:0e:39:cc:34:0a:08:00 SRC=SSH.GATEWAY.IP DST=HOST.EXTERNAL.IP LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17213 DF PROTO=TCP SPT=38936 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A6FE8DDFD0000000001030300) Feb 22 23:46:26 HOST kernel: SFW2-IN-ILL-TARGET IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:29:34:5d:b2:08:00 SRC=172.16.1.3 DST=172.16.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3975 PROTO=UDP SPT=5064 DPT=5065 LEN=24 Feb 22 23:46:35 HOST sshd: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(SSH.GATEWAY.HOSTNAME): Name or service not known Feb 22 23:46:45 HOST sshd[7752]: reverse mapping checking getaddrinfo for SSH.GATEWAY.HOSTNAME failed - POSSIBLE BREAKIN ATTEMPT! Feb 22 23:46:46 HOST kernel: SFW2-IN-ILL-TARGET IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:29:34:5d:b2:08:00 SRC=172.16.1.3 DST=172.16.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=6023 PROTO=UDP SPT=5064 DPT=5065 LEN=24 Feb 22 23:46:58 HOST sshd[7752]: Accepted keyboard-interactive/pam for USER from ::ffff:SSH.GATEWAY.IP port 38936 ssh2 Feb 22 23:46:58 HOST sshd[7753]: Accepted keyboard-interactive/pam for USER from ::ffff:SSH.GATEWAY.IP port 38936 ssh2

Thanks for your help, Benjamin

Michael Siefritz

06:22

New subject: [SLE] SSH server login delayed

On Tuesday 22 February 2005 21:04, Benjamin Hornberger wrote:

...

At 07:31 PM 2/22/2005 -0800, Michael Siefritz wrote:

...
This looks normal. Could you also post what gets written to /var/log/messages from shortly before the delay until after you are logged in?

In the following, HOST, SSH.GATEWAY.IP, HOST.EXTERNAL.IP, SSH.GATEWAY.HOSTNAME and USER are placeholders for the real values.

I see that this suggests the problem lying in the DNS lookup, as suggested by Doug Currey, but "host SSH.GATEWAY.HOSTNAME" and "host SSH.GATEWAY.IP" work without problems.

Line 63 in /etc/hosts.allow, which is mentioned in the log below, reads

ALL : localhost : ALLOW

From /var/log/messages:

...
...
...
here trying to log in as USER Feb 22 23:46:15 HOST kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:50:8d:e1:24:b3:00:0e:39:cc:34:0a:08:00 SRC=SSH.GATEWAY.IP DST=HOST.EXTERNAL.IP LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17213 DF PROTO=TCP SPT=38936 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A6FE8DDFD0000000001030300) Feb 22 23:46:26 HOST kernel: SFW2-IN-ILL-TARGET IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:29:34:5d:b2:08:00 SRC=172.16.1.3 DST=172.16.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3975 PROTO=UDP SPT=5064 DPT=5065 LEN=24 Feb 22 23:46:35 HOST sshd: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(SSH.GATEWAY.HOSTNAME): Name or service not known Feb 22 23:46:45 HOST sshd[7752]: reverse mapping checking getaddrinfo for SSH.GATEWAY.HOSTNAME failed - POSSIBLE BREAKIN ATTEMPT! Feb 22 23:46:46 HOST kernel: SFW2-IN-ILL-TARGET IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:29:34:5d:b2:08:00 SRC=172.16.1.3 DST=172.16.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=6023 PROTO=UDP SPT=5064 DPT=5065 LEN=24 Feb 22 23:46:58 HOST sshd[7752]: Accepted keyboard-interactive/pam for USER from ::ffff:SSH.GATEWAY.IP port 38936 ssh2 Feb 22 23:46:58 HOST sshd[7753]: Accepted keyboard-interactive/pam for USER from ::ffff:SSH.GATEWAY.IP port 38936 ssh2

I'm fresh out of ideas, unfortunately. A few things I would try / play with: - ping SSH.GATEWAY.HOSTNAME - ping localhost - grep hosts /etc/nsswitch.conf - comment out line 63 in /etc/hosts.allow or replace with "ALL : ALL : ALLOW" Hopefully something will give you an idea why the name lookup fails. Michael

Mark Crean

09:09

New subject: [SLE] SSH server login delayed

Benjamin Hornberger wrote:

...

[snip]

...

Line 63 in /etc/hosts.allow, which is mentioned in the log below, reads

ALL : localhost : ALLOW

[snip]

How about replacing localhost in that line with 127.0.0.1 Prolly best to make sure that "127.0.0.1 localhost" is in your /etc/hosts files as well, and not only the ::1 ipv6 stuff. :) Fish

Josephine

07:32

New subject: [SLE] SSH server login delayed

> At 03:11 PM 2/22/2005 -0600, Sunny wrote:
> >On Tue, 22 Feb 2005 16:03:02 -0500, Benjamin Hornberger  wrote:
> > > Hi all,
> > >
> > > I hope somebody can help me with the following problem -- sorry for the
> > > lengthy explanation.
> > >
> > > I have a machine running SUSE 9.2 Pro in a large research lab. It has a
> > > unique IP address, but is not directly accessible from the outside world
> > > through the lab's firewall. Instead, the lab offers SSH gateways (running
> > > Debian 3.1) to which you can log in from outside, and from there you can
> > > ssh to machines in the lab. This is as much as I know about the lab's
> > > network structure.
> > >
> > > My machine also serves as a gateway between a small private subnet and the
> > > research lab network.
> > >
> > > Now I have the problem that if I want to log onto my machine from the lab's
> > > SSH gateway, it takes 30 seconds for the SSH server to respond and prompt
> > > for the password, which is quite annoying. If I log on from the private
> > > subnet, I get the password prompt immediately. If I log on from inside the
> > > lab's network, I get the immediate response as well. If I ping my machine
> > > from the SSH gateway, I get an immediate response. If I try to log onto a
> > > different Linux machine inside the lab's network from the SSH gateway
> > > (Redhat 7.3), I get an immediate response. So it looks like it's something
> > > between my machine's SSH server and the SSH gateway's SSH client.
> > >
> > > The problem is independent of the machine's firewall settings (the same
> > > with the SUSE firewall on or off).
> > >
> > > One hint might be that: If I log onto any other Linux machine from my
> > > Windows laptop (SSH Secure Shell 3.2.9), I get a popup window with a prompt
> > > saying "Enter Password". I type my password, and I'm there. For that SUSE
> > > machine though, I get a popup saying "Enter your authentication response"
> > > and a password field. I enter the password, and then another window pops up
> > > again saying "Enter your authentication response", and OK and cancel
> > > buttons. I first have to click OK, then I'm logged on. So maybe the server
> > > expects a different authentication mechanism and falls back to password
> > > after a while? But why does the login go quickly then from any machine
> > > other than the SSH gateway?
> > >
> > > Any help is greatly appreciated! Thanks,
> > >
> > > Benjamin
> > >
> > > --
> > > Check the headers for your unsubscription address
> > > For additional commands send e-mail to suse-linux-e-help@suse.com
> > > Also check the archives at http://lists.suse.com
> > > Please read the FAQs: suse-linux-e-faq@suse.com
> > >
> > >
> >
1. enter in your /etc/hosts file from the ssh server the ip and hostname
of the machine you try to connect from (it is a dns lookup issue)
2. enter in etc/ssh/sshd_config at VerifyReverseMapping, no.

Josephine

Benjamin Hornberger

14:08

New subject: [SLE] SSH server login delayed [SOLVED]

At 08:32 AM 2/23/2005 +0100, Josephine wrote:
> > >
>1. enter in your /etc/hosts file from the ssh server the ip and hostname
>of the machine you try to connect from (it is a dns lookup issue)

That helped. Thanks so much to all of you for your efforts!

Benjamin

Benjamin Hornberger

20:20

New subject: [SLE] SSH server login delayed [SOLVED]

At 09:08 AM 2/23/2005 -0500, Benjamin Hornberger wrote:
>At 08:32 AM 2/23/2005 +0100, Josephine wrote:
>> > >
>>1. enter in your /etc/hosts file from the ssh server the ip and hostname
>>of the machine you try to connect from (it is a dns lookup issue)
>
>That helped. Thanks so much to all of you for your efforts!

Even though the problem is basically solved, I would like to ask another 
question: entering the gateway into the SSH server's /etc/hosts solved the 
problem. However, the SSH server also runs a name server (for a small 
private subnet), and entering the gateway into the name server database 
didn't help. Any hints on that? I thought if I run a name server, all I 
need in /etc/hosts is the localhost entry.

Thanks,
Benjamin

Danny Sauer

24 Feb 24 Feb

14:29

New subject: [SLE] SSH server login delayed [SOLVED]

On Wednesday 23 February 2005 02:20 pm, Benjamin Hornberger wrote:

...

At 09:08 AM 2/23/2005 -0500, Benjamin Hornberger wrote:

...
At 08:32 AM 2/23/2005 +0100, Josephine wrote:

...
1. enter in your /etc/hosts file from the ssh server the ip and hostname of the machine you try to connect from (it is a dns lookup issue)

That helped. Thanks so much to all of you for your efforts!

Even though the problem is basically solved, I would like to ask another question: entering the gateway into the SSH server's /etc/hosts solved the problem. However, the SSH server also runs a name server (for a small private subnet), and entering the gateway into the name server database didn't help. Any hints on that? I thought if I run a name server, all I need in /etc/hosts is the localhost entry.

Do you have the gateway set to ask itself for DNS resolution? In /etc/resolv.conf, you need a "nameserver 1.2.3.4" or "nameserver 127.0.0.1" entry (where 1.2.3.4 is the local machine's IP) to know what name server to look at. You also need "hosts: files dns" in /etc/nsswitch.conf for libc to look at dns servers specified in resolv.conf. --Danny, ccing Benjamin since there have been problems with other messages getting to the list recently :(

7007

Age (days ago)

7009

Last active (days ago)

List overview

Download

18 comments

7 participants

participants (7)

Benjamin Hornberger
Danny Sauer
Doug Currey
Josephine
Mark Crean
Michael Siefritz
Sunny