# Sshd login has massive pause between username and password

## dietcokefiend

Recently my gentoo machine (g3 ppc) has been having an odd thing happen. When you go to log into the server remotely through ssh, it connects fast, loads up "enter your username", then after you type that in, pauses for like 15 seconds. After the pause, it goes to the password entry part, and logs in normally. Nothing is bogging once you are in, and it is only that first thing that is having issues. This problem only started recently, and I can't quite figure out what happened.

I am running a standard config of ssh, with sshdfilter controlling it for anti-spam protection. 

Here is the current sshd config file

 *Quote:*   

> #	$OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
> 
> # This is the sshd server system-wide configuration file.  See
> 
> # sshd_config(5) for more information.
> ...

 

Here is the current sshdfilter file

 *Quote:*   

> # sshdfilter config, V1.4
> 
> # Config parser is simple, so don't try anything fancy.
> 
> # Min time (seconds) the block list is checked to remove stale entries from 
> ...

 

Any ideas what is causing this insane pause? Once you are logged in everything goes incredibly fast, so it's not like it's tasking the server or anything.

----------

## dietcokefiend

Also, just noticed this thing... 

Typed "iptables -L -v" and it just hangs after first line for like 30 seconds. My friend thinks it might be something with DNS lookup, and no idea what is causing this.

----------

## aetius

sshd does a DNS lookup on every host that attempts to connect, looking for oddities.  If the reverse lookup doesn't match the forward lookup, sshd will print a warning to the logs.  If the server's name resolution is misconfigured, this can take quite a bit of time (for example, if the first DNS server in your /etc/resolv.conf isn't reachable).  See the "-u" option in the sshd manpage, and note that some forms of login restrictions on sshd will force DNS lookups anyway.

----------

## PaulBredbury

For fast DNS, use bind, rather than relying on your ISP's overloaded servers.

----------

## GetCool

 *PaulBredbury wrote:*   

> For fast DNS, use bind, rather than relying on your ISP's overloaded servers.

 

Paul, while I appreciate the guide you posted on configuring bind (I have used it in the past to get the service running properly on one of my machines), I think you tend to recommend this too often.  Many users do not need to run this service, and the original poster's problem may not be related to an ISP's name servers.

I'd recommend first trying various name servers (there are public servers available to the internet; search the forums for "slow dns" for some IPs to try, and other good info on slow DNS issues) to first determine if DNS is indeed the nature of this problem.

----------

## PaulBredbury

 *GetCool wrote:*   

> and the original poster's problem may not be related to an ISP's name servers.

 

Maybe not, but it sure sounds like it is, since "iptables -L -v" involves DNS lookups.

I recommend bind because it works solidly. The average PC today has no problem at all in running bind, and bind is the best solution to DNS. Bad DNS can cripple Internet interactivity. DNS should be cached, but should be cached properly - bind does that.

----------

## dietcokefiend

 *PaulBredbury wrote:*   

>  *GetCool wrote:*   and the original poster's problem may not be related to an ISP's name servers. 
> 
> Maybe not, but it sure sounds like it is, since "iptables -L -v" involves DNS lookups.
> 
> I recommend bind because it works solidly. The average PC today has no problem at all in running bind, and bind is the best solution to DNS. Bad DNS can cripple Internet interactivity. DNS should be cached, but should be cached properly - bind does that.

 

I got it working switching around the dns servers with some key ones in the US instead of the roadrunner ones.

I would like the idea of bind, but it looks pretty involved to get it setup. Is there any method just to emerge it and make it "work"?

EDIT: Damn. It appears that if I set the DNS servers to ones that are not RR, logging into ssh is fine, but I can't resolve common webpages anymore. If I switch back to the road runner ones, webpages load, but ssh lags  :Sad: 

----------

## PaulBredbury

 *dietcokefiend wrote:*   

> Is there any method just to emerge it and make it "work"?

 

This is Gentoo, we do configurations by hand here  :Wink: 

emerge bind and check its config files. After that, it "just works".

----------

## think4urs11

`UseDNS no` in /etc/ssh/sshd_config should fix the login lagging in this case.

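Added example (not code from any poster in this thread): a small POSIX shell script that ties together aetius's point about sshd's reverse lookup and Think4UrS11's `UseDNS no` fix. It reports the *effective* `UseDNS` value the way sshd reads the file (first uncommented occurrence wins, keyword is case-insensitive, `Keyword=value` is accepted, and the global section ends at the first `Match`), lists the nameservers in resolv.conf in the order the resolver will try them, and can time the same reverse lookup sshd performs on a connecting address. The paths and the sample config are assumptions made for the demo. Two caveats a practitioner would check before concluding the directive "didn't make a difference": sshd must be restarted after the edit (`sshd -t` validates the file first), and `UseDNS no` only suppresses sshd's own lookup, not ones forced by hostname patterns in `from=` options in authorized_keys, in AllowUsers/DenyUsers, or in tcp_wrappers hosts.allow (the "some forms of login restrictions" aetius mentioned; `sshd -u0` has the same limit). On OpenSSH 6.8 and later the default is already `no`.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. Verifies whether
# an sshd_config really turns off sshd's reverse-DNS lookup and shows which
# resolvers that lookup would go through. Paths and the sample config are
# assumptions/constructed for the demo.

# Print the effective value of one sshd_config keyword.
# sshd takes the FIRST uncommented occurrence, matches keywords
# case-insensitively, accepts "Keyword value" or "Keyword=value", and
# UseDNS is only valid in the global section, so scanning stops at "Match".
# $1 = path to sshd_config   $2 = keyword   $3 = value to report if absent
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -F '[ \t=]+' -v key="$key" -v def="$3" '
        { sub(/^[ \t]+/, "") }                # drop leading indentation
        /^(#|$)/ { next }                     # comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                 # end of the global section
        k == key { v = $2; found = 1; exit }  # first occurrence wins
        END { print (found ? v : def) }
    ' "$1"
}

# Print the nameservers a lookup will query, in the order the resolver
# tries them: an unreachable first entry is what costs whole seconds.
# $1 = path to resolv.conf
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Time the lookup sshd performs on a connecting address (reverse lookup via
# the system resolver, so /etc/resolv.conf applies). Needs network access,
# so the self-check below does not call it.   $1 = client IP address
time_reverse_lookup() {
    start=$(date +%s)
    getent hosts "$1" >/dev/null 2>&1
    rc=$?
    printf 'reverse lookup of %s: exit %s, %ss\n' \
        "$1" "$rc" "$(( $(date +%s) - start ))"
}

# Self-check on a constructed sshd_config: the commented "#UseDNS no" must
# not count, the indented "usedns = no" must, and nothing after "Match"
# is consulted.
demo() {
    cfg=$(mktemp) || exit 1
    cat > "$cfg" <<'EOF'
# constructed sample, modelled on a 2005-era default sshd_config
Port 22
#UseDNS no
   usedns = no
Match User guest
EOF
    printf 'effective UseDNS: %s\n' "$(sshd_effective "$cfg" UseDNS yes)"  # no
    rm -f "$cfg"
}
demo
```

To check a live box, run `sshd_effective /etc/ssh/sshd_config UseDNS yes`, `resolv_nameservers /etc/resolv.conf`, and `time_reverse_lookup <client ip>`; if the lookup takes as long as the login pause, the resolver list, not sshd, is the thing to fix (and `iptables -L -v -n` avoids the same lookups when listing rules).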
----------

## dietcokefiend

 *Think4UrS11 wrote:*   

> `UseDNS no` in /etc/ssh/sshd_config should fix the login lagging in this case.

 

Tried that before and it didn't seem to make a difference.

----------

## BlinkEye

 *dietcokefiend wrote:*   

> Also, just noticed this thing... 
> 
> Typed "iptables -L -v" and it just hangs after first line for like 30 seconds. My friend thinks it might be something with DNS lookup, and no idea what is causing this.

 

iptables tries to resolve domain names. Use 

```
iptables -Lvn
```

instead.

----------

## dietcokefiend

Changed my key nameserver to 4.2.2.2 and all is well now  :Smile: 

----------

