# ssh is slow? How to speedup?

## RobinVossen

Hello, you all helped me a lot already. This is really a great community and I'd wish I could help you guys as well.

But ok, enough of the butt kissing, now let's get down to business..

My SSH is terribly slow and I have no idea why.

Only the connecting is the problem, it takes like 2~3 minutes.. And well, the boxes are 0.5 millisec away from each other

I tried different ciphers and well, I just can't find a way to really speed things up.

I have the USE flags pam and tcpd, and I'd like to know what the flags X, chroot and skey do. But that's not my current question.

I'd just really like to know how to speed it up. Or WHY it is that slow..

Ping to the box takes: 0.070/0.075/0.100/0.015 ms so as you see that's low..

The box (ssh server) has 501 MB RAM free and has minimal tasks running:

htop gives me:

```
init [3]
/usr/sbin/sshd
vzctl: pts/0
-bash
htop
```

So, well what can be the problem?

How to fix?

Cheers,

Robin

----------

## JeliJami

Try to find out where the ssh connection stalls; use the -v option:

```
# man ssh
..
     -v      Verbose mode.  Causes ssh to print debugging messages about its
             progress.  This is helpful in debugging connection, authentica-
             tion, and configuration problems.  Multiple -v options increase
             the verbosity.  The maximum is 3.
..
```

Some possibilities:

Disable DNS lookup on the ssh server

```
# cat /etc/ssh/sshd_config
..
UseDNS no
..
```

If you don't use ldap, make sure GSS is disabled, in both server config and client config:

```
# cat /etc/ssh/ssh(d)_config
..
GSSAPIAuthentication no
..
```

Maybe you can disable PAM altogether?

```
# cat /etc/ssh/sshd_config
..
UsePAM no
..
```
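
An added example, not part of the post above and not an OpenSSH tool: a small shell check that reports what a server's `sshd_config` actually sets for the three directives listed, taking into account that sshd uses the first value it reads, that keywords are case-insensitive, and that a commented-out line sets nothing. The function names and the sample file are constructed for illustration; it covers the server file only.

```shell
#!/bin/sh
# Added example: report the global value of the three sshd_config directives
# the post suggests reviewing when logins stall.

# Print the first global value of keyword $2 in file $1 (nothing if unset).
sshd_setting() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        tolower($1) == "match" { exit }       # Match blocks are conditional
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)         # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# One line per directive; returns 1 if any of them is not explicitly "no".
login_delay_report() {
    r_rc=0
    for r_key in UseDNS GSSAPIAuthentication UsePAM; do
        r_val=$(sshd_setting "$1" "$r_key")
        case $(printf '%s' "$r_val" | tr 'A-Z' 'a-z') in
            no) echo "$r_key: no" ;;
            '') echo "$r_key: unset, compiled-in default applies"; r_rc=1 ;;
            *)  echo "$r_key: $r_val"; r_rc=1 ;;
        esac
    done
    return "$r_rc"
}

# Constructed sample file (not a config from the thread).
write_sample_config() {
    s_file=$(mktemp)
    cat > "$s_file" <<'EOF'
Protocol 2
#GSSAPIAuthentication no
usepam yes
UseDNS no
UseDNS yes
Match User anoncvs
    GSSAPIAuthentication no
EOF
    echo "$s_file"
}

# Usage: sh thisfile.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    login_delay_report "$1"
fi
```

On a live server, `sshd -T` prints the effective configuration including compiled-in defaults, which settles the "unset" cases.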

----------

## RobinVossen

Thanks for the -v flag, I found that it only hangs at

```
SSH2_MSG_SERVICE_ACCEPT received
```

for quite a while..

I can disable indeed since I don't use that..

I did disable all :)

But still I get that. I'll look into that.

Thanks a lot ALREADY.

Cheers,

Robin

----------

## JeliJami

 *RobinVossen wrote:*   

> Thanks for the -v Flag I found that it only hangs at
> 
> ```
> SSH2_MSG_SERVICE_ACCEPT received
> ```
> ...

 

Do you mean it takes a long time to print that message or do you mean after that message, it takes a long time to get to the following message?

In the latter case, what is the next message in the -v output?

----------

## RobinVossen

I see that msg as the last msg.

The next msg is:

 - Authentications that can continue: publickey,password,keyboard-interactive

after that I get that he picks publickey and that he logs in fine :)

Cheers,

Robin

----------

## think4urs11

 *RobinVossen wrote:*   

> My SSH is terribly slow and I have no idea why.
> 
> Only the connecting is the problem it takes like 2~3 minutes..

 

reverse dns issue (or the box is *really* old+slow)

see e.g. https://forums.gentoo.org/viewtopic-p-3187949.html#3187949

----------

## RobinVossen

Well, I did check it out now.

First SSH just DIED when I rebooted.

Now I updated both and well, the config files are still fine but he wants to have a password that I don't know..

So, I HOPE that DNS thing works but I ain't sure.

And the box is not really that old..

Cheers,

Robin

Edit/Add:

The server's /etc/ssh/sshd_config file has the following lines:

```
Protocol 2
PremitRootLogin no
MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeyFile   .ssh/authorized_keys
PasswordAuthentication no
UsePAM no
UseDNS no
Subsystem sftp /usr/lib/misc/sftp-server
X11Forwarding no
```

The client's /etc/ssh/ssh_config file has the following lines:

```
RSAAuthentication yes
IdentityFile ~/.ssh/id_dsa
```

The client's ~/.ssh/id_dsa.pub file is like this:

```
ssh-dss AAAAB3<way more>lnCjg= _sxb@1
```

The server's ~/.ssh/authorized_keys file is like this:

```
ssh-dss AAAAB3<way more>lnCjg= _sxb@1
```

----------

## JeliJami

 *Think4UrS11 wrote:*   

> 
> 
> reverse dns issue (or the box is *really* old+slow)
> 
> see e.g. https://forums.gentoo.org/viewtopic-p-3187949.html#3187949

 

should be solved with

```
UseDNS no 
```

or am I missing something?

----------

## RobinVossen

Well, it might be that that should solve the reverse DNS problem.

But well, I can't connect now whatsoever..

The Authen Keys is ignored now for some reason.. :S

----------

## RobinVossen

Well, after looking in my files, I tried TONS of things.

They are the newest versions right now. So it's not an old bug or something.

Everything is updated and well, it still doesn't bloody work..

I think this info is the important info for you all to be able to get it back up.. ^^

The server's /etc/ssh/sshd_config file has the following lines:

```
Protocol 2
PremitRootLogin no
MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeyFile   .ssh/authorized_keys
PasswordAuthentication no
UsePAM no
UseDNS no
Subsystem sftp /usr/lib/misc/sftp-server
X11Forwarding no
```

The client's /etc/ssh/ssh_config file has the following lines:

```
RSAAuthentication yes
IdentityFile ~/.ssh/id_dsa
```

The client's ~/.ssh/id_dsa.pub file is like this:

```
ssh-dss AAAAB3<way more>lnCjg= john@localhost
```

The server's ~/.ssh/authorized_keys file is like this:

```
ssh-dss AAAAB3<way more>lnCjg= john@localhost
```

Those are EXACT copies.. I did copy them with cp

Cheers,

Robin

----------

## m.b.j.

Try to strace the client and/or the server. If a system call hangs too long you will see it.

----------

## RobinVossen

I can ping and stuff.

So, they can see each other.

But well, their communication is kinda wrong...

It's like one is a German guy and one a French guy... (or Chinese and Dutch or whatever)

anyhow.

The config files:

sshd on the server:

```
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication yes
# similar for protocol version 2
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#I chaned the above from yes to no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding yes
# AllowTcpForwarding no
# ForceCommand cvs server
```

and well

The error when connecting is:

```
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.1' is known and matches the RSA host key.
debug1: Found key in /home/john/.ssh/known_hosts:1
debug2: bits set: 516/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/john/.ssh/id_dsa.pub (0x809bb68)
debug1: Authentications that can continue: publickey,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /home/john/.ssh/id_dsa.pub
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 434
debug2: input_userauth_pk_ok: fp 8d:7a:a8:c9:a5:25:e8:e6:0c:7b:a5:b9:43:da:23:49
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/john/.ssh/id_dsa.pub':
```

But I pressed "Enter" at that part so I tried that there and then I get Access Denied..!

----------

## JeliJami

 *RobinVossen wrote:*   

> ...

 

That should say

```
...
debug1: Offering public key: /home/john/.ssh/id_dsa
...
```

You should offer the private part of your key!

I think you have things mixed up with SSH keys. But you're not the first, and you won't be the last ;)

Put your public key part on the server in /home/john/.ssh/authorized_keys; and connect with your private key part on the client:

```
ssh -i /home/john/.ssh/id_dsa serverip
```

----------

## RobinVossen

THANKS!!

Though it didn't help me a bit.. But I think I do something wrong now ;)

I get:

```
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client blowfish-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server blowfish-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 537/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.1' is known and matches the RSA host key.
debug1: Found key in /home/john/.ssh/known_hosts:1
debug2: bits set: 526/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/john/.ssh/id_dsa (0x809bb88)
debug2: key: /home/john/.ssh/id_dsa.pub (0x809bb70)
debug1: Authentications that can continue: publickey,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /home/john/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,hostbased
debug1: Offering public key: /home/john/.ssh/id_dsa.pub
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,hostbased
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,hostbased).
```

I connect using:

```
john@localhost / $ ssh -2 -c blowfish -X -i /home/john/.ssh/id_dsa  -vv _sxb@192.168.1.1
```

----------

## JeliJami

what are the file permissions on the server?

```
$ ls -ld /home/_sxb/.ssh/
$ ls -l /home/_sxb/.ssh/
```

----------

## RobinVossen

Well the map is the EXACT same map as on the server.. (Synced)

And the owners are right (both the real using since they have the same UID (ain't that smart ;) )

```
appserv / # ls -ld /home/_sxb/.ssh && ls -l /home/_sxb/.ssh/
drwxr-xr-x 2 _sxb _sxb 4096 Dec 17 15:30 /home/_sxb/.ssh
total 16
-rw-r--r-- 1 _sxb _sxb 604 Dec 17 15:27 authorized_hosts
-rw------- 1 _sxb _sxb 668 Dec 17 15:27 id_dsa
-rw-r--r-- 1 _sxb _sxb 604 Dec 17 15:27 id_dsa.pub
-rw-r--r-- 1 _sxb _sxb 393 Dec 17 15:30 known_hosts
```

I hope this is useful ^^

----------

## JeliJami

on the client side, you should have

```
$ ls -ld /home/_sxb/.ssh
drwx------ 3 _sxb _sxb 4096 Dec 17 15:30 /home/_sxb/.ssh
```

and on the server side, you should have

```
$ ls -ld /home/_sxb/.ssh
drwx------ 3 _sxb _sxb 4096 Dec 17 15:30 /home/_sxb/.ssh
$ ls -l /home/_sxb/.ssh
-rw-r--r-- 1 _sxb _sxb 604 Dec 17 15:27 authorized_keys
..
```

To summarize:

- make the .ssh directories user-only accessible

- change authorized_hosts to authorized_keys
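
An added example, not part of the post above: a shell audit of a `.ssh` directory for the two points in the summary, plus the private-key permission rule behind the "UNPROTECTED PRIVATE KEY FILE" warning the client prints. The function names are made up for illustration, the sample layout is constructed from the server listing earlier in the thread, and `stat -c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: audit a ~/.ssh directory. Prints one finding per line and
# returns 1 if anything needs fixing, 0 if the layout is clean.
audit_ssh_dir() {
    a_dir=$1
    a_bad=0
    if [ ! -d "$a_dir" ]; then
        echo "MISSING $a_dir"
        return 1
    fi
    # Mode recommended in the post above: accessible to the owner only.
    a_mode=$(stat -c '%a' "$a_dir")
    if [ "$a_mode" != "700" ]; then
        echo "MODE $a_dir is $a_mode, expected 700"
        a_bad=1
    fi
    # sshd reads authorized_keys; a file called authorized_hosts is never used.
    if [ ! -f "$a_dir/authorized_keys" ]; then
        echo "MISSING $a_dir/authorized_keys"
        a_bad=1
        if [ -f "$a_dir/authorized_hosts" ]; then
            echo "NAME $a_dir/authorized_hosts should be renamed to authorized_keys"
        fi
    fi
    # Treat FILE as a private key when FILE.pub sits next to it. The client
    # ignores a private key if group or others have any permission on it.
    for a_pub in "$a_dir"/*.pub; do
        a_priv=${a_pub%.pub}
        [ -f "$a_priv" ] || continue
        a_mode=$(stat -c '%a' "$a_priv")
        case $a_mode in
            *00) ;;
            *) echo "MODE $a_priv is $a_mode, expected 600"; a_bad=1 ;;
        esac
    done
    return "$a_bad"
}

# Constructed sample: same names and modes as the server listing in the thread.
make_thread_layout() {
    m_dir=$(mktemp -d)/.ssh
    mkdir "$m_dir"
    chmod 755 "$m_dir"
    : > "$m_dir/authorized_hosts"; chmod 644 "$m_dir/authorized_hosts"
    : > "$m_dir/id_dsa";           chmod 600 "$m_dir/id_dsa"
    : > "$m_dir/id_dsa.pub";       chmod 644 "$m_dir/id_dsa.pub"
    echo "$m_dir"
}

# The two fixes from the summary above.
fix_thread_layout() {
    chmod 700 "$1"
    mv "$1/authorized_hosts" "$1/authorized_keys"
}

# Usage: sh thisfile.sh /home/_sxb/.ssh
if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```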

----------

## RobinVossen

Dude!, THANKS! (You really take time and have patience for me.. You are really great ;) )

Well I did what you said..

Now I get:

```
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/john/.ssh/id_dsa.pub (0x809bb68)
debug1: Authentications that can continue: publickey,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /home/john/.ssh/id_dsa.pub
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 6d:49:bf:26:83:34:a5:15:1d:9d:f6:02:17:c4:dd:35
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/john/.ssh/id_dsa.pub' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/john/.ssh/id_dsa.pub
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,hostbased).
```

So, I thought I'd change the /home/john/.ssh/id_dsa.pub file's rights to 600 and guess what I get:

```
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/john/.ssh/id_dsa.pub (0x809bb68)
debug1: Authentications that can continue: publickey,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /home/john/.ssh/id_dsa.pub
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 6d:49:bf:26:83:34:a5:15:1d:9d:f6:02:17:c4:dd:35
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/john/.ssh/id_dsa.pub':
debug2: no passphrase given, try next key
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,hostbased).
```

I really think I do something really Stupid wrong..

I try to connect using this line:

```
john@localhost / $ ssh -2 -c blowfish -X -vv _sxb@192.168.1.1
```

ps. I am SO happy I can copy paste now finally! ;)

----------

## JeliJami

 *RobinVossen wrote:*   

> Dude!, THANKS! (You really take time and have patience for me.. You are really great )

 

thanks :)

 *Quote:*   

> 
> 
> Well I did what you said..
> 
> Now I get:
> ...

 

You are still using the public part of the key, instead of the private part!

 *Quote:*   

> 
> 
> I really think I do something really Stupid wrong..
> 
> I try to connect using this line:
> ...

 

try to specify the private part explicitly:

```
john@localhost/ $ ssh -2 -c blowfish -X -i /home/john/.ssh/id_dsa
```

----------

## tarpman

JeliJami, what?  Why would you send out the private part of your key?  That's the whole point of having public and private parts - the public part you give out, the private part you keep to yourself.  Offering id_dsa.pub is the correct behaviour.

----------

## RobinVossen

Eureka!

```
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 45:05:f7:5f:75:d5:5f:6a:8f:4e:12:b0:33:cf:2d:58
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
Last login: Wed Dec 12 19:38:52 2007 from 192.168.1.11
-bash: /dev/null: Permission denied
-bash: /dev/null: Permission denied
_sxb@1 ~ $
```

I logged in Fine =D

Me is Happy ^^

Anyhow, is there a way to apply that in the sshdConfig? Since I don't really feel like changing ALL the links ^^

Cheers,

Me is Happy ^^ (Me know bad English (it is I am Happy and I know it's bad English ;) ))

----------

## JeliJami

 *tarpman wrote:*   

> JeliJami, what?  Why would you send out the private part of your key?  That's the whole point of having public and private parts - the public part you give out, the private part you keep to yourself.  Offering id_dsa.pub is the correct behaviour.

 

That command does not send out your private part of your key:

```
man ssh
..
     -i identity_file
             Selects a file from which the identity (private key) for RSA or
             DSA authentication is read.  The default is ~/.ssh/identity for
             protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro-
             tocol version 2.  Identity files may also be specified on a per-
             host basis in the configuration file.  It is possible to have
             multiple -i options (and multiple identities specified in config-
             uration files).
```

The ssh client needs the private part (which stays on the client) to validate the passphrase, if present. Of course, the public part (same filename with .pub extension) will be used to negotiate the SSH session, and should be available on the server.

----------

## RobinVossen

JeliJami, can I repay you in ANY way? ^^

Everything works fine now :)

(ps. If I want to add another Client that can connect to the Box. I should add the key in Authorized_keys right? (On the bottom?))

----------

## JeliJami

 *RobinVossen wrote:*   

> JeliJami, can I repay you in ANY way? ^^
> 
> Everything works fine now 
> 
> (ps. If I want to add another Client that can connect to the Box. I should add the key in Authorized_keys right? (On the bottom?))

 

Yes, append the public part to authorized_keys on the server. That way someone else with a different key can log in as the same user (_sxb).

----------

