Slow response to SSH from within network?

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Wed Jul 27 13:32:12 UTC 2005


On Tue, Jul 26, 2005 at 10:47:24PM -0400, Henry Spencer wrote:
> There are two possible reasons for this.  They both fall under the same
> general heading:  some network service isn't responding as expected, and
> you have to wait for a timeout.
> 
> One possibility, as has already been mentioned, is that it's waiting for a
> name lookup.  My experience has generally been that that causes longer
> timeouts, though. 

How long does it take for you to run 'host nonexistingdomain.foo'?  As
long as you have a working DNS server, it should not take that long to
time out.

> The other is that sshd (the daemon on the receiving end) is calling back
> to the sending end, to the "ident" service, asking to be told who's
> calling it, so it can log the information... but the ident service is
> being blocked by a firewall somewhere, probably on the sending end.
> (That's common enough that the no-response-at-all timeout on ident calls
> is generally set fairly short.)

Hmm, yes, an ident lookup makes sense too.  I forgot about ident.

> I don't remember whether there's any way to tell sshd not to make the
> ident call.  The alternatives are to run identd and let it through the
> firewall, or adjust the firewall so that it sends an ICMP rejection back
> when it drops an ident packet (so sshd knows right away that it's not
> going to get the information it's after). 

There seem to be options to tell sshd just about anything.  The man page
seems to cover most if not all of them (man sshd_config).

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
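Added example, not part of the thread: a small Python probe that reproduces, from the receiving side, the two waits Henry describes. It tries the sending host's ident port (113) and reports whether something answered, whether the connection was rejected at once (RST or ICMP, so the caller gives up immediately), or whether it was silently dropped until the timeout, and it times a reverse lookup of the same address. The client address and timeout are placeholders.

```python
import socket
import sys
import time

IDENT_PORT = 113  # the "ident" service the receiving end calls back to


def probe_tcp(host, port, timeout=3.0):
    """Connect to host:port and classify the outcome.

    Returns (verdict, seconds):
      "open"    - a listener answered (an identd is running there)
      "refused" - RST or ICMP rejection came straight back, so the caller
                  learns at once that it will get no answer
      "dropped" - nothing came back before the timeout: a firewall is
                  silently discarding the packets, which is what stalls sshd
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "open"
    except socket.timeout:
        verdict = "dropped"
    except OSError:
        # ECONNREFUSED, EHOSTUNREACH, ENETUNREACH: all immediate rejections
        verdict = "refused"
    finally:
        s.close()
    return verdict, time.monotonic() - start


def time_reverse_lookup(addr):
    """Reverse-resolve addr the way a logging daemon would; returns (name, seconds)."""
    start = time.monotonic()
    try:
        name = socket.gethostbyaddr(addr)[0]
    except OSError:
        name = None  # NXDOMAIN or an unreachable resolver; the delay is the point
    return name, time.monotonic() - start


if __name__ == "__main__":
    # Placeholder: the address of the host whose logins are slow
    client = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    verdict, secs = probe_tcp(client, IDENT_PORT)
    print("ident port %d on %s: %s after %.2fs" % (IDENT_PORT, client, verdict, secs))
    name, secs = time_reverse_lookup(client)
    print("reverse lookup of %s: %s after %.2fs" % (client, name, secs))
```

A "dropped" verdict close to the timeout, or a reverse lookup that takes seconds, points at the firewall or the resolver respectively; on OpenSSH the reverse-lookup side is the `UseDNS` option in sshd_config.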