New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Help with slow SSH connection after authentication
I have a few VPSes where SSH'ing into them can take a minute or so before I get a prompt. I connected with ssh -vvv
and it hangs after authentication succeeds, so it's none of the usual stuff (UseDNS no
, disabling GSSAPI, etc).
In the logs, I see this:
debug1: Authentication succeeded (publickey).
Authenticated to xxxx.example.com ([2a01:.......]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug3: This windows OS supports conpty
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug3: Successfully set console output code page from:65001 to 65001
debug3: Successfully set console input code page from:437 to 65001
then it hangs for a while, then it continues like normal:
debug3: send packet: type 80
debug3: send packet: type 80
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/daniel/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/daniel/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
and connects instantly after that.
The actual session is fine, but I can't figure out what's happening during the hang when initially connecting.
Any ideas?
Comments
Assuming you're using bash, have you tried to connect using a different shell (
ssh -t user@host /bin/sh
) instead?Same issue, unfortunately. Even with
/bin/false
it's slow:Have you tried to ssh into a fresh/new (test) account?
Just to rule out if it has anything to do with your current user's shell-related scripts.
It's a newly-provisioned OpenVZ VPS with no customizations made other than adding my SSH keys and disabling password authentication.
Are you running ssh.socket? Check
systemctl -a | grep ssh
. That sometimes causes headaches.Also do a
strace
on your sshd server before starting an ssh connectOn a separate console, do ssh again and check the trace
I'm using
ssh.service
notssh.socket
.I just tried strace but unfortunately SSH seems to fork to the child process before the hang, so there's nothing useful in the trace
Edit: I started an strace on the child process while it was hung, but there was no output until after the hang. I'm not sure how to attach to it with strace as soon as it's spawned to get the initial output.
Edit 2: Through strace, I noticed it writing something that looks like a log immediately after the hang:
I checked the systemd journal and this is the full message:
Now to figure out what connection is timing out...
strace -ff -p <pid>
-ff
follows forks and shows child output separatelyAlso try
ltrace -f -p <pid>
. ltrace traces library calls. Again-f
is to follow forks@rincewind Perfect, thank you!! Looks like it's hanging on a DBUS call. It opens a socket connection to
/run/dbus/system_bus_socket
and writes data to it, then seems to fail with an error:immediately before the hang. This error in the systemd journal
is immediately after the hang.
I just uninstalled DBUS (nothing else on this system depends on DBUS) and libpam-systemd which seemed to fix the hang, and logging in still works fine. ¯\_(ツ)_/¯
I guess I should figure out the actual fix in case I ever need DBUS on this server, but this will do for now. Thanks for your help!!
Unfortunately there was way too much output from
ltrace
due to all the string manipulation performed by the crypto algorithms.Cool! BTW, both strace and ltrace have options to filter on regex expressions.
ltrace
may be the way if you want to dig deeper, but its output is really hairy.Give up openvz, it ain't worth the hassles.
Firewalld would break regularly for openvz and dbus was often involved. It just exists to break shit and force shitty kludges to be implemented.
Not having full kernel module permissions is a fucking nightmare and should be taken out back and shot.
tl;dr my money is on openvz module permission shit.
@TimboJones I'd love to not use OpenVZ, but a bunch of the VPSes I use on dnstools.ws are NAT VPSes, and most of those use OpenVZ.