mathjax + gtag

Monday, October 24, 2016

Why is ssh slow to connect?

Introduction

There are several reasons why ssh may be getting slow to connect. I'll cover here the ones that happened to me.


On the server side

  1. Make sure you have a line "UseDNS no" uncommented.
  2. Make sure you have "good" (i.e., reachable) DNS servers in /etc/resolv.conf.
  3. Make sure you have no reverse DNS lines in /etc/hosts.deny.
The server side configuration is typically in the file /etc/ssh/sshd_config. Every time you make a change to this file, remember to restart the ssh daemon ("# systemctl restart sshd").

    Item number 3 deserves some comments, since it was the hardest to get right. Denyhosts may be adding lines like  "xxx-xxx-xxx-xxx.rev.abxtelex.eu" that will trigger reverse DNS even if you have "UseDNS no" in the configuration file. You have to remove these lines, but if you have Denyhosts installed, maybe you already know how hard it is to remove entries from this file, since they keep reappearing. If you use OpenSUSE, you have a script called "/usr/sbin/dh_reenable" that will do the trick for you. If you are not using OpenSUSE or have installed Denyhosts by hand, then you have to do it manually, take a look at the Denyhosts FAQ here.

    I still don't have a good solution to problem number 3, the best thing would be that Denyhosts did not add reverse DNS entries in /etc/resolv.conf, but I did not find a way to configure it to behave like that.


    On the client side

    The global client side configuration is typically in the file /etc/ssh/ssh_config. But you can configure things on a user level by editing the file ~/.ssh/config.

    I use the local configuration file like this:

    Host *
    Compression yes
    ForwardX11=yes
    ForwardX11Trusted=yes
    GSSAPIAuthentication=no

    Host analise
    HostName 192.168.1.1

    Host home
    Hostname xxxx.noip.me


    That way I can just type "ssh analise" or "ssh home". In the "home" case, it has the advantage of making my dynamic dns name shorter.


    1. Make sure you have the line "GSSAPIAuthentication=no".