User profile for user: Joost Lek
Joost Lek Author
User level: Level 1
5 points

Slow SSH connection buildup

Hello, i have a problem while connecting to (openssh) hosts from the commandline of my Mac OS X 10.4.3 machine.
The connection takes very long to complete, i have this to nearly all hosts on my network, and on the internet.
There is a 'pause' of about 20 seconds between these two lines:

debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: An invalid name was supplied

After some research i think the kerberos authentication is to blame for the delay, but setting GSSAPIAuthentication and GSSAPIDelegateCredentials to no, or starting ssh with -k doesn't solve the problem.
I have been searching for a solution for this problem for quite some time now, has anyone seen this problem?

Debug output of a session:

joost-leks-powerbook-g4-15:~/Documents/idisk joost$ ssh -v 10.0.0.123
OpenSSH_3.8.1p1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /Users/joost/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 10.0.0.123 [10.0.0.123] port 22.
debug1: Connection established.
debug1: identity file /Users/joost/.ssh/identity type -1
debug1: identity file /Users/joost/.ssh/id_rsa type 1
debug1: identity file /Users/joost/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2 MSGKEXINIT sent
debug1: SSH2 MSGKEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2 MSG_KEX_DH_GEXREQUEST(1024<1024<8192) sent
debug1: expecting SSH2 MSG_KEX_DH_GEXGROUP
debug1: SSH2 MSG_KEX_DH_GEXINIT sent
debug1: expecting SSH2 MSG_KEX_DH_GEXREPLY
The authenticity of host '10.0.0.123 (10.0.0.123)' can't be established.

(after this, the connection is started fine)

PowerBook G4, Mac OS X (10.4.3), ssh kerberos problems

Posted on Nov 23, 2005 1:03 AM

Reply
4 replies
User profile for user: Jun T.
Jun T.
User level: Level 4
2,191 points

Nov 23, 2005 4:49 AM in response to Joost Lek

Hi Joost,

If you try 'ssh -vvv 10.0.0.123', then you will see that the delay is due to

debug3: Trying to reverse map address 10.0.0.123.

This indicates that the ssh client is doing a reverse DNS lookup. As far as I know there is no way to stop this look up.

If a DNS server is running in your local network, then tell the admin of the DNS server that the reverse lookup is not correctly configured so please fix it.

If no DNS server is running for the local network, then you just accept the delay, or you can add the following line to /etc/hosts of the client Mac:

10.0.0.123 servername

where servername is the hostname of the host whose IP is 10.0.0.123.

PowerMac G4 Mac OS X (10.4.3)
Reply
User profile for user: Joost Lek
Joost Lek Author
User level: Level 1
5 points

Nov 23, 2005 7:19 AM in response to Gary Kerbaugh

Thank you both for your quick replies. I happened to try these suggestions both allready and they do not sufficiently solve my problem.

This is the debug3 output:

joost-leks-powerbook-g4-15:~ joost$ host 10.0.0.123
123.0.0.10.in-addr.arpa domain name pointer tech.
joost-leks-powerbook-g4-15:~ joost$ ssh -v -v -v 10.0.0.123
OpenSSH_3.8.1p1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /Users/joost/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.0.123 [10.0.0.123] port 22.
debug1: Connection established.
debug1: identity file /Users/joost/.ssh/identity type -1
debug3: Not a RSA1 key file /Users/joost/.ssh/id_rsa.
debug2: key type_fromname: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key type_fromname: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/joost/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /Users/joost/.ssh/id_dsa.
debug2: key type_fromname: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key type_fromname: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/joost/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: Trying to reverse map address 10.0.0.123.
reverse mapping checking getaddrinfo for tech failed - POSSIBLE BREAKIN ATTEMPT!
debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2 MSGKEXINIT sent
debug1: SSH2 MSGKEXINIT received
debug2: kex parsekexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex parsekexinit: ssh-rsa,ssh-dss
debug2: kex parsekexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijn dael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex parsekexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijn dael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex parsekexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac- md5-96
debug2: kex parsekexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac- md5-96
debug2: kex parsekexinit: none,zlib
debug2: kex parsekexinit: none,zlib
debug2: kex parsekexinit:
debug2: kex parsekexinit:
debug2: kex parsekexinit: first kexfollows 0
debug2: kex parsekexinit: reserved 0
debug2: kex parsekexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex parsekexinit: ssh-rsa,ssh-dss
debug2: kex parsekexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijn dael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex parsekexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijn dael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex parsekexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac- md5-96
debug2: kex parsekexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac- md5-96
debug2: kex parsekexinit: none,zlib
debug2: kex parsekexinit: none,zlib
debug2: kex parsekexinit:
debug2: kex parsekexinit:
debug2: kex parsekexinit: first kexfollows 0
debug2: kex parsekexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2 MSG_KEX_DH_GEXREQUEST(1024<1024<8192) sent
debug1: expecting SSH2 MSG_KEX_DH_GEXGROUP
debug2: dh genkey: priv key bits set: 122/256
debug2: bits set: 526/1024
debug1: SSH2 MSG_KEX_DH_GEXINIT sent
debug1: expecting SSH2 MSG_KEX_DH_GEXREPLY
debug3: check host_inhostfile: filename /Users/joost/.ssh/known_hosts
debug3: check host_inhostfile: match line 76
debug1: Host '10.0.0.123' is known and matches the RSA host key.
debug1: Found key in /Users/joost/.ssh/known_hosts:76
debug2: bits set: 505/1024
debug1: ssh rsaverify: signature correct
debug2: kex derivekeys
debug2: set_newkeys: mode 1
debug1: SSH2 MSGNEWKEYS sent
debug1: expecting SSH2 MSGNEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2 MSGNEWKEYS received
debug1: SSH2 MSG_SERVICEREQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2 MSG_SERVICEACCEPT received
debug2: key: /Users/joost/.ssh/identity (0x0)
debug2: key: /Users/joost/.ssh/id_rsa (0x307490)
debug2: key: /Users/joost/.ssh/id_dsa (0x300ce0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod isenabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/joost/.ssh/identity
debug3: no such identity: /Users/joost/.ssh/identity
debug1: Offering public key: /Users/joost/.ssh/id_rsa
debug3: send pubkeytest
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /Users/joost/.ssh/id_dsa
debug3: send pubkeytest
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod isenabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input userauth_inforeq
debug2: input userauth_inforeq: num_prompts 1
Password:

the last line of my /etc/ssh_config:
CheckHostIP no

But the delay is still there.
Reply
User profile for user: Jun T.
Jun T.
User level: Level 4
2,191 points

Nov 23, 2005 8:00 AM in response to Joost Lek

At which point of the debug output did you experience the delay?

Are you on an office network where IP address/hostnames are managed by administrator(s), or on a home network where no DNS server is running?

debug3: Trying to reverse map address 10.0.0.123.
reverse mapping checking getaddrinfo for tech failed - POSSIBLE BREAKIN ATTEMPT!


Did you add the line to /etc/hosts?


PowerMac G4 Mac OS X (10.4.3)
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Slow SSH connection buildup

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up