Tuesday, May 4, 2010

Slow SSH Logins on CentOS 5

SkyHi @ Tuesday, May 04, 2010

Following the usual how-tos didn't leave me with a speedy login. I eventually tracked down the problem to a particularly monumental bug in RedHat's OpenSSH server (apparently fixed upstream, which does none of us any good now).


The fix


  1. Edit /etc/ssh/sshd_config.
  2. Find and change the following lines (or add them if missing):
    GSSAPIAuthentication yes

    ...

    #UseDNS yes

    to


    GSSAPIAuthentication no

    ...

    UseDNS no

  3. Check the syntax and reload sshd so the change takes effect:

    sshd -t && /etc/init.d/sshd reload

  4. Enjoy.

Why these two directives: with GSSAPIAuthentication on, the client tries the gssapi-with-mic method before password or public-key authentication, and on a machine with no usable Kerberos ticket that attempt involves Kerberos library and DNS lookups that have to fail or time out first. With UseDNS on, sshd does a reverse lookup of the connecting address and a forward lookup of the resulting name before it answers, so a slow or broken resolver stalls every login. The trade-offs are small: with UseDNS off, sshd logs client addresses instead of host names and host-name patterns in authorized_keys from="..." options can no longer match (address patterns still work); with GSSAPIAuthentication off, you lose Kerberos single sign-on over SSH, which you only notice if you were using it. To confirm where the delay is before editing the server, run ssh -v from the client and watch which authentication method the pause sits under; ssh -o GSSAPIAuthentication=no host shows whether the client-side GSSAPI attempt alone accounts for it.
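As an added example (my code, not from the original post), here is a small Python helper that makes the edit in steps 1 and 2 repeatable: it rewrites the two directives in a copy of the sshd_config text, uncomments a #UseDNS line rather than leaving a duplicate behind, and keeps any directive it has to add in the global section above the first Match block, where a line blindly appended to the end of the file would otherwise land and apply only inside that block. The sample config text is constructed for the example, the names set_directive, effective_value and apply_fast_login_fix are mine, and effective_value mimics sshd's first-occurrence rule for the global section.

```python
import re

# Constructed sample of a CentOS-style sshd_config (not a real system file),
# including a Match block so the insertion logic has something to avoid.
SAMPLE_SSHD_CONFIG = """\
# sshd_config sample, constructed for this example
Port 22
Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""

# The two settings from the fix above.
FAST_LOGIN_SETTINGS = {"GSSAPIAuthentication": "no", "UseDNS": "no"}

MATCH_RE = re.compile(r"^\s*match\b", re.IGNORECASE)


def _directive_re(key):
    # sshd_config keywords are case-insensitive; "Key value" or "Key=value".
    # Group 2 is the comment marker, group 5 the value.
    return re.compile(r"^(\s*)(#\s*)?(" + re.escape(key) + r")(\s+|\s*=\s*)(.*)$",
                      re.IGNORECASE)


def _global_section_end(lines):
    """Index of the first Match line, or len(lines) if there is none."""
    for i, line in enumerate(lines):
        if MATCH_RE.match(line):
            return i
    return len(lines)


def effective_value(config_text, key):
    """Value sshd uses for `key` globally: the first active occurrence before
    any Match block, or None if unset (sshd's built-in default then applies)."""
    pat = _directive_re(key)
    lines = config_text.splitlines()
    for line in lines[:_global_section_end(lines)]:
        m = pat.match(line)
        if m and not m.group(2):
            return m.group(5).strip()
    return None


def set_directive(config_text, key, value):
    """Return config_text with `key value` set in the global section.

    Every active global occurrence is rewritten (sshd honours the first, but a
    stale duplicate is a trap for the next admin). Failing that, the first
    commented-out "#key ..." line is replaced. Failing that, the directive is
    inserted just above the first Match block, never after it, because a
    directive placed after Match applies only inside that block."""
    pat = _directive_re(key)
    lines = config_text.splitlines()
    end = _global_section_end(lines)
    new_line = "%s %s" % (key, value)
    hits = [(i, pat.match(lines[i])) for i in range(end)]
    active = [i for i, m in hits if m and not m.group(2)]
    commented = [i for i, m in hits if m and m.group(2)]
    if active:
        for i in active:
            lines[i] = new_line
    elif commented:
        lines[commented[0]] = new_line
    else:
        lines.insert(end, new_line)
    return "\n".join(lines) + "\n"


def apply_fast_login_fix(config_text):
    """Apply both settings; running it twice yields the same text."""
    for key, value in FAST_LOGIN_SETTINGS.items():
        config_text = set_directive(config_text, key, value)
    return config_text


if __name__ == "__main__":
    fixed = apply_fast_login_fix(SAMPLE_SSHD_CONFIG)
    print(fixed)
    for key in FAST_LOGIN_SETTINGS:
        print("%s: %s -> %s" % (key, effective_value(SAMPLE_SSHD_CONFIG, key),
                                effective_value(fixed, key)))
```

On a real host, read /etc/ssh/sshd_config, pass it through apply_fast_login_fix, write the result to a temporary file, run sshd -t -f on that file, and only then move it into place and reload sshd; the same set_directive call works for the ListenAddress change in the side note below.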

Side Note


If you use CentOS, your SSH server is probably logging a bind error every time it starts or reloads, and you don't know it.


I also experienced this problem while attempting to restart the SSH server. Everything seemed to work, but checking the logs showed serious errors: it complained about being unable to bind to port 22. To see if you have the same problem, follow these steps:


/etc/init.d/sshd reload

tail /var/log/secure

If you find something like the following:


sshd[20213]: Server listening on :: port 22.

sshd[20213]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

then you've hit the same thing. "::" is not localhost; it is the IPv6 "any" address, the counterpart of 0.0.0.0 (any IPv4 address). On Linux a socket bound to "::" also accepts IPv4 connections (as IPv4-mapped addresses) unless net.ipv6.bindv6only is set, so once sshd has bound "::" port 22 its second bind to 0.0.0.0 port 22 fails with "Address already in use". IPv4 logins still arrive through the "::" socket, so the message itself is harmless. If listening on both protocols through that one socket is what you want, then great! If you want an IPv4-only listener (or just a clean log)..


edit


/etc/ssh/sshd_config

and change the ListenAddress lines from


#ListenAddress 0.0.0.0

#ListenAddress ::

to


ListenAddress 0.0.0.0

#ListenAddress ::

Setting AddressFamily inet does the same job while leaving both ListenAddress lines commented out. Either way sshd will no longer accept SSH over IPv6 at all, which is fine on a network without IPv6 but worth remembering if you enable it later; the opposite choice, a single active "ListenAddress ::" line, serves both protocols on Linux with the default dual-stack setting and also keeps the log clean. After reloading sshd, check that only the socket you asked for is listening:

netstat -tlnp | grep ':22 '

Hope this helps!
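To see the mechanism behind that log line without touching sshd, here is an added Python demonstration (my code, not from the original post): it binds an IPv6 socket to "::" on a kernel-chosen port, as sshd does first, then tries to bind an IPv4 socket to 0.0.0.0 on the same port, once with the dual-stack behaviour sshd gets by default on Linux and once with IPV6_V6ONLY set on the "::" socket. The function names are mine; explain_bind_conflict returns None on a host that cannot create or bind IPv6 sockets, and the sysctl path it reads is Linux-specific.

```python
import errno
import socket


def second_bind_result(v6only):
    """Bind an IPv6 socket to '::' on a kernel-chosen port, as sshd does first,
    then try an IPv4 socket on 0.0.0.0 with the same port.

    Returns "ok" if the IPv4 bind succeeds or the errno name (e.g. "EADDRINUSE")
    if it fails. Raises OSError if this host cannot create or bind IPv6 sockets."""
    s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # IPV6_V6ONLY=0 is the Linux default (net.ipv6.bindv6only=0): the '::'
        # socket then also claims the IPv4 side of the port, which is exactly
        # what makes sshd's second bind to 0.0.0.0 fail.
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        s6.bind(("::", 0))  # port 0: let the kernel pick a free port
        port = s6.getsockname()[1]
        try:
            s4.bind(("0.0.0.0", port))
            return "ok"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s4.close()
        s6.close()


def bindv6only_sysctl():
    """System-wide default a fresh '::' socket inherits; None if not readable
    (non-Linux hosts, or /proc not mounted)."""
    try:
        with open("/proc/sys/net/ipv6/bindv6only") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def explain_bind_conflict():
    """Run both variants. Returns None when IPv6 sockets are unavailable here."""
    try:
        dual_stack = second_bind_result(v6only=False)
        v6_only = second_bind_result(v6only=True)
    except (OSError, AttributeError):
        return None
    return {
        "bindv6only_sysctl": bindv6only_sysctl(),
        "dual_stack_second_bind": dual_stack,  # "EADDRINUSE": sshd's situation
        "v6only_second_bind": v6_only,         # "ok": two independent sockets
    }


if __name__ == "__main__":
    result = explain_bind_conflict()
    if result is None:
        print("no IPv6 socket support on this host; nothing to show")
    else:
        print("net.ipv6.bindv6only = %s" % result["bindv6only_sysctl"])
        print("bind :: then 0.0.0.0, dual-stack  : %s" % result["dual_stack_second_bind"])
        print("bind :: then 0.0.0.0, IPV6_V6ONLY : %s" % result["v6only_second_bind"])
```

The dual-stack run reproduces sshd's "Bind to port 22 on 0.0.0.0 failed: Address already in use" on a free port; the IPV6_V6ONLY run shows that the conflict is a property of the "::" socket, not of anything else holding the port, which is why dropping one of the two ListenAddress lines (or setting AddressFamily) makes the error go away.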



================================================

[root@home]# cat disableipv6.sh

#!/bin/sh
#http://usalug.org/phpBB2/viewtopic.php?t=13265
# Fragment of a larger firewall script; only the IPv6 part is reproduced here,
# so IPTABLES, MODPROBE, RMMOD and ARP are defined but unused in this excerpt.
# For debugging use iptables -v.
# Note: this only drops IPv6 packets with ip6tables. It does not unload the
# IPv6 stack, so sshd will still bind to "::" (see the ListenAddress fix above),
# and on CentOS the policies below are lost at reboot unless you run
# "/etc/init.d/ip6tables save" afterwards.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

#------------------------------------------------------------------------------
# Completely disable IPv6.
#------------------------------------------------------------------------------

# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
# Note: The safest way to prevent IPv6 traffic is to not enable support for
# IPv6 in the kernel in the first place (neither built-in nor as a module).

# If the ip6tables command is available, try to block all IPv6 traffic.
# Errors are silenced because the ip6_tables kernel module may be absent.
if test -x "$IP6TABLES"; then
  # Set the default policies (drop everything, including ::1 loopback traffic,
  # so any local service that talks to itself over IPv6 will break).
  $IP6TABLES -P INPUT DROP 2>/dev/null
  $IP6TABLES -P FORWARD DROP 2>/dev/null
  $IP6TABLES -P OUTPUT DROP 2>/dev/null

  # The mangle table can pass everything through unaltered (we don't use it).
  $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

  # Delete all rules, leaving only the DROP policies in the filter table.
  $IP6TABLES -F 2>/dev/null
  $IP6TABLES -t mangle -F 2>/dev/null

  # Delete all (non-builtin) user-defined chains.
  $IP6TABLES -X 2>/dev/null
  $IP6TABLES -t mangle -X 2>/dev/null

  # Zero all packet and byte counters.
  $IP6TABLES -Z 2>/dev/null
  $IP6TABLES -t mangle -Z 2>/dev/null
fi

REFERENCE

http://www.dbaranski.net/2010/03/slow-ssh-logins-on-centos-5/