0

I'm having a slow connection establishment issue with PuTTY:

> time.exe plink.exe -no-antispoof root@X.Y.Z.T exit
root@X.Y.Z.T's password:
real    0m 10.80s
user    0m 0.01s
sys     0m 0.06s

But not with OpenSSH:

> time.exe ssh.exe root@X.Y.Z.T exit
root@X.Y.Z.T's password:
real    0m 0.94s
user    0m 0.03s
sys     0m 0.06s

And here is the UseDNS value:

> ssh root@X.Y.Z.T grep UseDNS /etc/ssh/sshd_config
root@X.Y.Z.T's password:
#UseDNS yes
UseDNS no

Now with plink -v:

> time.exe plink.exe -no-antispoof -v root@X.Y.Z.T exit
Looking up host "X.Y.Z.T" for SSH connection
Connecting to X.Y.Z.T port 22
We claim version: SSH-2.0-PuTTY_Release_0.77
Connected to X.Y.Z.T
Remote version: SSH-2.0-OpenSSH_7.4
Using SSH protocol version 2
No GSSAPI security context available
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Server also has ecdsa-sha2-nistp256/rsa-sha2-512/rsa-sha2-256/ssh-rsa host keys, but we don't know any of them
Host key fingerprint is:
ssh-ed25519 255 SHA256:xKqcsd8PIA6nRNj4D2Be5yBILwobLz3VXJMswZ+L5D4
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
Pageant is running. Requesting keys.
Pageant has 0 SSH-2 keys
Using username "root".
Using SSPI from SECUR32.DLL
Trying gssapi-with-mic...
Attempting GSSAPI authentication

GSSAPI authentication request refused
root@X.Y.Z.T's password:
Sent password
Access granted
Opening main session channel
Opened main channel
Remote debug message: No xauth program; cannot forward with spoofing.
X11 forwarding refused
Agent forwarding enabled
Started a shell/command
Session sent command exit status 0
real    0m 11.97s
user    0m 0.01s
sys     0m 0.06s

EDIT0 : Fixing the nameserver(s) in /etc/resolv.conf on the sshd server side fixed the 10 seconds SSH connection establishment delay.

SebMa
  • Can you point in the log (plink -v) at which line it seems to hang a few seconds, if any? – Saïmonn Jul 27 '22 at 16:18
  • @Saïmonn At line `Attempting GSSAPI authentication`, but fixing the `nameserver` in `/etc/resolv.conf` on the server side fixed the 10 seconds SSH connection establishment delay. What I don't understand is: why? – SebMa Jul 28 '22 at 15:05

1 Answer

2

It's likely a DNS host resolution timeout after trying GSSAPI authentication.

Plink uses GSSAPI by default.

In OpenSSH, on both client and server, GSSAPIAuthentication is disabled by default.

Most likely GSSAPIAuthentication is enabled in sshd_config on the server.

https://stackoverflow.com/questions/62509282/how-to-disable-gssapi-authentication-using-putty-plink

https://access.redhat.com/discussions/1173853

SSH - slow authentication

gapsf
  • By `DNS host resolving`, do you mean that SSHD tries to resolve the IP of the SSH client trying to connect? – SebMa Jul 28 '22 at 18:52
  • It's hard to say exactly without knowing the state of the UseDNS option on the server. The client hangs after Connected to X.Y.Z.T, on Attempting GSSAPI authentication, so I guess the client tries to resolve GSSAPI mechanisms, maybe a Kerberos server. Could you add ssh_config and sshd_config, and plink.exe -vvv root@server? And where did you change resolv.conf: on the server or on the client? – gapsf Jul 28 '22 at 19:53
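
An added diagnostic, not part of the original question or answer: since correcting the `nameserver` entries in `/etc/resolv.conf` on the sshd host removed the delay, this Python script, run on that host, times a reverse (PTR) lookup of the SSH client's address against each configured nameserver so that an unresponsive one stands out. The sample resolv.conf text, the default client address 192.0.2.10, the script name and the function names are constructed for illustration.

```python
"""Time a reverse (PTR) lookup against every nameserver in resolv.conf."""
import ipaddress
import socket
import struct
import sys
import time

# Constructed sample input (documentation addresses), not taken from the page.
SAMPLE_RESOLV_CONF = """\
# constructed example
search example.test
nameserver 192.0.2.53
; old entry: nameserver 192.0.2.1
nameserver 2001:db8::53
"""

def nameservers(text):
    """Return the nameserver addresses in the order the resolver tries them."""
    found = []
    for line in text.splitlines():
        fields = line.split()  # comment lines start with '#' or ';' and never match
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def ptr_query(ip, txid=0x1234):
    """Build the DNS packet for a PTR (reverse) lookup of ip."""
    name = ipaddress.ip_address(ip).reverse_pointer
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 12, 1)  # QTYPE=PTR, QCLASS=IN

def probe(server, client_ip, timeout=2.0, port=53):
    """Return seconds until server replies, or None if it stays silent."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = ptr_query(client_ip)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(512)
        except OSError:  # timeout, unreachable network, refused
            return None
    return time.monotonic() - start if reply[:2] == query[:2] else None

if __name__ == "__main__":
    # Usage (assumed file name): python3 probe_ns.py <ssh-client-ip>
    client_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    with open("/etc/resolv.conf") as fh:
        servers = nameservers(fh.read())
    for server in servers:
        rtt = probe(server, client_ip)
        print(server, "no reply within 2s" if rtt is None else f"{rtt * 1000:.0f} ms")
```

A nameserver that prints "no reply" here is one the resolver on the sshd host has to time out on before a lookup can complete or fail over.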