Slow SSH connections

Recently I noticed that my ssh connections would stall for a few seconds before prompting for a password. It turned out that the ssh client was querying the DNS servers for the server host key (SSHFP records); the connection hung while it waited for those lookups to finish.

12:35PM zzz:~# ssh -v master@myswitch
OpenSSH_6.6.1p1, OpenSSL 1.0.1j-freebsd 15 Oct 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to myswitch [10.202.13.230] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: identity file /home/user/ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
debug1: Remote protocol version 1.99, remote software version Comware-5.20
debug1: no match: Comware-5.20
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA 41:3b:42:fd:ea:38:c8:27:f2:d4:7a:17:18:16:14:13
DNS lookup error: general failure  --> SSH stall here and does DNS requests (see tcpdump below)
debug1: Host 'myswitch' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:473
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent

 

The tcpdump output shows the ssh client sending SSHFP queries for myswitch and never getting a response: the same query (id 3790) is retransmitted to each configured resolver about every five seconds, which accounts for the delay.

12:38:07.892258 IP zzz.xx.com.55994 > mydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:12.910363 IP zzz.xx.com.33318 > vmydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:17.926115 IP zzz.xx.com.25719 > vmydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:22.965491 IP zzz.xx.com.29942 > mydns.domain: 3790+ [1au] SSHFP? myswitch. (41)
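To make this kind of stall easy to spot in a capture, here is an added example (not code from the original post) that reads tcpdump's one-line DNS summaries and reports, per query, how many times it was retransmitted and whether any answer came back to one of the querying sockets. The SSHFP lines are the four from the capture above; the A query and its response are constructed to show what an answered lookup looks like. The line format it parses is the default tcpdump DNS summary; the heuristic that a remainder containing "QTYPE? name." is a query and anything else is a response is an assumption of this script.

```python
"""Find DNS queries that never got an answer in tcpdump's one-line DNS output.

Added example (not from the original post). It scores each (id, qtype, qname)
query by how many times it was retransmitted and whether any response with the
same id came back to one of the querying sockets. The SSHFP lines are the ones
from the post's tcpdump; the A query/response pair is constructed.
"""
import re
from datetime import datetime

# "HH:MM:SS.usec IP src.port > dst.port: id<flags> rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<rest>.*)$"
)
# A query's remainder carries "QTYPE? name." (e.g. "SSHFP? myswitch."); a
# response carries answer counts ("1/0/0") or an rcode ("NXDomain") instead.
QUESTION_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")

SAMPLE_TCPDUMP = """
12:38:05.000000 IP zzz.xx.com.40000 > mydns.com.domain: 1234+ A? myswitch. (27)
12:38:05.010000 IP mydns.com.domain > zzz.xx.com.40000: 1234 1/0/0 A 10.202.13.230 (43)
12:38:07.892258 IP zzz.xx.com.55994 > mydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:12.910363 IP zzz.xx.com.33318 > vmydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:17.926115 IP zzz.xx.com.25719 > vmydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:22.965491 IP zzz.xx.com.29942 > mydns.domain: 3790+ [1au] SSHFP? myswitch. (41)
""".strip().splitlines()


def _seconds(ts):
    """Seconds since midnight for a tcpdump timestamp (%f accepts 1-6 digits)."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def analyze_dns(lines):
    """Return one dict per distinct query, ordered by first appearance."""
    queries = {}          # (id, qtype, qname) -> record
    responses = set()     # (id, socket the answer was sent to)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue      # not a DNS summary line; ignore
        q = QUESTION_RE.search(m["rest"])
        if q is None:
            responses.add((m["id"], m["dst"]))
            continue
        key = (m["id"], q["qtype"], q["qname"])
        t = _seconds(m["ts"])
        rec = queries.setdefault(key, {
            "id": m["id"], "qtype": q["qtype"], "qname": q["qname"],
            "retries": 0, "first": t, "last": t, "sockets": set(),
        })
        rec["retries"] += 1
        rec["last"] = t
        rec["sockets"].add(m["src"])
    report = []
    for rec in queries.values():
        answered = any((rec["id"], s) in responses for s in rec["sockets"])
        report.append({
            "id": rec["id"], "qtype": rec["qtype"], "qname": rec["qname"],
            "retries": rec["retries"],
            "span_s": round(rec["last"] - rec["first"], 6),
            "answered": answered,
        })
    return report


if __name__ == "__main__":
    for row in analyze_dns(SAMPLE_TCPDUMP):
        status = "answered" if row["answered"] else "NO ANSWER"
        print(f'{row["qtype"]:6} {row["qname"]:12} id={row["id"]} '
              f'retries={row["retries"]} span={row["span_s"]:.1f}s {status}')
```

Run it against `tcpdump -n -l port 53` output piped through a file; a row with several retries, a span of ten seconds or more and "NO ANSWER" is the signature of the stall described in the post, and the qtype column tells you it is the SSHFP lookup rather than the ordinary A/AAAA resolution of the host name.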

This can be turned off by editing /etc/ssh/ssh_config (or ~/.ssh/config for a single user) and setting “VerifyHostKeyDNS no”. Upstream OpenSSH defaults this option to no, so the lookups only happen where a distribution or an existing config has enabled it, as was the case on this FreeBSD client. After setting the option, ssh skips the SSHFP lookups and goes straight to the known_hosts file, as the debug output below shows.

 

debug1: Server host key: RSA 41:3b:42:fd:ea:38:c8:27:f2:d4:7a:17:18:16:14:13
debug1: Host 'myswitch' is known and matches the RSA host key.
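For readers wondering what the client was actually looking for, here is an added example (not the post's code and not OpenSSH's) that derives the SSHFP records a zone would carry for a host key and emulates the comparison a client with VerifyHostKeyDNS enabled performs against the key the server offers. It also prints the MD5 colon-style fingerprint that OpenSSH 6.x shows in the "Server host key:" debug line above. The sample key is constructed (an ssh-ed25519 blob whose 32 key bytes are just 0..31), as is the second "impostor" key; the function names are this example's own. Note that OpenSSH treats a matching SSHFP answer as authoritative only when the resolver marks it as DNSSEC-validated; an unvalidated match is shown as a hint and the known_hosts check still applies, so with lookups that never return, as in the post, the only effect of the option is the wait.

```python
"""Derive SSHFP records from an OpenSSH host key and check an answer against it.

Added example, not the post's code or OpenSSH's. SSHFP layout follows
RFC 4255 (algorithm 1 = RSA, 2 = DSA; fingerprint type 1 = SHA-1) with the
later additions of ECDSA (3), Ed25519 (4) and SHA-256 (2). The sample key is
constructed: a syntactically valid ssh-ed25519 blob whose 32 "point" bytes are
just 0..31, which is enough for the fingerprint arithmetic.
"""
import base64
import hashlib
import struct

SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _constructed_key_line(point, comment):
    """Build a 'type base64 comment' line the way an OpenSSH .pub file looks."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


SAMPLE_HOST_KEY = _constructed_key_line(bytes(range(32)), "myswitch (constructed)")
OTHER_HOST_KEY = _constructed_key_line(bytes(32), "impostor (constructed)")


def parse_pubkey_line(line):
    """Split 'type base64blob [comment]' and sanity-check the blob's own type tag."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    taglen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + taglen] != keytype.encode():
        raise ValueError("key type tag inside blob does not match the line")
    return keytype, blob


def md5_colon_fingerprint(blob):
    """The 'RSA 41:3b:42:...' style OpenSSH 6.x prints for a host key."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sshfp_records(hostname, line):
    """One SSHFP RR per fingerprint type, in zone-file form."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{hostname}. IN SSHFP {alg} {fptype} {digest(blob).hexdigest()}"
            for fptype, digest in SSHFP_DIGEST.items()]


def sshfp_matches(record, offered_key_line):
    """What a client with VerifyHostKeyDNS does with an answer: recompute the
    fingerprint of the key the server offered and compare it to the RR."""
    fields = record.split()
    alg, fptype, fp_hex = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, blob = parse_pubkey_line(offered_key_line)
    if SSHFP_ALGORITHM.get(keytype) != alg or fptype not in SSHFP_DIGEST:
        return False
    return SSHFP_DIGEST[fptype](blob).hexdigest() == fp_hex


if __name__ == "__main__":
    _, blob = parse_pubkey_line(SAMPLE_HOST_KEY)
    print("MD5 fingerprint:", md5_colon_fingerprint(blob))
    for rr in sshfp_records("myswitch", SAMPLE_HOST_KEY):
        print(rr, "matches offered key:", sshfp_matches(rr, SAMPLE_HOST_KEY))
```

If you do want DNS-based host key verification rather than turning it off, the records this produces are what `ssh-keygen -r hostname -f /etc/ssh/ssh_host_key.pub` emits on the server side, and they only add real assurance when the zone is DNSSEC-signed and the client's resolver validates it; otherwise the known_hosts entry remains the thing that actually authenticates the switch.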