IBM Support

How to accelerate ssh repetitive connections

How To


Summary

SSH login delay is a common issue reported to the AIX NetComm Support Team. This Technote describes some of the common causes and makes some recommendations to handle this issue.

Objective

In some scenarios, system administrators use "ssh" or "dsh" to run just a single command on remote hosts several times. Examples of this usage are maintenance scripts or system administration tasks. This document explains some of the common issues that can cause ssh login delay and how to shorten the ssh login elapsed time.

Environment

As a general recommendation, always update OpenSSH and OpenSSL to the latest available release and apply the latest iFix, if applicable. Refer to this Technote for the detailed steps:
This document assumes that SSH is configured to log in through host keys, that is, a simple "ssh" to the remote host logs in without prompting for a password.

Steps

Common factors that cause ssh login delay include:
1) DNS lookup may add some extra delay to ssh login time, as it does to other network communications. To confirm or rule this out, disable DNS lookup and test. Edit /etc/sshd_config and add:
    UseDNS no
   then refresh the sshd service:
    # refresh -s sshd
2) Another common cause of ssh login delay is a large "known_hosts" file, which may additionally hold several host keys for the same server or old, outdated host keys. To refresh this file, follow these steps:
   a) Remove or rename the current "known_hosts" file.
   b) Generate a new "known_hosts" file by a procedure similar to the following, where $list_of_hosts holds the host names separated by spaces:
       # for i in $list_of_hosts
         do
           ssh -o StrictHostKeyChecking=accept-new "$i" exit
         done
3) The latest OpenSSH release incorporates a new, highly secure but somewhat slow key exchange algorithm, sntrup761x25519-sha512@openssh.com, which adds roughly 2 seconds of delay to the login time. While this is actually a benefit and not usually an issue, you may want to disable this algorithm by adding this line to sshd_config or ssh_config:
4) Finally, if you use "ssh" to run single commands on remote hosts repeatedly and consecutively, you can use Control Sockets to speed up repeated logins to the same server. Follow these steps:
   a) The first time you log in to the remote host, create and keep a Control Socket
      in /tmp/ControlSocket with a 5-minute lifetime:
       # ssh -M -S /tmp/ControlSocket -o ControlPersist=5m $RemoteHost exit
   b) Try a second connection without using the Control Socket:
       # time ssh $RemoteHost exit
       real    0m0.66s
       user    0m0.07s
       sys     0m0.00s
   c) Now, to compare, try a new connection using the Control Socket you previously created:
       # time ssh -S /tmp/ControlSocket $RemoteHost exit
       real    0m0.12s
       user    0m0.01s
       sys     0m0.01s
You will note that, after 5 minutes, /tmp/ControlSocket has disappeared.
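
An added example, not part of the original Technote: instead of discarding the whole "known_hosts" file as in step 2, this shell function reports which hosts have several keys of the same type or repeated entries, so that only those entries need to be removed and hosts whose keys were already verified keep them. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Technote): audit a known_hosts file for entries
# worth pruning. Assumes the OpenSSH line format:
#   [@marker] host1,host2 keytype base64key [comment]

# Constructed sample; the key strings are shortened placeholders, not real keys.
sample_known_hosts() {
cat <<'EOF'
# constructed sample
aixhost1,10.0.0.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEY
aixhost1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEY
aixhost1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABRSAKEY
aixhost2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOST2KEY
aixhost2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOST2KEY
|1|c2FsdHNhbHQ=|aGFzaGhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASHED
@revoked aixhost3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABREVOKED
EOF
}

# Reads known_hosts from the named file(s) or stdin and prints, sorted:
#   CONFLICT host keytype n   n different keys of one type for one host
#   DUPLICATE host keytype    the same key listed more than once
#   HASHED n                  hashed entries, which cannot be matched by name
audit_known_hosts() {
  awk '
    /^[ \t]*(#|$)/ { next }             # comments and blank lines
    $1 ~ /^@/      { next }             # @cert-authority/@revoked: leave alone
    $1 ~ /^\|1\|/  { hashed++; next }   # HashKnownHosts entries
    {
      n = split($1, names, ",")
      for (i = 1; i <= n; i++) {
        id = names[i] " " $2
        if (seen[id, $3]++) { dup[id] = 1; continue }
        distinct[id]++
      }
    }
    END {
      for (id in distinct) if (distinct[id] > 1) print "CONFLICT", id, distinct[id]
      for (id in dup) print "DUPLICATE", id
      print "HASHED", hashed + 0
    }
  ' "$@" | LC_ALL=C sort
}

sample_known_hosts | audit_known_hosts
```

Entries for a reported host can then be removed with "ssh-keygen -R" followed by the host name, and the host added again after its key fingerprint is checked.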

Additional Information

SUPPORT:

If the instructions in this document do not lead to resolution of the problem, follow these instructions to open a case. The product must be under warranty or have an active and valid support contract.

a. Document or take screen captures of all symptoms, errors, or messages.

b. Capture any logs or data relevant to the issue.

c. Contact IBM® to open a case.

-For electronic support, visit the IBM Support Community:
https://www.ibm.com/mysupport
-If you require telephone support, visit this web page:
https://www.ibm.com/planetwide/

d. Provide a detailed description of the issue and reference this Technote.

e. Upload all the details and data to the case.

-You can attach files to the case in the IBM Support Community, or
-Upload data to IBM test case server analysis at:

Working with IBM AIX Support: Collecting snap data

Document Location

Worldwide


Document Information

Modified date:
16 April 2024

UID

ibm17148379