2

We are using a Mercurial implementation and sending data to a repository server via public key authentication which takes the latest revision and pushes it to our web servers via hooks also using public key authentication (thus two connections using public key authentication). It works, but it takes 5-10 seconds for even tiny commits to go through.

I believe this is because of the public key authentication, as I know when connecting via terminal using the public key authentication it takes a second or two to log in and show the banner. Is there any way to make this (the logins) go faster?

On a side note, is there any way to keep the ssh banner from going to stdout, aside from turning it off? It pops up in the return status and is pretty annoying.

Joshua Enfield
  • 5-10 seconds seems excessive. When I run `time ssh server1 exit` I am pretty reliably getting a time of 1.1 seconds. – Zoredache Jul 19 '10 at 23:07
  • It could also be a networking issue. – sybreon Jul 20 '10 at 02:16
  • Using Pub key to do the second pub key auth. I got a time of 2.63-2.73 seconds. Both servers being authenticated with are set up similarly so the above times two for two connects is just above 5 seconds. :( I think there is a delay when it is first authenticating. The exit command itself is immediate. – Joshua Enfield Jul 21 '10 at 14:06
  • In addition to the network being slow (for example high latency) one (or both) of the machines can have a shortage of entropy, which OpenSSH needs in order to generate the session keys. – ptman Sep 11 '10 at 06:48

4 Answers

5
```
# Append (>>) so that existing settings in ~/.ssh/config are not overwritten
echo "GSSAPIAuthentication no" >> ~/.ssh/config
```

Before : 0m15.512s

After : 0m0.611s

Michael Hampton
Str82DHeaD
  • 1
    Yes, I was going to mention that you can turn off multiple auth methods, probably in command line options, to have it only try one. This does the same thing, but for everything. – lsd Jan 21 '13 at 19:07
4

Slow reverse DNS can also cause this. Can you try adding `UseDNS no` to your Mercurial server's `sshd_config` file and see if it helps?

Michael Hampton
R. S.
2

I figured out about Control Masters, and used that for the second connection to make the connections after the first connection nearly instant. I am going with the idea that 2 seconds is just part of the connection process when a connection is made. Selecting specific keys, and doing various command line options did not on average improve times much.

Joshua Enfield
1

If you have a lot of ssh keys on the client side, it tends to slow down the whole authentication process as it needs to send each public key to match one in the server's authorized_keys.

Plus if your server is already a bit slow, it will easily degrade.

Weboide
  • 1
    That's a good thought (and verifiable by adding -v's to the command line). It should also be addressable using command-line options to specify which key to use. – Slartibartfast Jul 20 '10 at 03:36
  • At the moment this is only for one to three clients. The command-line option to specify key is a good idea. I'll look into that now. – Joshua Enfield Jul 21 '10 at 14:06
  • `time ssh -T -q -i ~/.ssh/id_rsa server1 exit` - Yielded some better times, but ranged from 2.27 to 3.3 seconds for each authentication. In regard to my previous comment, I realize now you are talking about each of the client keys rather than keys from multiple clients. – Joshua Enfield Jul 21 '10 at 14:19
  • Also worth noting is that pinging the two different servers yields times under 1ms. – Joshua Enfield Jul 21 '10 at 14:25
  • 1
    2 to 3 seconds isn't bad, I get 1 to 2.5 seconds. – Weboide Jul 21 '10 at 21:49
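
To see which of the causes raised in the answers applies (GSSAPI being attempted before publickey, or several client keys being offered), the client's `-v` output can be summarized. This is an added example, not part of the original thread; the `debug1:` sample lines are constructed and modeled on OpenSSH client output (wording varies between versions), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: summarize the authentication phase of `ssh -v` output (stdin).
# Real use (server1 as in the thread):  ssh -v server1 exit 2>&1 | summarize_ssh_auth
summarize_ssh_auth() {
    awk '
        # Each method the client actually attempts, in order.
        /debug1: Next authentication method: / {
            methods = (methods == "" ? $NF : methods "," $NF)
        }
        # One line per public key sent ("Offering RSA public key" on older clients).
        /debug1: Offering .*public key/ { offered++ }
        /debug1: Authentication succeeded \(/ {
            ok = $NF
            gsub(/[().]/, "", ok)      # "(publickey)." -> "publickey"
        }
        END {
            printf "methods=%s keys_offered=%d succeeded=%s\n", methods, offered, (ok == "" ? "none" : ok)
            if (methods ~ /gssapi/)
                print "hint: GSSAPI was tried; compare timing with GSSAPIAuthentication no"
            if (offered > 1)
                print "hint: several keys offered; select one with -i (and IdentitiesOnly yes)"
        }
    '
}

# Constructed sample, modeled on OpenSSH client -v output; wording varies by version.
sample_ssh_v_output() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: /home/user/.ssh/id_rsa
debug1: Authentication succeeded (publickey).
EOF
}

sample_ssh_v_output | summarize_ssh_auth
```

The summary only counts what the client attempted; it does not measure where the time went, so compare `time ssh ... exit` before and after changing one setting at a time.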