
I have a remote server I need to administer over a VPN to another data centre. The server I used to connect to it from (server A) is being decommissioned, so I'm using another on the same VLAN (server B).

Server A and B run the same version of SSH (SSH-2.0-OpenSSH_4.3) and have identical /etc/ssh/ssh_config files.

Server A and B both have RSA keys, with the public part stored in .ssh/authorized_keys on the remote machine.

When I ssh to the remote machine from server A, I get in immediately.

When I ssh to the remote machine from server B, I have to wait around 20 seconds or more.

I've run ssh in verbose debug mode and the part where it's hanging on server B is here:

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '10.10.10.50' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug2: bits set: 493/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/identity ((nil))
debug2: key: /home/user/.ssh/id_rsa (0x7ff214705310)
debug2: key: /home/user/.ssh/id_dsa ((nil))
...

This is the point where there's a 20 second delay. What's going on with server B that isn't affecting server A?

RCross

1 Answer


Probably a reverse-dns lookup delay. Check your DNS configuration at server B.

You can verify this by setting 'UseDNS no' in sshd_config and see if it helps. (It is preferable, however, to solve any underlying DNS problems if there are any).

Avada Kedavra
    Thanks! I had checked the remote machine's sshd_config file and found nothing in there relating to DNS - didn't realise that reverse dns was the default, unless specified otherwise. It's a shame that the default option is not included in the file, commented out, as you get with many other useful settings. Also a shame that no reference to reverse DNS lookups was showing in either the ssh -vvv output, or in any of the logs on the remote machine. – RCross Sep 23 '10 at 12:41
  • I agree, it wouldn't hurt at all. You probably know this already, but you can use "man sshd_config" as a fast and easy way to see what other options are available. That said, the best way to solve this issue is to setup proper DNS settings if you have a DNS server available/visible from server B. – Avada Kedavra Sep 23 '10 at 12:50
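The answer and the follow-up comments turn on two things that are easy to miss: sshd applies only the first occurrence of a keyword in sshd_config, and a keyword that is absent altogether silently takes its compiled-in default, which for UseDNS on OpenSSH 4.x is "yes". Note also that the lookup in question is done by sshd on the remote machine (it reverse-resolves the address of the connecting client), so that is the host whose config and resolver matter. The script below is an added example, not code from the thread: it reports the effective UseDNS value of a given sshd_config, including the "not mentioned at all" case, and can time one reverse lookup the way sshd would see it. The sample config files it creates are constructed for the demonstration, and the default-to-"yes" behaviour is an assumption that holds for the OpenSSH 4.3 in the question but not for OpenSSH 6.8 and later, where the default flipped to "no".

```shell
#!/bin/sh
# Added example (not from the original thread): report the effective UseDNS
# setting of an sshd_config, then optionally time one reverse lookup.
#
# Two facts from sshd_config(5) drive this:
#   * for each keyword sshd uses the FIRST occurrence; later ones are ignored
#   * when UseDNS is not present at all, OpenSSH 4.x defaults it to "yes"
#     (a reverse lookup of every connecting client, which is where a ~20 s
#     stall comes from when the resolver is slow or unreachable)

# effective_usedns FILE  ->  prints "yes" or "no"
effective_usedns() {
    # first non-comment UseDNS line; keyword and value may be separated by
    # whitespace or "=", and the keyword is matched case-insensitively
    val=$(sed -n 's/^[[:space:]]*[Uu][Ss][Ee][Dd][Nn][Ss][[:space:]=]\{1,\}\([^[:space:]#]*\).*$/\1/p' "$1" \
          | head -n 1)
    # keyword absent: assume the OpenSSH 4.x compiled-in default of "yes"
    [ -z "$val" ] && val=yes
    printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
}

# reverse_lookup_seconds IP  ->  prints wall-clock seconds one PTR lookup took
# (goes through the system resolver, as sshd does; needs the network)
reverse_lookup_seconds() {
    start=$(date +%s)
    getent hosts "$1" >/dev/null 2>&1 || true   # "no PTR record" is not an error here
    end=$(date +%s)
    echo $((end - start))
}

# ---- constructed sample configs (not real files from the post) ----
SAMPLE_DIR=$(mktemp -d)

# typical 4.3-era file: the option only appears in a comment, so the default applies
SAMPLE_DEFAULT="$SAMPLE_DIR/default.conf"
cat > "$SAMPLE_DEFAULT" <<'EOF'
Port 22
Protocol 2
#UseDNS no
PermitRootLogin no
EOF

# corrected file: reverse lookups disabled explicitly
SAMPLE_FIXED="$SAMPLE_DIR/fixed.conf"
cat > "$SAMPLE_FIXED" <<'EOF'
Port 22
Protocol 2
UseDNS no
PermitRootLogin no
EOF

# first occurrence wins: the later "yes" is ignored by sshd
SAMPLE_FIRSTWINS="$SAMPLE_DIR/firstwins.conf"
cat > "$SAMPLE_FIRSTWINS" <<'EOF'
usedns = no
UseDNS yes
EOF

for f in "$SAMPLE_DEFAULT" "$SAMPLE_FIXED" "$SAMPLE_FIRSTWINS"; do
    printf '%s: effective UseDNS=%s\n' "$f" "$(effective_usedns "$f")"
done

# on the remote host:  ./usedns-check.sh /etc/ssh/sshd_config <server B address>
if [ -n "$1" ]; then
    printf '%s: effective UseDNS=%s\n' "$1" "$(effective_usedns "$1")"
fi
if [ -n "$2" ]; then
    printf 'reverse lookup of %s took %s s\n' "$2" "$(reverse_lookup_seconds "$2")"
fi
```

Run it on the remote machine with its real sshd_config and server B's address as arguments; a lookup that takes on the order of the observed delay, together with an effective value of "yes", confirms the diagnosis. On OpenSSH 5.1 and later, `sshd -T` prints the complete effective configuration and is the simpler check, but it does not exist on the 4.3 release in the question, which is why the script parses the file itself. Setting UseDNS to no removes the stall; fixing the PTR record for server B (or the remote host's resolver) removes the cause.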