Bug#332479: marked as done (ssh-krb5: 15-second delay connecting to non-kerberos host)



Your message dated Thu, 28 Dec 2006 12:04:24 -0800
with message-id <87wt4byegn.fsf@windlord.stanford.edu>
and subject line Delay inherent in GSSAPI credential lookup
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh-krb5
Version: 3.8.1p1-8
Severity: normal

I connect to one machine using kerberos and another ('non-krb-host')
using public-key authentication.

If the kerberos tickets have been destroyed (kdestroy -45), then 'ssh
non-krb-host true' takes about 1.5 seconds.  If I get new kerberos
tickets ('kinit -45'), then 'ssh non-krb-host true' takes about 15
seconds.  Below are ssh -v logs with timing information (seconds of
wall-clock time relative to when the output started):

Here's the ~/.ssh/config:

Host krb-host
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Host *
  ForwardX11 yes
  TCPKeepAlive no


With no kerberos tickets (i.e. after kdestroy -45):

  0.00 OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-8, OpenSSL 0.9.7e 25 Oct 2004
  0.01 debug1: Reading configuration data /home/sanjoy/.ssh/config
  0.02 debug1: Applying options for *
  0.03 debug1: Reading configuration data /etc/ssh/ssh_config
  0.06 debug1: Connecting to non-krb-host port 22.
  0.15 debug1: Connection established.
  0.15 debug1: identity file /home/sanjoy/.ssh/identity type -1
  0.15 debug1: identity file /home/sanjoy/.ssh/id_rsa type 1
  0.15 debug1: identity file /home/sanjoy/.ssh/id_dsa type 2
  0.25 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
  0.25 debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
  0.25 debug1: Enabling compatibility mode for protocol 2.0
  0.25 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-8
  0.27 debug1: Miscellaneous failure
  0.27 No credentials cache found
  0.27 
  0.29 debug1: Miscellaneous failure
  0.29 No credentials cache found
  0.29 
  0.29 debug1: SSH2_MSG_KEXINIT sent
  0.35 debug1: SSH2_MSG_KEXINIT received
  0.35 debug1: kex: server->client aes128-cbc hmac-md5 none
  0.35 debug1: kex: client->server aes128-cbc hmac-md5 none
  0.35 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  0.35 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  0.58 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  0.58 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  0.69 debug1: Host non-krb-host is known and matches the RSA host key.
  0.69 debug1: Found key in /home/sanjoy/.ssh/known_hosts:32
  0.69 debug1: ssh_rsa_verify: signature correct
  0.69 debug1: SSH2_MSG_NEWKEYS sent
  0.69 debug1: expecting SSH2_MSG_NEWKEYS
  0.69 debug1: SSH2_MSG_NEWKEYS received
  0.69 debug1: SSH2_MSG_SERVICE_REQUEST sent
  0.93 debug1: SSH2_MSG_SERVICE_ACCEPT received
  1.04 debug1: Authentications that can continue: publickey,password,keyboard-interactive
  1.04 debug1: Next authentication method: publickey
  1.04 debug1: Trying private key: /home/sanjoy/.ssh/identity
  1.04 debug1: Offering public key: /home/sanjoy/.ssh/id_rsa
  1.13 debug1: Authentications that can continue: publickey,password,keyboard-interactive
  1.13 debug1: Offering public key: /home/sanjoy/.ssh/id_dsa
  1.24 debug1: Server accepts key: pkalg ssh-dss blen 433
  1.24 debug1: read PEM private key done: type DSA
  1.34 debug1: Authentication succeeded (publickey).
  1.34 debug1: channel 0: new [client-session]
  1.34 debug1: Entering interactive session.
  1.47 debug1: Requesting X11 forwarding with authentication spoofing.
  1.47 debug1: Sending command: true
  1.62 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
  1.62 debug1: channel 0: free: client-session, nchannels 1
  1.62 debug1: fd 1 clearing O_NONBLOCK
  1.62 debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
  1.62 debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
  1.62 debug1: Exit status 0

With kerberos tickets (similar delay if they are expired, although the
message changes from 'Server not found' to 'ticket expired') -- note
the delay, twice, of about 7 seconds:

   0.00 OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-8, OpenSSL 0.9.7e 25 Oct 2004
   0.01 debug1: Reading configuration data /home/sanjoy/.ssh/config
   0.02 debug1: Applying options for *
   0.04 debug1: Reading configuration data /etc/ssh/ssh_config
   0.05 debug1: Connecting to non-krb-host port 22.
   0.11 debug1: Connection established.
   0.12 debug1: identity file /home/sanjoy/.ssh/identity type -1
   0.12 debug1: identity file /home/sanjoy/.ssh/id_rsa type 1
   0.12 debug1: identity file /home/sanjoy/.ssh/id_dsa type 2
   0.20 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
   0.21 debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
   0.21 debug1: Enabling compatibility mode for protocol 2.0
   0.21 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1  Debian-krb5 3.8.1p1-8
   7.64 debug1: Miscellaneous failure
   7.67 Server not found in Kerberos database
   7.68 
  15.59 debug1: Miscellaneous failure
  15.60 Server not found in Kerberos database
  15.60 
  15.60 debug1: SSH2_MSG_KEXINIT sent
  15.60 debug1: SSH2_MSG_KEXINIT received
  15.60 debug1: kex: server->client aes128-cbc hmac-md5 none
  15.60 debug1: kex: client->server aes128-cbc hmac-md5 none
  15.60 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  15.60 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  15.83 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  15.83 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  15.94 debug1: Host non-krb-host is known and matches the RSA host key.
  15.94 debug1: Found key in /home/sanjoy/.ssh/known_hosts:32
  15.95 debug1: ssh_rsa_verify: signature correct
  15.95 debug1: SSH2_MSG_NEWKEYS sent
  15.95 debug1: expecting SSH2_MSG_NEWKEYS
  15.95 debug1: SSH2_MSG_NEWKEYS received
  15.95 debug1: SSH2_MSG_SERVICE_REQUEST sent
  16.17 debug1: SSH2_MSG_SERVICE_ACCEPT received
  16.28 debug1: Authentications that can continue: publickey,password,keyboard-interactive
  16.28 debug1: Next authentication method: publickey
  16.28 debug1: Trying private key: /home/sanjoy/.ssh/identity
  16.28 debug1: Offering public key: /home/sanjoy/.ssh/id_rsa
  16.38 debug1: Authentications that can continue: publickey,password,keyboard-interactive
  16.38 debug1: Offering public key: /home/sanjoy/.ssh/id_dsa
  16.47 debug1: Server accepts key: pkalg ssh-dss blen 433
  16.47 debug1: read PEM private key done: type DSA
  16.58 debug1: Authentication succeeded (publickey).
  16.58 debug1: channel 0: new [client-session]
  16.58 debug1: Entering interactive session.
  16.70 debug1: Requesting X11 forwarding with authentication spoofing.
  16.70 debug1: Sending command: true
  16.85 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
  16.85 debug1: channel 0: free: client-session, nchannels 1
  16.85 debug1: fd 1 clearing O_NONBLOCK
  16.85 debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
  16.85 debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
  16.85 debug1: Exit status 0



-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13-local01
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages ssh-krb5 depends on:
ii  adduser                     3.66         Add and remove users and groups
ii  debconf                     1.4.52       Debian configuration management sy
ii  libc6                       2.3.5-3      GNU C Library: Shared libraries an
ii  libcomerr2                  1.37-2sarge1 common error description library
ii  libkrb53                    1.3.6-5      MIT Kerberos runtime libraries
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.3-3    compression library - runtime

ssh-krb5 recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
* ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
* ssh/privsep_tell:
  ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true


--- End Message ---
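The report above stamps each `ssh -v` line with elapsed wall-clock time by hand. The following POSIX shell functions are an added example (not part of the bug report, of ssh-krb5 or of OpenSSH) that do the same stamping automatically and then pick out the large jumps, so the two stalls before SSH2_MSG_KEXINIT show up as two lines instead of having to be read out of a 50-line log. `stamp` assumes GNU `date` for sub-second resolution; `SAMPLE` is a constructed excerpt in the shape of the report's second log, not a capture of a live session.

```shell
#!/bin/sh
# Added example: find where the wall-clock time goes in `ssh -v` output.
# Not part of the bug report, of ssh-krb5 or of OpenSSH.
#
# Live use (the two delays in the report show up as two lines):
#   ssh -v non-krb-host true 2>&1 | stamp | gaps_over 1

# stamp: prefix every line of stdin with the seconds elapsed since the
# first line, in the layout of the report's logs.  Assumes GNU date (%N).
stamp() {
    awk '{
        cmd = "date +%s.%N"; cmd | getline now; close(cmd)
        if (start == "") start = now
        printf "%7.2f %s\n", now - start, $0
        fflush()
    }'
}

# gaps_over MIN: read stamped lines and print every jump of at least MIN
# seconds (default 1) together with the line that ended the wait.
gaps_over() {
    awk -v min="${1:-1}" '
        NR > 1 {
            d = $1 - prev
            if (d >= min) {
                l = $0; sub(/^[ \t]*/, "", l)
                printf "%.2f s before: %s\n", d, l
            }
        }
        { prev = $1 }'
}

# largest_gap: only the single biggest jump.
largest_gap() {
    awk '
        NR > 1 { d = $1 - prev; if (d > max) { max = d; where = $0 } }
        { prev = $1 }
        END {
            if (NR > 1) {
                sub(/^[ \t]*/, "", where)
                printf "%.2f s before: %s\n", max, where
            }
        }'
}

# Constructed sample in the shape of the report's second log (ticket cache
# present); not a capture of a live session.
SAMPLE='   0.21 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
   7.64 debug1: Miscellaneous failure
   7.67 Server not found in Kerberos database
   7.68
  15.59 debug1: Miscellaneous failure
  15.60 Server not found in Kerberos database
  15.60 debug1: SSH2_MSG_KEXINIT sent
  15.83 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent'

# Both stalls are GSSAPI credential lookups that end in "Miscellaneous
# failure", and both sit before SSH2_MSG_KEXINIT, i.e. before any
# authentication method has been tried.
sample_gaps()    { printf '%s\n' "$SAMPLE" | gaps_over 1; }
sample_largest() { printf '%s\n' "$SAMPLE" | largest_gap; }

sample_gaps
```

On the sample this prints the two 7-second jumps, each ending at a "Miscellaneous failure" line; on a live session pipe `ssh -v host true 2>&1` through `stamp` first.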
--- Begin Message ---
As explained in the bug report, the delay that you're seeing when you have
a ticket cache is due to the Kerberos libraries attempting to acquire host
credentials for the remote system.  To avoid this delay, you can turn
GSSAPIAuthentication off or investigate what's causing Kerberos to take so
long.  Usually these sorts of delays are due to slow DNS servers, since
the Kerberos library does quite a few DNS lookups.  In particular, check
your /etc/resolv.conf.  If you have multiple servers listed and the first
one is down, you'll see a long delay for every DNS lookup as the lookup
fails over to the next server.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

--- End Message ---
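The reply offers two remedies: scope GSSAPIAuthentication to the hosts that need it, and check the resolver list. The POSIX shell below is an added example (not from the bug report, the ssh-krb5 package or OpenSSH) that shows both. It carries a scoped ~/.ssh/config in the reporter's shape with GSSAPI turned off for every other host, a small first-match lookup that demonstrates why the krb-host block has to come before `Host *`, and a probe that times one lookup against each nameserver listed in /etc/resolv.conf. The first-match rule is assumed from ssh_config(5); the report's own debug output shows the user file being read before /etc/ssh/ssh_config, so a `Host *` line in ~/.ssh/config takes precedence over the system-wide default. Host names, addresses and the resolv.conf text are constructed; the probe needs `dig` and is not exercised by the built-in sample.

```shell
#!/bin/sh
# Added example: the two checks behind the reply above.  Not part of the
# bug report, of the ssh-krb5 package, or of OpenSSH.
#
# Assumed ssh_config(5) rule: for each option the FIRST value obtained wins,
# and ~/.ssh/config is read before /etc/ssh/ssh_config (the report's debug
# output shows that order).  Hence the specific block must precede "Host *".

# Scoped configuration in the shape of the reporter's ~/.ssh/config, with
# GSSAPI off for everything except the Kerberos host.  Hypothetical names.
SCOPED_CONFIG='Host krb-host
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Host *
  GSSAPIAuthentication no
  ForwardX11 yes
  TCPKeepAlive no'

# The same lines in the wrong order: "Host *" first silently disables
# GSSAPI for krb-host as well.
REVERSED_CONFIG='Host *
  GSSAPIAuthentication no
  ForwardX11 yes
  TCPKeepAlive no

Host krb-host
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes'

# effective_option CONFIG_TEXT HOST OPTION: first-match lookup of OPTION for
# HOST.  Understands "Host" blocks with glob patterns (via case), comments
# and blank lines.  A toy for illustrating the rule: keywords are matched
# case-sensitively, "!" negation and "Key=value" syntax are not handled.
effective_option() {
    config=$1 host=$2 want=$3
    active=1                      # options before any Host line apply to all
    while IFS= read -r line; do
        line=${line%%#*}          # drop comments
        set -f; set -- $line; set +f   # split words without pathname expansion
        [ $# -ge 2 ] || continue
        key=$1; shift
        if [ "$key" = Host ]; then
            active=0
            for pat in "$@"; do
                case $host in $pat) active=1 ;; esac
            done
        elif [ "$active" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$*"
            return 0
        fi
    done <<EOF
$config
EOF
    return 1
}

# nameservers RESOLV_TEXT: the servers the resolver will try, in order.
nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# probe_resolvers NAME [PATH]: time one lookup against each listed server
# (needs dig from the bind9 utilities).  A dead first server shows up as a
# multi-second failure, a cost every Kerberos DNS lookup then pays.
probe_resolvers() {
    name=$1
    nameservers "$(cat "${2:-/etc/resolv.conf}")" | while read -r ns; do
        t0=$(date +%s)
        if dig +time=2 +tries=1 "@$ns" "$name" >/dev/null 2>&1; then
            echo "$ns: answered in $(( $(date +%s) - t0 )) s"
        else
            echo "$ns: no answer after $(( $(date +%s) - t0 )) s; move it down or remove it"
        fi
    done
}

# Constructed resolv.conf text for the example, not the reporter's file.
SAMPLE_RESOLV='# hypothetical
search example.org
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:2'

echo "scoped, non-krb-host: $(effective_option "$SCOPED_CONFIG" non-krb-host GSSAPIAuthentication)"
echo "scoped, krb-host:     $(effective_option "$SCOPED_CONFIG" krb-host GSSAPIAuthentication)"
echo "reversed, krb-host:   $(effective_option "$REVERSED_CONFIG" krb-host GSSAPIAuthentication)"
nameservers "$SAMPLE_RESOLV"
```

Against a real setup, `effective_option "$(cat ~/.ssh/config)" somehost GSSAPIAuthentication` shows what a given host will get, and `probe_resolvers non-krb-host` run against the live /etc/resolv.conf shows whether the first listed server is the one eating the seconds.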
