SSH-Login bleibt hängen.

[pazifi]

Hi ihrs!

Wenn ich mich per SSH einloggen möchte auf den Server zB. mit "ssh domain.tld" oder "ssh ip-adresse" geht das sehr langsam.

Ich habe hier die Ausgabe von "ssh -v domain.tld":

Code: Alles auswählen

OpenSSH_5.1p1 Debian-6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to domain.tld [ip-adresse] port 22.
debug1: Connection established.
debug1: identity file /home/[mein username ;) ]//.ssh/identity type -1
debug1: identity file /home/[mein username ;) ]//.ssh/id_rsa type -1
debug1: identity file /home/[mein username ;) ]//.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'domain.tld' is known and matches the RSA host key.
debug1: Found key in /home/[mein username ;) ]//.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

<<<<<<<<<<<< genau hier gehts etwa 15-20 Sekunden bis es weitergeht! Egal ob mit IP oder Domain.

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/[mein username ;) ]/.ssh/identity
debug1: Trying private key: /home/[mein username ;) ]/.ssh/id_rsa
debug1: Trying private key: /home/[mein username ;) ]//.ssh/id_dsa
debug1: Next authentication method: password

Was könnte an der Stelle betroffen sein?
Es ist ja ansich nach der Auflösung der Domain, aber vor der effektiven Authentifikation mit Plublickey oder Passwort, so wie ich das sehe.

Grüsse und eine gute Nacht!

pazifi

[nepos]

Könnte z.B. des Reverse-DNS-Lookup sein, den SSH macht.

[pazifi]

Nein am Reverse-DNS liegt es nicht. Das habe ich geprüft.

[Danielx]

Da wäre mal die sshd-Log des Servers im debug-Modus interessant.

Gruß,
Daniel

[pazifi]

Das Interessante ist, dass es die Verzögerung nur gibt, wenn ich von extern einlogge, nicht wenn ich lokal den Benutzer wechsle...

Code: Alles auswählen

# /usr/sbin/sshd -d -d -d
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 637
debug2: parse_server_config: config /etc/ssh/sshd_config len 637
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:21 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:22 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:25 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:26 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:27 setting StrictModes yes
debug3: /etc/ssh/sshd_config:29 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:30 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:34 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:36 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:38 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:43 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:47 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:62 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:63 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:64 setting PrintMotd no
debug3: /etc/ssh/sshd_config:65 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:66 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:73 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:75 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:77 setting UsePAM yes
debug1: sshd version OpenSSH_5.1p1 Debian-5
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
socket: Address family not supported by protocol
Cannot bind any address.

[uname]

Code: Alles auswählen

# /usr/sbin/sshd -d -d -d

Code: Alles auswählen

debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
socket: Address family not supported by protocol
Cannot bind any address.

Tja, vielleicht solltest du vorher SSHD stoppen. Zwei Instanzen können auf dem selben Port nicht laufen. Somit erst:

Code: Alles auswählen

/etc/init.d/ssh stop

[pazifi]

Hmm ja sorry

Ist das nicht ein Risiko?
Hab keinen direkten (physischen) Zugriff auf den Server und mit dem Stoppen voin SSH schneide ich mir ja die Nabelschnur ab?

[uname]

Dann solltest Du SSH auf einen anderen Port starten.

Code: Alles auswählen

sshd -f config_file

/etc/ssh/sshd_config kopieren und dort (in der Kopie) den Port 22 durch was anderes ersetzen.

[pazifi]

Hier das Debug (SSH auf port 8022):

Code: Alles auswählen

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 637
debug2: parse_server_config: config /etc/ssh/sshd_config len 637
debug1: sshd version OpenSSH_5.1p1 Debian-5
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-p8022'
debug1: rexec_argv[3]='-d'
debug1: rexec_argv[4]='-d'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 8022 on 0.0.0.0.
Server listening on 0.0.0.0 port 8022.
socket: Address family not supported by protocol
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 188.60.225.196 port 54695
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-7
debug1: match: OpenSSH_5.1p1 Debian-7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: permanently_set_uid: 102/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug2: Network child is on pid 31566
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug2: monitor_read: 0 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 141/256
debug2: bits set: 540/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 476/1024
debug2: monitor_read: 5 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user pazifi service ssh-connection method none
debug1: attempt 0 failures 0

<<<Hier folge eine Pause>>>

debug2: parse_server_config: config reprocess config len 637
debug2: monitor_read: 7 used once, disabling now
debug2: input_userauth_request: setting up authctxt for pazifi
debug1: PAM: initializing for "pazifi"
debug2: input_userauth_request: try method none
debug1: PAM: setting PAM_RHOST to "196-225.60-188.cust.bluewin.ch"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 48 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
Failed none for pazifi from 188.60.225.196 port 54695 ssh2
debug1: userauth-request for user pazifi service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug1: PAM: password authentication accepted for pazifi
debug1: do_pam_account: called
Accepted password for pazifi from 188.60.225.196 port 54695 ssh2
debug1: monitor_child_preauth: pazifi has been authenticated by privileged process
debug2: mac_setup: found hmac-md5
debug2: mac_setup: found hmac-md5
debug1: PAM: establishing credentials
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1000/1000
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug2: fd 6 setting O_NONBLOCK
debug2: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
User child is on pid 31609
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug2: session_new: allocate (allocated 0 max 10)
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/7
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug2: Setting env 0: LANG=de_CH.UTF-8
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: rfd 10 isatty
debug2: fd 10 setting O_NONBLOCK

[pazifi]

Habs gelöst.

Es war zu naheliegend.

Hab in die Datei "/etc/resolv.conf" meinen Nameserver eingetragen.

Grüsse pazifi