Home / server / Questions / 100887
Accepted
Kevin M
Asked: 2010-01-09 08:25:29 +0800 CST

ssh works fine when using public interface, but slow when using private interface

  • 772

My Linux(UbuntuEEE) to Linux(CentOS) ssh takes a long time to log in(~15 seconds) when using the private interface, but not when using the public one.

I have a Linux box acting as my router. As such, it has multiple interfaces(75.xxx.xxx.xxx, 192.168.1.1). I can ssh in from the internal interface(192.168.1.65 to .1), but it will take a while. I can ssh into the public address, and it goes quickly(~1 second).

I have another box that I can ssh into the inside interface from and it goes quickly.

iptables is set to accept packets coming into the interface immediately. sshd's UseDNS is normally on; I get the same problem if I turn it off and restart sshd. I normally use public-key authentication; I have done a mv ~/.ssh/ ~/ssh/ and it will ask me for a password after going slowly.

After logging in(using either interface), speed is quick.

ssh client version(via ssh -v):OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
ssh server version(via rpm -qv openssh_server):openssh-server-4.3p2-29.el5

linux ssh

6 Answers

  1. UseDNS no

    Set that in your /etc/ssh/sshd_config and restart the daemon, that should do the trick.

    • 4

  2. This kind of problem is always caused by DNS. When you log into the 192.168.1.1 interface, sshd attempts to do a lookup of whatever IP address you're coming from and it can't.

    1. Verify my claim by starting a ssh session to your router.
    2. Start tcpdump on your external interface, filtering so you see all packets to/from port 53.
    3. Ssh into your router on the internal interface. tcpdump will show DNS queries leaving your router, asking for the hostname of whatever 192.168.1/24 source address.

    Run this experiment again when you think UseDNS has been set to 'no'.

    My guess is you sent SIGHUP to the wrong sshd after you changed UseDNS to no.

    • 4

  3. In /etc/ssh/sshd_config turn of reverse mapping, its trying to do an rDNS lookup on your internal ip address.

    "VerifyReverseMapping no"

    • 1

  4. Use strace -p on the client and server to determine what the ssh/sshd process is waiting on.

    Not sure what it could be - delays are usually caused by the DNS reverse lookup but you said you already turned that off.

    • 0

  5. strace is an option as Dave mentioned, but I would try enabling verbosity on the client when logging in. You can do this by providing the -v switch (up to 3 times for maximum verbosity), for example:

    ssh -vv [email protected]
    • 0
  6. Best Answer

    On Alex's recommendation, I ran a packet sniffer and found that the client was doing DNS lookups. As a short-term solution to test, I added 192.168.1.1 servername to the client's /etc/hosts file and things went quickly.

    • 0