Subject: Re: SSH on NetBSD 1.5.2, authentication slow?
To: Gerald C. Simmons <simmons@darykon.cet.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 03/13/2003 13:58:27
After some testing -not in debug mode yet- I think I was able to isolate the issue.
Let me describe. I set up ssh'ing between my Apple Powerbook and my NetBSD box - 1.5.2.
Near as I can tell when you ssh from NetBSD-1.5.2, ssh uses protocol version 1 by default;
i.e. RSA1. The Powerbook, on the other hand, uses protocol 2 by default (RSA/DSA).
There is probably a way to configure ssh's behavior with ssh.conf/ssh_conf to make it
default to either -1 or -2, but I'm not there yet.
Anyway, here's what I found:
ssh -1 <from Powerbook to NetBSD> takes 0.02u 0.010s 0:01.08
ssh -2 <from Powerbook to NetBSD> takes 0.14u 0.020s 0:11.77
ssh -1 <from NetBSD to Powerbook> takes 0.2u 0.0s 0:01.08
ssh -2 <from NetBSD to Powerbook> takes 74.2u 0.8s 1:16.64 !!!!!!!!
I'm assuming, from these numbers, that the DSA authentication takes place on the 233MHz PII
when it connects to the Powerbook - 1:16.64. Conversely, when connecting from my 800MHz
Powerbook, it's performing the DSA authentication, and takes 11 seconds (which is what
started this thread.)
Q: Does using protocol version 2 for authentication REALLY take this long? Whew!
Q: RSA1/"ssh -1" uses key file identity.pub. "ssh -2" seems to only want id_dsa.pub. Is that
because "ssh -2" defaults to DSA, and if id_dsa isn't around it'll try id_rsa??
Please try this on your systems and see if you get results that closely approximate mine.
Thanks!!
Gerry Simmons
simmons@darykon.cet.com
On Thursday, March 13th, Steven M. Bellovin wrote:
>
> In message <200303131644.h2DGiiU15628@dakkon.darykon.cet.com>, "Gerald C. Simmons" writes:
> >Just a reality check.
> >
> >I'm using the Public/Private DSA key authentication for SSH on a 233MHz Pentium
> >box (128MB RAM) running NetBSD 1.5.2. When I execute ssh <machine>, or slogin
> ><machine>,
> >it takes about 10 seconds for my NetBSD box to respond.
> >
> >I'm just assuming it's taking this long to process the 128-bit encryption.
> >However, I'm running Suse Linux on a 433MHz PII box, and it responds almost
> >instantly.
> >
> >Is there a problem here?
>
> Try running the server and client in debug mode, and see if that gives
> any clues about where they're spending their time. But that doesn't
> sound right. Doing an ssh (with RSA keys, not DSA) from a 233 Mhz PII
> to the same box -- in other words, incurring the CPU hit for both the
> client and the server on the same relatively-slow machine -- is much
> faster than that for me:
>
> $ time ssh hudson date
> Thu Mar 13 12:06:09 EST 2003
> 1.52s real 0.42s user 0.05s system
>
>
> --Steve Bellovin, http://www.research.att.com/~smb (me)
> http://www.wilyhacker.com (2nd edition of "Firewalls" book)