Package: openssh-server Version: 1:6.0p1-4+deb7u2 Severity: normal Dear Maintainer,
Here is timing (in seconds per line of debug output) log for login to my SSHD server at host which I denote XXX.org. Keys are replaced with YYY. It is way too slow. $ ssh -v r...@xxx.org 'echo -n' 2>&1| perl -MTime::HiRes=time -p -e '$oldtime//=time; print time-$oldtime, " "' 4.05311584472656e-06 OpenSSH_6.9p1 Debian-2, OpenSSL 1.0.2d 9 Jul 2015 3.31401824951172e-05 debug1: Reading configuration data /etc/ssh/ssh_config 4.1961669921875e-05 debug1: /etc/ssh/ssh_config line 19: Applying options for * 0.0155961513519287 debug1: Connecting to XXX.org [104.236.49.103] port 22. 0.17785906791687 debug1: Connection established. 0.178133964538574 debug1: identity file /home/porton/.ssh/id_rsa type 1 0.178153991699219 debug1: key_load_public: No such file or directory 0.178158044815063 debug1: identity file /home/porton/.ssh/id_rsa-cert type -1 0.17829704284668 debug1: identity file /home/porton/.ssh/id_dsa type 2 0.178317070007324 debug1: key_load_public: No such file or directory 0.178322076797485 debug1: identity file /home/porton/.ssh/id_dsa-cert type -1 0.178330183029175 debug1: key_load_public: No such file or directory 0.178335189819336 debug1: identity file /home/porton/.ssh/id_ecdsa type -1 0.178340196609497 debug1: key_load_public: No such file or directory 0.178344011306763 debug1: identity file /home/porton/.ssh/id_ecdsa-cert type -1 0.178415060043335 debug1: key_load_public: No such file or directory 0.178436040878296 debug1: identity file /home/porton/.ssh/id_ed25519 type -1 0.178440093994141 debug1: key_load_public: No such file or directory 0.178444147109985 debug1: identity file /home/porton/.ssh/id_ed25519-cert type -1 0.178505182266235 debug1: Enabling compatibility mode for protocol 2.0 0.178516149520874 debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Debian-2 0.346481084823608 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5 0.34649395942688 debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH* compat 0x04000000 0.346500158309937 debug1: Authenticating to XXX.org:22 as 'root' 0.348556041717529 debug1: SSH2_MSG_KEXINIT sent 0.507776021957397 debug1: SSH2_MSG_KEXINIT received 0.507788181304932 debug1: kex: server->client chacha20-poly1...@openssh.com <implicit> none 0.507797002792358 debug1: kex: client->server chacha20-poly1...@openssh.com <implicit> none 0.51166296005249 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY 0.695590019226074 debug1: Server host key: YYY 0.699064970016479 debug1: Host 'XXX.org' is known and matches the ECDSA host key. 0.69907808303833 debug1: Found key in /home/porton/.ssh/known_hosts:30 0.705465078353882 debug1: SSH2_MSG_NEWKEYS sent 0.705478191375732 debug1: expecting SSH2_MSG_NEWKEYS 0.705487966537476 debug1: SSH2_MSG_NEWKEYS received 0.705492973327637 debug1: Roaming not allowed by server 0.705497026443481 debug1: SSH2_MSG_SERVICE_REQUEST sent 1.06489396095276 debug1: SSH2_MSG_SERVICE_ACCEPT received 1.23194813728333 debug1: Authentications that can continue: publickey,password 1.23197102546692 debug1: Next authentication method: publickey 1.23197507858276 debug1: Offering RSA public key: /home/porton/.ssh/id_rsa 1.39787101745605 debug1: Server accepts key: pkalg ssh-rsa blen 279 1.58550310134888 debug1: Authentication succeeded (publickey). 1.58552598953247 Authenticated to XXX.org ([104.236.49.103]:22). 1.58553504943848 debug1: channel 0: new [client-session] 1.58554410934448 debug1: Requesting no-more-sessi...@openssh.com 1.58556413650513 debug1: Entering interactive session. 1.74791097640991 debug1: Sending environment. 1.74793004989624 debug1: Sending env LC_PAPER = en_US.UTF-8 1.74793696403503 debug1: Sending env LC_MONETARY = en_US.UTF-8 1.74794602394104 debug1: Sending env LC_NUMERIC = en_US.UTF-8 1.74797606468201 debug1: Sending env LANG = en_US.utf8 1.74798607826233 debug1: Sending env LC_MEASUREMENT = en_US.UTF-8 1.74801111221313 debug1: Sending env LC_TIME = en_US.UTF-8 1.74802112579346 debug1: Sending command: echo -n 1.9185950756073 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 1.91861510276794 debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0 1.91863608360291 debug1: channel 0: free: client-session, nchannels 1 1.91869902610779 debug1: fd 1 clearing O_NONBLOCK 1.91870999336243 Transferred: sent 3564, received 1788 bytes, in 0.3 seconds 1.91871905326843 Bytes per second: sent 10698.4, received 5367.2 1.91872715950012 debug1: Exit status 0 Note that this seems NOT to be a DNS issue as I have "UseDNS no" in /etc/ssh/sshd_config /etc/ssh/sshd_config follows: # Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes UseDNS no