  #1  
Old 11-17-2011, 01:22 AM
NJ101 NJ101 is offline
Registered User
 
Join Date: Nov 2007
Posts: 4
Slow to get login prompt

Hi,

SecureCRT is slow to return a login prompt whereas PuTTY is almost instant. I have a trace of the session setup and there's a pause of a few seconds after the line in red bold below:

[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-Cisco-1.25'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
[LOCAL] : Selected Send Cipher = 3des-cbc
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
[LOCAL] : Selected Recv Cipher = 3des-cbc
[LOCAL] : Available Remote Send Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-md5
[LOCAL] : Available Remote Recv Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-md5
[LOCAL] : Available Remote Compressors = none
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV: Remote Hostkey: e0:71:3f:de:55:6e:8f:55:86:06:31:5d:7d:26:ce:8d
.
.Pauses here for a few seconds then continues
.
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [password]
Password:

I'm using Version 6.7.2 (build 229) but I had the same behavior on previous versions too. Any ideas why this is?

Thanks
Nigel
  #2  
Old 11-17-2011, 07:57 AM
gregg gregg is offline
Registered User
 
Join Date: Oct 2010
Posts: 75
I've seen slow login prompts as well, but thought it was just me. Doesn't matter if the server is on the local network or on the internet.

scrt 6.7.1
win xp 32bit
authentication has Password at the top
mostly connecting to debian type servers.

hm, after running raw log with trace, my pause is during Kerberos:

Code:
SecureCRT - Version 6.7.1 (build 188)
[LOCAL] : SSH2Core version 6.7.0.188
[LOCAL] : Connecting to rooster:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_5.1p1 Debian-5'
[LOCAL] : CAP  : Remote can re-key
[LOCAL] : CAP  : Remote sends language in password change requests
[LOCAL] : CAP  : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP  : Remote sends algorithm name in public key packets
[LOCAL] : CAP  : Remote sends algorithm name in signatures
[LOCAL] : CAP  : Remote sends error text in open failure packets
[LOCAL] : CAP  : Remote sends name in service accept packets
[LOCAL] : CAP  : Remote includes port number in x11 open packets
[LOCAL] : CAP  : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP  : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP  : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP  : Remote correctly encodes OID for gssapi
[LOCAL] : CAP  : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP  : Remote can do SFTP version 4
[LOCAL] : CAP  : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@rooster

--- pause here ---

[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos] No authority could be contacted for authentication.
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS  : Requesting full delegation
[LOCAL] : GSS  : [Kerberos] SPN : host@rooster
[LOCAL] : GSS  : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS  : [Kerberos] Could not load library 'gssapi32.dll': The specified module could not be found.
[LOCAL] : GSS  : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS  : [Kerberos] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@rooster
[LOCAL] : SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos (Group Exchange)] No authority could be contacted for authentication.
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS  : Requesting full delegation
[LOCAL] : GSS  : [Kerberos (Group Exchange)] SPN : host@rooster
[LOCAL] : GSS  : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : GSS  : [Kerberos (Group Exchange)] Could not load library 'gssapi32.dll': The specified module could not be found.
[LOCAL] : GSS  : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS  : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : RECV : KEXDH_GEX_GROUP
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV: Remote Hostkey: 25:f4:00:63:1c:14:f2:de:0b:8e:da:d0:8b:7c:c5:0a
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,password]

--- prompt for password here ---
pushing Kerberos and Kerberos (Group Exchange) to the bottom of the SSH2/Key Exchange config window makes the login snappy.

is there a global way to disable Kerberos since it's not something I'll ever use?

Thanks!

Last edited by gregg; 11-17-2011 at 08:00 AM.
  #3  
Old 11-17-2011, 09:33 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hello Nigel,

The entry you point to in the Trace Options output where the delay occurs is typically where you would be presented with the dialog regarding the host key the first time you connected.

In SecureCRT, what did you choose from the available options: Accept Once or Accept & Save?

If you did choose to save the host key, what is the Host key database location in the SSH Host Keys category of Global Options (i.e., is it stored locally or on a network share)?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #4  
Old 11-17-2011, 09:58 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi gregg,

Yes, the GSSAPI Authentication method and the Kerberos Key Exchange methods can be disabled completely via the checkboxes (Connection / SSH2 category of Session Options) if you have no need for these authentication or key exchange methods. Having them enabled can cause slowdowns during connection while the client tries to determine if a valid GSSAPI/Kerberos implementation exists.

The link on our website here explains how you can use the Default Session (Global Options / General / Default Session) to edit all your sessions and/or the default session (the basis for new sessions).

This tip describes how to make a change to a subset of sessions.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
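A small parser for the kind of trace output posted in #2, added here as an example and not part of the original thread or of VanDyke's code: it groups the SSPI/GSS probe lines by mechanism and reports whether every Kerberos probe was disabled before a non-GSS key exchange was selected, which is the situation where disabling those methods as described in #4 loses nothing. The sample lines are abridged from the trace in post #2; the function names are hypothetical.

```python
import re

# Sample input: lines abridged from the trace posted in #2 of this thread.
SAMPLE_TRACE = """\
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@rooster
[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos] No authority could be contacted for authentication.
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS  : [Kerberos] SPN : host@rooster
[LOCAL] : GSS  : [Kerberos] Could not load library 'gssapi32.dll': The specified module could not be found.
[LOCAL] : GSS  : [Kerberos] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
"""

PROBE = re.compile(r"^\[LOCAL\] : (?P<prov>SSPI|GSS)\s*: \[(?P<mech>[^\]]+)\] (?P<msg>.*)$")
FILTERED = re.compile(r"filtered from the key exchange method list.*: (\S+)$")
SELECTED = re.compile(r"Selected Kex Method = (\S+)")

def analyze_trace(text):
    """Return (probes, filtered_kex, selected_kex) parsed from trace text."""
    probes, filtered, selected = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = PROBE.match(line)
        if m:
            entry = probes.setdefault((m["prov"], m["mech"]),
                                      {"spn": None, "errors": [], "disabled": False})
            msg = m["msg"]
            if msg.startswith("SPN : "):
                entry["spn"] = msg[len("SPN : "):]
            elif msg == "Disabling gss mechanism":
                entry["disabled"] = True
            else:
                entry["errors"].append(msg)   # e.g. the failure reason lines
        elif FILTERED.search(line):
            filtered.append(FILTERED.search(line).group(1))
        elif SELECTED.search(line):
            selected = SELECTED.search(line).group(1)
    return probes, filtered, selected

def gss_probing_wasted(text):
    """True if every GSS/Kerberos probe was disabled and a non-GSS kex was used."""
    probes, _, selected = analyze_trace(text)
    return (bool(probes) and all(p["disabled"] for p in probes.values())
            and selected is not None and not selected.startswith("gss-"))
```
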
  #5  
Old 11-18-2011, 03:13 AM
NJ101 NJ101 is offline
Registered User
 
Join Date: Nov 2007
Posts: 4
Hi Brenda,

You've solved it! SSH keys were stored on a network drive; I've moved them to my local drive and updated the global options setting, and connections are now as good as instant.

Many thanks
Nigel
  #6  
Old 11-18-2011, 08:32 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi Nigel,

Great, I am glad to hear the issue is resolved. Thanks for posting the update.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730