Red Hat Bugzilla – Bug 21697
Time delay to connect increases with /etc/ssh/primes file
Last modified: 2008-05-01 11:37:59 EDT
With the openssh-2.3.0p1-1 rpm (from openssh.com) the internal network connect time averages out to 4-5 seconds (time trial).
With the openssh-2.3.0p1-4 rpm (RH update) the time increases to 15-32 seconds (also timed). The difference is the primes file. Originally I suspected pam, but using the previous version of sshd (pam) gave no benefit; it was still sluggish until the primes file was removed.
Most of the machines involved are 486s, but two are Pentium 133s with 64/24 MB of memory.
This is really an unacceptable time delay, as the insecure telnet is faster than the secure openssh.
There is additional computation done (negotiation of a DH group) when
/etc/ssh/primes is present. The negotiation increases security, but does take time.
To prevent such negotiation, you can just empty /etc/ssh/primes:
mv /etc/ssh/primes /etc/ssh/primes_
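To make the cost described above concrete, here is an added example (not code from the bug report, OpenSSH, or the Red Hat package). It assumes that /etc/ssh/primes uses the same one-group-per-line layout later documented for OpenSSH's moduli file (time, type, tests, tries, size, generator, hex modulus) and that the server picks the smallest safe-prime group that meets the requested bit size; both are assumptions, and the sample file, with tiny safe primes instead of 1024-bit ones, is constructed so the checks run instantly. It parses the file, audits each entry with a Miller-Rabin safe-prime check (the kind of verification an administrator would want before trusting a locally produced file), selects a group, and runs the two exponentiations per side that a group exchange costs on top of a fixed-group key exchange.

```python
import random
from typing import Dict, List, NamedTuple, Tuple


class DHGroup(NamedTuple):
    size: int        # bit length of the modulus as recorded in the file (assumed meaning)
    generator: int
    modulus: int
    safe: bool       # type field == 2 marks a safe prime in the assumed layout


# Constructed sample in the assumed moduli-style layout. The moduli are small
# safe primes (23, 47, 59, 107) plus 61, which is prime but NOT a safe prime
# and is marked type 0 (unverified). Real files carry 1024-bit and larger entries.
SAMPLE_PRIMES_FILE = """\
# Time Type Tests Tries Size Generator Modulus
20001201000000 2 6 100 5 2 17
20001201000000 2 6 100 6 2 2f
20001201000000 2 6 100 6 5 3b
20001201000000 0 0 0 6 2 3d
20001201000000 2 6 100 7 2 6b
"""


def parse_primes_file(text: str) -> List[DHGroup]:
    """Parse the assumed seven-field layout, skipping blank and comment lines."""
    groups: List[DHGroup] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        _time, typ, _tests, _tries, size, gen, mod_hex = fields
        groups.append(DHGroup(int(size), int(gen), int(mod_hex, 16), int(typ) == 2))
    return groups


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with a trial-division shortcut for small factors."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """A safe prime p has (p - 1) / 2 prime as well, which is what DH groups want."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def audit_groups(groups: List[DHGroup]) -> Dict[int, bool]:
    """Map each modulus to whether it actually is a safe prime, ignoring the type flag."""
    return {g.modulus: is_safe_prime(g.modulus) for g in groups}


def choose_group(groups: List[DHGroup], min_bits: int, rng=random) -> DHGroup:
    """Pick the smallest safe-prime group of at least min_bits, randomly among ties (assumed policy)."""
    candidates = [g for g in groups if g.safe and g.size >= min_bits]
    if not candidates:
        raise LookupError(f"no safe-prime group of at least {min_bits} bits")
    best = min(g.size for g in candidates)
    return rng.choice([g for g in candidates if g.size == best])


def dh_exchange(g: DHGroup, rng=random) -> Tuple[int, int]:
    """One exchange in the chosen group: each side does two modular exponentiations.
    Returns both sides' derived secrets so the caller can confirm they agree."""
    a = rng.randrange(2, g.modulus - 1)
    b = rng.randrange(2, g.modulus - 1)
    pub_a = pow(g.generator, a, g.modulus)
    pub_b = pow(g.generator, b, g.modulus)
    return pow(pub_b, a, g.modulus), pow(pub_a, b, g.modulus)


if __name__ == "__main__":
    parsed = parse_primes_file(SAMPLE_PRIMES_FILE)
    for modulus, ok in audit_groups(parsed).items():
        print(f"modulus {modulus}: {'safe prime' if ok else 'NOT a safe prime'}")
    chosen = choose_group(parsed, 6)
    print("chosen group:", chosen, "secrets agree:", len(set(dh_exchange(chosen))) == 1)
```

With a real file the exponentiations run on 1024-bit or larger moduli, so the per-connection cost scales with the group size and with how many lines must be read and parsed, which is where the extra seconds on slow hardware come from.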
This would fix the problem at a local level (mine) but not at a global level (other users). The primes key isn't generated by the local system but is provided by the rpm package. Would a locally generated primes file meet security requirements (which I am all for) without the radical expense of either a.) less security or b.) time delay?