Bug 21697 - Time delay to connect increases with /etc/ssh/primes file
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.0
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Nalin Dahyabhai
Reported: 2000-12-04 14:35 EST by Henri Schlereth
Modified: 2008-05-01 11:37 EDT (History)

Doc Type: Bug Fix
Last Closed: 2000-12-18 21:55:33 EST

Description Henri Schlereth 2000-12-04 14:35:54 EST
With the openssh-2.3.0p1-1 rpm (from openssh.com) the internal network connect time averages out to
4-5 seconds (time trial).
With the openssh-2.3.0p1-4 rpm (RH update) the time increases to 15-32 seconds (also timed). The difference is the
primes file. Originally I suspected PAM, but using the previous version of sshd (PAM) gave no benefit;
it was still sluggish until the primes file was removed.
Most of the machines involved are 486s, but two are Pentium 133s with 64/24 MB of memory.

This is really an unacceptable time delay, as the insecure telnet is faster than the secure openssh.
Comment 1 Damien Miller 2000-12-14 21:51:26 EST
There is additional computation done (negotiation of a DH group) when
/etc/ssh/primes is present. The negotiation increases security, but does take time.

To prevent such negotiation, you can just empty /etc/ssh/primes:

mv /etc/ssh/primes /etc/ssh/primes_
>/etc/ssh/primes
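The mechanism described in the comment above, as an added example that is not part of this bug report or of OpenSSH's own code: a small Python model of what a populated /etc/ssh/primes makes the server do. It parses entries in the primes file's layout (the moduli(5) columns: time, type, tests, tries, size, generator, modulus), picks a group for the size the client asks for in roughly the way sshd's choose_dh() does (an approximation, not the real selection code), falls back to the fixed 1024-bit group1 when the file has no usable entry (which is what the emptied-file workaround produces), and runs both sides of the Diffie-Hellman exchange so the cost of the bigger modulus can be timed. The sample file is constructed here from the well-known RFC 2409 group 2 and RFC 3526 group 14 primes; the client's 1024/2048/8192-bit request values and the convention that the size column is the bit length minus one are assumptions.

```python
# Added example (not from the bug report or OpenSSH): group choice plus big-modulus DH.
import secrets
import time
from collections import namedtuple

# Well-known MODP primes: Oakley group 2 (RFC 2409, 1024 bits; the group behind
# SSH's diffie-hellman-group1-sha1) and group 14 (RFC 3526, 2048 bits).
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP14_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2

DHGroup = namedtuple("DHGroup", "size generator p")  # size: file column, bit length - 1 (assumed)

def parse_moduli(text):
    """Parse moduli(5) lines 'time type tests tries size generator modulus(hex)'.
    Keeps safe primes (type 2) not flagged composite (tests & 0x01); the size
    check assumes sshd's convention that size == bit length - 1."""
    groups = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {raw!r}")
        _, typ, tests, _, size, gen, modulus = fields
        if int(typ) != 2 or int(tests) & 0x01:
            continue
        p = int(modulus, 16)
        if p.bit_length() != int(size) + 1:
            raise ValueError(f"size/modulus mismatch: {raw!r}")
        groups.append(DHGroup(int(size), int(gen), p))
    return groups

def choose_group(groups, minbits, wantbits, maxbits):
    """Rough model of sshd's choose_dh(): within [minbits, maxbits] take the
    smallest prime >= wantbits (else the largest), random among equal sizes;
    None when nothing is usable, which is what an emptied primes file gives."""
    usable = [g for g in groups if minbits <= g.p.bit_length() <= maxbits]
    if not usable:
        return None
    big = [g for g in usable if g.p.bit_length() >= wantbits]
    target = min(g.p.bit_length() for g in big) if big else max(g.p.bit_length() for g in usable)
    return secrets.choice([g for g in usable if g.p.bit_length() == target])

def server_group(primes_text, minbits, wantbits, maxbits):
    """Group the server computes with: one from the file, else the fixed
    1024-bit group1 (sshd of this era logs a warning and falls back likewise)."""
    chosen = choose_group(parse_moduli(primes_text), minbits, wantbits, maxbits)
    return chosen or DHGroup(1023, GENERATOR, GROUP1_P)

def dh_exchange(group):
    """Both sides of one DH exchange in-process; the four exponentiations mod p
    grow roughly cubically with prime size.  Returns (shared secret, seconds)."""
    p, g = group.p, group.generator
    start = time.perf_counter()
    x, y = 2 + secrets.randbelow(p - 3), 2 + secrets.randbelow(p - 3)  # client/server secrets
    e, f = pow(g, x, p), pow(g, y, p)                                  # exchanged public values
    k_client, k_server = pow(f, x, p), pow(e, y, p)
    if k_client != k_server:
        raise RuntimeError("DH shared secrets differ")
    return k_client, time.perf_counter() - start

def is_probable_prime(n, rounds=8):
    """Miller-Rabin, used to re-check the sample moduli (the file's tests
    column 6 = 0x02 sieve | 0x04 Miller-Rabin says the generator did too)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed sample /etc/ssh/primes: two entries in moduli(5) column order.
SAMPLE_PRIMES = (
    f"20001201000000 2 6 100 1023 {GENERATOR} {GROUP1_P:x}\n"
    f"20001201000000 2 6 100 2047 {GENERATOR} {GROUP14_P:x}\n"
)
```

Calling server_group("", 1024, 2048, 8192) returns the fixed 1024-bit group, while server_group(SAMPLE_PRIMES, 1024, 2048, 8192) returns the 2048-bit entry; timing dh_exchange() on each shows the exponentiation cost rising several-fold with the larger modulus, which is the extra work behind the delay the reporter measured. Checking each modulus and (p-1)/2 with is_probable_prime() is what the tests column of a real file records the generating tool as having already done.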
Comment 2 Henri Schlereth 2000-12-18 21:55:19 EST
This would fix the problem at a local level (mine) but not at a global level (other users). The primes key isn't generated by the
local system but is provided by the rpm package. Would a locally generated primes file meet security requirements (which I am all
for) without the radical expense of either a.) less security or b.) time delay?
