Bug 21697 - Time delay to connect increases with /etc/ssh/primes file
Summary: Time delay to connect increases with /etc/ssh/primes file
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
Version: 7.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Depends On:
Reported: 2000-12-04 19:35 UTC by Henri Schlereth
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-12-19 02:55:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Henri Schlereth 2000-12-04 19:35:54 UTC
With the openssh-2.3.0p1-1 rpm (from openssh.com) the internal network connect time averages out to 4-5 seconds (time trial). With the openssh-2.3.0p1-4 rpm (RH update) the time increases to 15-32 seconds (also timed). The difference is the primes file. Originally I suspected pam, but using the previous version of sshd (pam) gave no benefit; it was still sluggish until the primes file was removed.
Most of the machines involved are 486s, but two are Pentium 133s with 64/24 MB of memory.

This is really an unacceptable time delay as the insecure telnet is faster than the secure openssh.

Comment 1 Damien Miller 2000-12-15 02:51:26 UTC
There is additional computation done (negotiation of a DH group) when
/etc/ssh/primes is present. The negotiation increases security, but does take time.

To prevent such negotiation, you can just empty /etc/ssh/primes:

mv /etc/ssh/primes /etc/ssh/primes_

Comment 2 Henri Schlereth 2000-12-19 02:55:19 UTC
This would fix the problem at a local level (mine) but not at a global level (other users). The primes key isn't generated by the local system but is provided by the rpm package. Would a locally generated primes file meet security requirements (which I am all for) without the radical expense of either a.) less security or b.) time delay?
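An added example, not part of this bug report or of OpenSSH's own code, to make the /etc/ssh/primes discussion in comments 1 and 2 concrete. The file (which I believe later OpenSSH releases renamed to moduli) holds one candidate Diffie-Hellman group per line: timestamp, type, test flags, trial count, bit size, generator and the modulus in hex. The parser below reads that format, rejects entries the way I understand sshd does (wrong type, composite flag, size inconsistent with the modulus), additionally re-checks the safe-prime claim rather than trusting the file (relevant to the question of who generates it), and then picks a group for a requested size range. The selection rule is my paraphrase of sshd's behaviour, and the field semantics (size field is the index of the top bit, type 2 means safe prime, tests bit 0x01 means composite) come from my knowledge of OpenSSH, not from this page. The sample lines are constructed from tiny safe primes so the check runs instantly; real files carry 2048-bit and larger moduli, which is where the per-connection cost the reporter measured comes from.

```python
"""Parse an OpenSSH-style primes/moduli file and select a DH group for
group exchange. Added example: the selection rule paraphrases sshd's
behaviour as I understand it, and the sample data is constructed."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field values of the moduli file format as documented for OpenSSH (assumed).
MODULI_TYPE_SAFE = 2           # p and (p-1)/2 are both prime
MODULI_TESTS_COMPOSITE = 0x01  # entry is known to be composite
MODULI_TESTS_MASK = 0x07       # composite | sieve | miller-rabin

# Constructed sample: timestamp type tests tries size generator modulus(hex).
# Moduli are the tiny safe primes 167, 179, 263, 347, 587, 1019, 2039, 4079,
# followed by three deliberately bad lines (wrong type, composite flag, and a
# line that claims 341 = 11*31 is a safe prime).
SAMPLE_MODULI = """\
20001204000000 2 6 100 7 2 A7
20001204000000 2 6 100 7 2 B3
20001204000000 2 6 100 8 2 107
20001204000000 2 6 100 8 2 15B
20001204000000 2 6 100 9 2 24B
20001204000000 2 6 100 9 2 3FB
20001204000000 2 6 100 10 2 7F7
20001204000000 2 6 100 11 2 FEF
20001204000000 4 6 100 8 2 107
20001204000000 2 7 100 8 2 155
20001204000000 2 6 100 8 2 155
"""


@dataclass
class DHGroup:
    size: int        # modulus size in bits
    generator: int
    modulus: int


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; adequate for the tiny sample
    moduli here, not a replacement for the randomized tests ssh-keygen runs."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def parse_moduli(text: str) -> Tuple[List[DHGroup], List[str]]:
    """Return the usable groups and a reason string for every rejected line."""
    groups, rejects = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            rejects.append(f"{lineno}: expected 7 fields")
            continue
        _ts, mtype, tests, tries, size, gen, mod = fields
        mtype, tests, tries = int(mtype), int(tests), int(tries)
        size = int(size) + 1          # the file stores the top bit's index
        generator, modulus = int(gen), int(mod, 16)
        if mtype != MODULI_TYPE_SAFE:
            rejects.append(f"{lineno}: not a safe-prime entry")
            continue
        if tests & MODULI_TESTS_COMPOSITE or tests & ~MODULI_TESTS_MASK:
            rejects.append(f"{lineno}: invalid tests flag")
            continue
        if tries <= 0 or modulus.bit_length() != size:
            rejects.append(f"{lineno}: tries or size inconsistent with modulus")
            continue
        # Re-verify the safe-prime claim instead of trusting the file.
        if not (is_probable_prime(modulus) and is_probable_prime((modulus - 1) // 2)):
            rejects.append(f"{lineno}: modulus is not a safe prime")
            continue
        groups.append(DHGroup(size, generator, modulus))
    return groups, rejects


def select_group(groups: List[DHGroup], min_bits: int, want_bits: int,
                 max_bits: int, rng=random) -> Optional[DHGroup]:
    """Pick the smallest size >= want within [min, max], else the largest
    size below want, then a random entry of that size (sshd's rule, as I
    understand it). Returns None when nothing in range exists."""
    usable = [g for g in groups if min_bits <= g.size <= max_bits]
    if not usable:
        return None
    at_least = [g.size for g in usable if g.size >= want_bits]
    best = min(at_least) if at_least else max(g.size for g in usable)
    return rng.choice([g for g in usable if g.size == best])


if __name__ == "__main__":
    groups, rejects = parse_moduli(SAMPLE_MODULI)
    print(f"{len(groups)} usable groups, {len(rejects)} rejected lines")
    for reason in rejects:
        print("  rejected", reason)
    chosen = select_group(groups, 8, 10, 12)
    print("chosen for 8/10/12 bits:", chosen)
```

Emptying or removing the file, as comment 1 suggests, means `parse_moduli` yields no groups and `select_group` returns None, which is the point at which sshd falls back to a fixed group instead of negotiating one. A locally generated file, as comment 2 asks about, is only useful if every line passes the checks above; the re-verification step is what lets an administrator confirm that before relying on it.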
