Slow Login to the Device Using SSH on the Client
1. Symptom and Networking
Description: When a user logs in to the device through SSH from an OpenSSH 6.9 client, the password prompt appears only after a long delay once the user name has been entered.
Networking: None
2. Problem Analysis
(1) Analysis of the SSH debug information collected on the live network shows that the login time is spent calculating the key. The following debug output shows a wait of about 14 seconds at this step.
Apr 14 2016 20:20:06.270.3 S5720-52X-PWR-SI SSH/7/NO_INFO:Begin to compute the dh shared key.
Apr 14 2016 20:20:20.230.1 S5720-52X-PWR-SI SSH/7/RECV_PKT:Received ssh2 msg ecdh reply packet.
(2) The device provides three key exchange algorithms: dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. This order is also the order of their security levels. In terms of security, the dh_group_exchange_sha1 algorithm is recommended. However, when the dh_group_exchange_sha1 algorithm is used, the key calculation takes a long time. The device on the live network uses this key exchange algorithm.
Apr 14 2016 20:20:06.170.9 S5720-52X-PWR-SI SSH/7/CHOOSE_KEX:Choose Kex algorithm:diffie-hellman-group-exchange-sha1.
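The delay can be measured directly from the debug lines quoted in (1) and (2). The Python script below is an added example, not part of the original case or of any Huawei tool. It pairs the "Begin to compute the dh shared key" line with the following reply packet line for each device and reports the elapsed time together with the negotiated algorithm. The threshold_s parameter (2 seconds) and ignoring the last dotted field of the timestamp are assumptions.

```python
import re
from datetime import datetime

# The three debug lines quoted on this page, embedded so the script runs offline.
SAMPLE_LOG = """\
Apr 14 2016 20:20:06.170.9 S5720-52X-PWR-SI SSH/7/CHOOSE_KEX:Choose Kex algorithm:diffie-hellman-group-exchange-sha1.
Apr 14 2016 20:20:06.270.3 S5720-52X-PWR-SI SSH/7/NO_INFO:Begin to compute the dh shared key.
Apr 14 2016 20:20:20.230.1 S5720-52X-PWR-SI SSH/7/RECV_PKT:Received ssh2 msg ecdh reply packet.
"""

# Timestamp (to the millisecond), device name, SSH module tag, message text.
# Assumption: the final ".N" field of the timestamp is not needed for timing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3})\.\d+ "
    r"(?P<host>\S+) SSH/\d+/(?P<tag>\w+):(?P<msg>.*)$"
)

def kex_timings(log_text, threshold_s=2.0):
    """Return one dict per key exchange: host, alg, seconds, slow."""
    results, state = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an SSH debug line in the expected format
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
        st = state.setdefault(m["host"], {})  # track each device separately
        if m["tag"] == "CHOOSE_KEX":
            st["alg"] = m["msg"].rsplit(":", 1)[-1].rstrip(".")
        elif "Begin to compute the dh shared key" in m["msg"]:
            st["start"] = ts
        elif m["tag"] == "RECV_PKT" and "reply packet" in m["msg"] and "start" in st:
            secs = (ts - st.pop("start")).total_seconds()
            results.append({"host": m["host"], "alg": st.get("alg", "unknown"),
                            "seconds": round(secs, 3), "slow": secs > threshold_s})
    return results

if __name__ == "__main__":
    for r in kex_timings(SAMPLE_LOG):
        flag = "SLOW" if r["slow"] else "ok"
        print(f'{r["host"]}  {r["alg"]}  {r["seconds"]}s  {flag}')
```

Run against a full debug capture, it shows per device whether the login delay falls in the key calculation step before the key exchange algorithm list is changed.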
3. Cause
The more secure the key exchange algorithm, the longer it takes to calculate the key. CPU processing capability also differs between device models: the weaker the CPU, the longer the calculation takes.
Test example:
A. Take the switch as an example. The left column shows the key exchange algorithm, and the right column shows the time required for calculating the key.
B. The CPU performance of the 5720EI is better than that of the 5720SI.

S5720-36PC-EI-AC V200R008C00SPC500
Algorithm                 Duration
dh_group_exchange_sha1    6.6s
dh_group14_sha1           0.45s
dh_group1_sha1            0.2s

S5720-52X-PWR-SI-AC V200R008C00SPC500
Algorithm                 Duration
dh_group_exchange_sha1    14s
dh_group14_sha1           1.34s
dh_group1_sha1            0.21s
4. Solution
V5R16C50 and later versions (recommended for versions earlier than V5R16C50): A command is provided that lets customers select an algorithm with a shorter key calculation time (security is reduced accordingly).
Command line:
The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.
[Huawei] ssh server key-exchange ?
  dh_group14_sha1         Diffie-hellman-group14-sha1 key exchange algorithm
  dh_group1_sha1          Diffie-hellman-group1-sha1 key exchange algorithm
  dh_group_exchange_sha1  Diffie-hellman-group-exchange-sha1 key exchange
                          algorithm, and this algorithm is recommended
5. Fault Locating Information
Collect the following debugging information:
debugging ssh server all all
t m
t d
d t 0
Log in to the device over SSH to reproduce the problem. After the collection is complete, disable debugging:
u t m
u t d
undo debugging all