Topic: Why SSH'ing into OpenWRT takes so much time ?

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

pyed

26 Mar 2017, 21:30

I've set it up my public key to avoid passwords, but executing `ssh root@192.168.1.1` takes a good 5 seconds!

~ $ time ssh root@192.168.1.1 uptime
 23:20:55 up 15:16,  load average: 0.27, 0.33, 0.22

real    0m5.134s
user    0m0.018s
sys    0m0.006s

SSH into a Raspberry Pi takes less than half a second

~ $ time ssh pi@192.168.1.152 uptime
 20:22:07 up 15:17,  0 users,  load average: 0.00, 0.00, 0.00

real    0m0.410s
user    0m0.026s
sys    0m0.007s

executing `ssh -v` shows the following

~ $ ssh -v root@192.168.1.1
OpenSSH_7.3p1, LibreSSL 2.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version dropbear_2015.67
debug1: no match: dropbear_2015.67
debug1: Authenticating to 192.168.1.1:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY  # <----- MOST OF THE TIME IS SPEND HERE !!!!!!!!
debug1: Server host key: ssh-rsa SHA256:+9rKl+TZD3HUXIFB7RsN2F8gop95u4IypiMEfiqwnoc
debug1: Host '192.168.1.1' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:12
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.1 ([192.168.1.1]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LC_CTYPE = UTF-8

most of the time is sent on the line that says: `debug1: expecting SSH2_MSG_KEXDH_REPLY`

I searched around and found a couple of threads talking about this, but not real solutions to be gained, I hope someone can point out a good solution for this, as speed of SSH connecting gets crucial if you have scripts that connect to your router to do something or get some information from it.

I'm running Chaos Calmer/commit 03d52cf

Post #2

hnyman

26 Mar 2017, 22:07

It shouldn't take that long (and does not take for me).

That slow ssh login behaviour was observed a few years ago, and then one major reason was MIPS16.
https://dev.openwrt.org/ticket/15209

dropbear (the default ssh server) was fixed by disabling MIPS16 code in it, but you might have something else running in your router. You might also check that openssh is not compiled with MIPS16 (if you are running that on a router).

Other solution proposal in that ticket was disabling reverse DNS lookup.

So the reason may be one of those reason, or something similarly "unrelated" to the ssh protocol itself.

Post #3

pyed

29 Mar 2017, 02:33

hnyman wrote:

It shouldn't take that long (and does not take for me).
That slow ssh login behaviour was observed a few years ago, and then one major reason was MIPS16.
https://dev.openwrt.org/ticket/15209
dropbear (the default ssh server) was fixed by disabling MIPS16 code in it, but you might have something else running in your router. You might also check that openssh is not compiled with MIPS16 (if you are running that on a router).
Other solution proposal in that ticket was disabling reverse DNS lookup.
So the reason may be one of those reason, or something similarly "unrelated" to the ssh protocol itself.

Thank you for your reply, and sorry for the late respond.

I tried the solution mentioned here and it solved nothing, so the problem is not my build of openwrt

I do build OpenWRT myself for my "Buffalo WBMR-HP-G300H" Router/xDSL Modem, I'm not sure how to disable reverse DNS or MIPS16 code in my dropbear build, or if I even should as it is a very old issue, probably it has something to do with building for lantiq/xway ?

I would appreciate if you take a look at my `.config` file, and tell me which flags should I set/unset to disable MIPS16 code.

.config: http://sprunge.us/IRVg

BusyBox v1.23.2 (2017-03-29 00:38:36 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (Chaos Calmer, r49389)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:~# dropbear -V
Dropbear v2015.67

Post #4

pyed

29 Mar 2017, 03:27

I solved it by replacing dropbear with openssh: https://wiki.openwrt.org/inbox/replacin … nsshserver

~ $ time ssh root@192.168.1.1 uptime
 02:26:22 up  1:19,  load average: 0.34, 0.54, 0.35

real    0m1.021s
user    0m0.021s
sys    0m0.007s

Post #5

hnyman

29 Mar 2017, 08:44

pyed wrote:

I solved it by replacing dropbear with openssh

Ok, then the culprit really is dropbear like I guessed.

MIPS16 is disabled per package. Package Makefile can have a line "PKG_USE_MIPS16:=0" that disables MIPS16 code generation for that package. You might check that your dropbear Makefile has that line (package/network/services/dropbear/Makefile). The line should be there like this: https://github.com/openwrt/openwrt/blob … kefile#L24

Alternatively, you may set the config globally. Your .config has "CONFIG_HAS_MIPS16=y" line. That is due to the mips16 feature declaration in the target makefile. By rermoving that mips16 item from the feature list in the target Makefile, you can do a global change for all packages.

But it is not certain that mips16 is the reason for your slowness.

You might just be content with the solution of using openssh server instead.

(Last edited by hnyman on 29 Mar 2017, 08:44)

The discussion might have continued from here.

Page 1 of 1