Networking – long delay during ssh login

ipv4ipv6networkingssh

When I connect to my Debian server via ssh, the ssh client tries to establish a IPv6 connection. This fails after a long timeout (~30sec), then falls back to IPv4, which then succeeds, and I'm prompted for a password.

This is quite annoying, because I often miss the time I can enter the password (password timeout feels really short in comparison), and I have to sit through this again.

This happens both on Windows via putty and on my Debian machine using the standard ssh client.

I like to fix this either by making the IPv6 connection working or by directly connecting via IPv4.

How can I find out why I'm unable to connect via IPv6?
How can I configure my ssh client to connect via IPv4?

Here is what my output of ssh is like (changed personal data)

> ssh -v someuser@somedomain.com
OpenSSH_6.9p1 Debian-2, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /home/someuser/.ssh/config
debug1: /home/someuser/.ssh/config line 12: Applying options for somedomain.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to somedomain.com [1234:1234:1234:1234::1] port 12345.

after this ssh waits for ~30sec (as mentioned above), and then falls back to IPv4 and I can login as usual.

update

I did some testing, and I think the server is not setup correctly for IPv6
(although ping6 ::1 and ssh -6 ::1 worked). For now I will configure my ssh clients to use IPv4 until I figured out how to fix IPv6 on my server.

Best Answer

The best approach, in my opinion, is to get things working (rather than working around what isn't working). So, fix IPv6.

Does ping6/ping for IPv6 work? Can you ssh to "::1"? Does firewall rules permit the incoming traffic to the IPv6 address?

Is Reverse DNS set up? If not, OpenBSD FAQ about Reverse DNS specifically describes this behavior in OpenSSH, and adjusting that by getting Reverse DNS working or by adding entries to a /etc/hosts file.

Or, if you'd like to not follow my earlier advice of getting things to work instead of performing a workaround, you could disable the lookups (rather than make the lookups succeed).

This guide says to add UseDNS=no to the sshd_config file (and then don't forget to have sshd reload the config), and also have sshd be started with the "-u0" option.

Related Solutions

SSH over IPv6 got “Permission denied” error

Possible causes could be:

Local firewall (ip6tables)
External firewall on your network (according to some sources, ICMPv6 "Administratively prohibited" error message is interpreted by Linux as EACCESS)
AppArmor, SELinux, Smack (although neither of them is on by default on Arch)

Things you could try:

reset ip6tables rules
connect to the server using other programs (socat stdio tcp:[2604:....]:311) and see if they return the same message; test with both same and different ports
ping6, traceroute6, and see if any hop returns "Administratively prohibited" or any other error

Linux – SSH error ssh_exchange_identification: read: Connection reset by peer

"Connection reset by peer" means the TCP stream was abnormally closed from the other end. I think the most likely explanations are that the remote server process handling the connection has crashed, or else some network device (like a stateful firewall or load balancer) has decided to interfere with the connection.

You need to debug this on the remote server if you can. sshd logs through syslog, and on a typical Unix system the log entries will be in one of the files in the /var/log directory. If you're lucky, sshd will be logging something every time it drops your session.

If you have root access on the server, you can run a debugging instance of sshd. Become root and then run:

/path/to/sshd -ddd -p 1022

This will run an instance of the SSH server which will listen on port 1022, accept one connection, and print debugging information to your terminal. Run your client as usual, except specify port 1022 as the port:

ssh -p 1022 user@host

The debugging information printed by the server will hopefully make it clear what is happening.

Edit: The server output indicates that the server isn't crashing or deliberately closing the TCP connection. Something else is causing it to close. I would take a look at any security software installed on the server which might monitor TCP sessions, as well as any firewalls, load balancers, or similar network hardware which might be part of the local network.

Best Answer

Related Solutions

SSH over IPv6 got “Permission denied” error

Linux – SSH error ssh_exchange_identification: read: Connection reset by peer

Related Question