Fixing slow SSH remote terminal with your Raspberry PI

Check my RPI articles in Best Raspberry PI projects article or peppe8o.com home page. Or subscribe my newsletter (top right in this page) to be notified when new projects are available!
0
(0)

This article is more a memo for me than a real guide. But I thought that what I learned, even if in form of raw note, can be useful for a lot of people facing my same problem.

I sometimes experienced very slow remote terminal sessions to my Raspberry PI, even if HTOP command showing free resources. So i decided to focus

SSHD (the ssh daemon) has 2 main files useful for my analysis:

  • “/etc/ssh/sshd_config” – which contains ssh service configuration
  • “/var/log/auth.log” – which contains ssh service logs

Looking inside auth.log file, no main problems are visible. In this log I can see correctly starting (“sshd[502]: Server listening on 0.0.0.0 port 22.”) and correctly accepting connections from my PC (“sshd[523]: Accepted password for pi from 192.168.43.182 port 51043 ssh2”).

No visible errors are traced.

So, I decided to increase log verbosity: it may be connected to some minor errors not visible at current log verbosity level. From https://man.openbsd.org/sshd_config I get that I have to edit config file:

sudo nano /etc/ssh/sshd_config  

And set following parameter with maximum logging level (DEBUG3):

LogLevel DEBUG3

Once done, a reboot is better to be sure this change has been acquired from system:

sudo reboot now

So, I had only to wait for terminal becoming again slow.

Log Analisys

Once returned back tp check log for error or warning signals, II noted that each time I reconnect, SSH daemon is negotiating client connection with client. This is an expected behaviour for me and appears to be normal. Following lines report initialization log:

Aug 24 17:04:35 raspberrypi sshd[626]: debug3: receive packet: type 20
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: SSH2_MSG_KEXINIT received
Aug 24 17:04:35 raspberrypi sshd[626]: debug3: send packet: type 20
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: SSH2_MSG_KEXINIT sent
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: local server KEXINIT proposal
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nis$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,s$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-et$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-et$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: compression ctos: none,zlib@openssh.com
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: compression stoc: none,zlib@openssh.com
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: languages ctos:
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: languages stoc:
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: first_kex_follows 0
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: reserved 0
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: peer client KEXINIT proposal
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-ni$
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: SSH2_MSG_KEXINIT sent
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: local server KEXINIT proposal
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nis$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,s$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-et$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-et$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: compression ctos: none,zlib@openssh.com
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: compression stoc: none,zlib@openssh.com
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: languages ctos:
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: languages stoc:
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: first_kex_follows 0
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: reserved 0
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: peer client KEXINIT proposal
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-ni$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: host key algorithms: ssh-ed25519
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: ciphers ctos: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,a$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: ciphers stoc: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,a$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@o$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@o$
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: compression ctos: none,zlib,zlib@openssh.com
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: compression stoc: none,zlib,zlib@openssh.com
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: languages ctos:
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: languages stoc:
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: first_kex_follows 0
Aug 24 17:04:35 raspberrypi sshd[626]: debug2: reserved 0
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: kex: algorithm: curve25519-sha256@libssh.org
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: kex: host key algorithm: ssh-ed25519
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
Aug 24 17:04:35 raspberrypi sshd[626]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT
......

Trying to avoid to have full log post, scrolling down I saw ssh daemon still continuing in server-client negotiation till ssh console is used. So, no strange behaviours appears to be reported.

First action: PAM

Some row caught my attention: those regarding PAM (Privileged Access Management).

I supposed that PAM times are not logged in auth.log. I also checked from some web articles that PAM debugging is not so simple. Checking PAM configuration:

sudo nano /etc/pam.d/common-session  

I discovered that this is a very skinny file. And verified that it includes by default some required (mandatory) modules, plus 2 optional modules. Term “optional” in very low hardware like my Raspberry PI Zero W can be translated in disabled…

The two optional modules are:

  • pam_systemd.so – deputed to register user sessions in the systemd login manager, so appear to be a loggin for my user session. I’m the only one SSH user for my PI, so I can comment out this line.
  • pam_chksshpwd.so – for the very few mentions from web, this appears to be a module deputed to check if your password is still the default one (really guys? a module for this stupid job?)

I decided to comment these 2 optional modules nd use my little PI Zero W for a while.

From this modification, I finally solved my slow SSH sessions problem.

Second Action: DNS

Some users also refer about delays that may be introduced by SSH reverse DNS queries.

SSH daemon controls that client it is communicating with is the same during the entire connection by checking periodically the match with IP address and related hostname. It can add some reverse DNS resolution load to your device, so resulting in slower connection in some configurations (expecially when SSH connection is made from internet. For local network connection it shouldn’t give great impacts.

Anyway, if first action didn’t solved your problem, you can try by disabling DNS check from SSH configuration file:

sudo nano /etc/ssh/ssh_config    

And uncommenting related row:

useDNS no

Honestly, I tryed this test alone, but this didn’t gave me same results as first action.

Let me know if these solution solved your slow SSH connection issues and also share your comments!

How useful was this post?

Click on a star to rate it anonymously!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?