SSH connection to Solaris 11 is sometimes slow…

Today at work, we migrated the first box to Solaris 11 and we experienced the first bug as soon as we needed to log in to the server.

As these delays are quite common when sshd runs with its default configuration, I quickly added these lines to rule out the common GSSAPI and DNS issues:

/etc/ssh/sshd_config

However, these settings didn’t fix the problem.

I added some verbosity to both the ssh client and the server and tracked the delay down to this stage of the connection:

On the client:

And on the server:

Running truss on the server process helps a lot:

The hang happens just after the connect() syscall. We can now check the pfiles output for this process together with netstat to identify which connection is having trouble being established:

Port 30003 is the default port of the tcsd daemon, which manages physical cryptography (through /dev/tpm). If there are no hardware crypto devices, this daemon is disabled. It seems, though, that cryptoadm links the TPM crypto mechanism by default, which leads ssh to try to access this daemon.
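To reproduce the stall outside sshd, you can time a TCP connect to the tcsd port directly. This is an added example, not code from the original post: the loopback target is an assumption (the address sshd actually connected to is not shown here), and `probe` and `verdict` are hypothetical helper names.

```python
import socket
import sys
import time

TCSD_PORT = 30003  # default tcsd port, as stated in the post


def probe(host, port=TCSD_PORT, timeout=5.0):
    """Try one TCP connect; return (outcome, seconds_elapsed).

    outcome: "open", "refused", "timeout" or "error:<ExceptionName>".
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = "open"
    except ConnectionRefusedError:
        outcome = "refused"      # fast failure: nothing listening
    except socket.timeout:
        outcome = "timeout"      # connect() never completed
    except OSError as exc:
        outcome = "error:" + type(exc).__name__
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def verdict(outcome, elapsed, slow_after=1.0):
    """Say whether this connect would stall a caller blocked in connect()."""
    if outcome == "timeout" or elapsed >= slow_after:
        return "stall: a blocking connect() to this port delays the caller"
    if outcome == "open":
        return "listener answers quickly: not the source of the delay"
    return "fails fast (%s): not the source of the delay" % outcome


if __name__ == "__main__":
    # Assumption: the probe targets the loopback address unless told otherwise.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    outcome, elapsed = probe(host)
    print("%s:%d %s after %.2fs -> %s"
          % (host, TCSD_PORT, outcome, elapsed, verdict(outcome, elapsed)))
```

Run it on the affected server before and after applying a workaround; a result that changes from a stall to a fast answer or a fast failure matches the diagnosis above.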

Workaround found (just to confirm the slowness is caused by tcsd):

Run this command on the server:

and try to ssh to the box; it should be fast.

Permanent workaround:

Simply remove the pkcs11_tpm provider from the crypto framework:


One Response to SSH connection to Solaris 11 is sometimes slow…

  1. Hi,

    Thank you so much. I’ve just hit the same issue on an M3000 — 9/10 SSH logins were failing and so were outbound SSL requests (also I suspect it’s happened a few times over the last few months where it seemed tcp traffic stopped working in one of our zones, but that’s just a guess at this point)

    Really appreciate the post and the hard work
