FishMonger asked:

Net::SSH::Perl login authentication is taking too long

I'm developing a cgi script that uses Net::SSH::Perl, but the login authentication is taking 1 minute 40 seconds.  As you can imagine, 1:40 is too long, especially since I will be connecting to 4 servers.

Is this a known issue and is there a workaround?

Here's my test script and the output.

#!/usr/bin/perl

use strict;
use warnings;
use CGI qw/:standard/;
use CGI::Carp qw(fatalsToBrowser warningsToBrowser);
use Net::SSH::Perl;
use Data::Dumper;

$|++;

my $imap1 = 'imap1';
my %params = (debug => 1, protocol => 2);

print header(),
      start_html(),
      "creating ssh object: ", scalar localtime, br;

warningsToBrowser(1);

my $ssh_imap1 = Net::SSH::Perl->new($imap1, %params) || die "can't ssh $!";
print "ssh object created: ", scalar localtime, "<br>$/";

print "logging in: ", scalar localtime, br;
$ssh_imap1->login('me');
print "logged in: ", scalar localtime, br;

my ($stdout, $stderr, $exit) = $ssh_imap1->cmd('pwd');
$stdout =~ s/\n/<br>/g;

print "<br>$stdout",
      end_html();

--------------------------------------------------------------------------------------

creating ssh object: Sat Dec 16 21:44:04 2006
ssh object created: Sat Dec 16 21:44:04 2006
logging in: Sat Dec 16 21:44:04 2006
logged in: Sat Dec 16 21:45:44 2006

/home/me
ozo

If it's the ssh server that is taking that long, there may not be much that Perl can do about it,
although if one server does not depend on another, you could connect to all four servers simultaneously so you don't have to wait four separate times.
FishMonger (ASKER)

If I use the system's ssh on the command line or Net::SSH in a non-cgi script, the login is almost instant.  So far, I haven't been able to get Net::SSH to work in a cgi environment.  The problem only shows itself when using the Net::SSH::Perl module, so I don't think it's the servers.

There might be something wrong with my module installation; however, it installed without any errors.  The only issue was during the 'make test': it took hours to complete and seemed to hang (or was busy doing something) on test #3 (I think), but it finally finished without any failed tests.  However, it did skip a couple POD related tests.
> So far, I haven't been able to get Net::SSH to work in a cgi environment.  
Does that mean you've gotten it to work in a non-cgi environment?
Yes, Net::SSH works in a non-cgi environment.
Tintin

I see you've set debugging on, so what's the debug output?

A common issue when ssh connections take a long time is DNS resolution, specifically reverse lookups.
I'm currently not in the office and won't be there until Tues.  As soon as I can, I'll post the debug output, which btw, only goes to the apache error log and not to the browser as I was expecting.  I guess I need to re-read the docs on warningsToBrowser.

I doubt that it's a DNS issue, because ssh from the shell and from Net::SSH works without the time lag.  To rule out DNS, I'll run a test using the IP address, but this problem only shows up when using Net::SSH::Perl.
BTW, I've also posted this question in the mailing list for the module ( http://lists.sourceforge.net/lists/listinfo/ssh-sftp-perl-users ) and may send an email directly to the module's maintainer, if we can't find a solution.
Net::SSH should be faster than Net::SSH::Perl.
What goes wrong in a cgi environment?
I haven't done a lot of troubleshooting of Net::SSH, but it appears to be a problem with accessing the ssh key(s) when used in a cgi environment.  Which makes sense because I think it's looking for the key in /home/apache/.ssh which doesn't exist because apache is a no login account.

My first attempts in the script were going out to the shell and using the system ssh command, and then I tested Net::SSH.  Both of which work fine in most scripts, but not in my cgi environment.  I ran a test by giving apache a login shell and after moving over the ssh keys, the cgi ssh script worked.  Since Net::SSH is a wrapper for the system's ssh command and we don't want to have shell access for the apache account, I held off the additional testing of that approach and moved to testing Net::SSH::Perl.

If there is a way to use Net::SSH in a cgi environment without giving apache a login shell, I would probably prefer going that route instead of Net::SSH::Perl.
On most systems, the Apache user doesn't have a login shell.  Typical settings are /sbin/nologin or /bin/false

Running ssh or Net::SSH should not require a login shell for the user concerned if you have the ssh keys already set up.  However, it does depend on what you want to do on the other end of the ssh connection.  If you want to run a command, then the remote user will need a valid login shell.  However, if you just want to transfer files, then a shell of /bin/false (or similar) is sufficient.
The web app I'm developing is for email account administration on our imap servers, so I need to be able to create, modify and delete user accounts on each server.  I realize that the apache user normally doesn't have a login shell; I created one just for testing/debugging the script.  The production script won't have a login shell for apache.
If that's the case, then Net::SSH should work just fine.
I got a response back on the module's mailing list and installing Math::BigInt is supposed to solve the problem.  I'll test it on Tues and let you know.

One advantage of the Net::SSH::Perl module is that it keeps the socket connection open so that I don't need to do the key exchange/authorization for each call like would happen if I used the shell or Net::SSH.
Sorry for the delay in posting an update.  Due to the holidays and other issues at work, I had to put this on a "back burner".

After receiving a couple other responses from the mailing list and doing a little testing, I found out that Math::BigInt wasn't the only missing module.  The most important missing module was Math::BigInt::GMP which needed Math::BigInt and YAML.  After installing those 3 modules, authentication time dropped to .5 to 2 seconds depending on the server load.
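
A preflight check for the fix reported above, as an added example that is not part of the original thread: it reports whether the three modules named in the last post load, which Math::BigInt backend is active, and how long one 1024-bit modular exponentiation (the kind of operation an SSH key exchange performs) takes. The operand values are constructed, and the link between the slow login and the pure-Perl backend is an assumption consistent with the thread, not something the posters state.

```perl
#!/usr/bin/perl
# Added example (not from the thread): preflight check for the bignum modules.
use strict;
use warnings;
use Time::HiRes qw(time);

# Module names are the three listed in the last post above.
my @wanted = qw(Math::BigInt Math::BigInt::GMP YAML);

my %have;
for my $mod (@wanted) {
    # String eval: a missing module is reported instead of aborting the script.
    $have{$mod} = eval "require $mod; 1" ? 1 : 0;
    printf "%-18s %s\n", $mod, $have{$mod} ? 'installed' : 'MISSING';
}
die "Math::BigInt is not installed, nothing to time\n"
    unless $have{'Math::BigInt'};

# Request the GMP backend. If it cannot be loaded, Math::BigInt falls back
# to its pure-Perl backend (Math::BigInt::Calc) without raising an error.
Math::BigInt->import(try => 'GMP');
my $backend = Math::BigInt->config()->{lib};
print "active backend:    $backend\n";

# Constructed 1024-bit operands, for timing only; not real DH parameters.
my $modulus  = Math::BigInt->new('0x' . 'f1' x 128);
my $base     = Math::BigInt->new('0x' . '3c' x 100);
my $exponent = Math::BigInt->new('0x' . 'a5' x 128);

my $start  = time;
my $result = $base->copy->bmodpow($exponent, $modulus);
my $took   = time - $start;
printf "1024-bit modpow:   %.4f s\n", $took;

# Sanity check: the result must be reduced below the modulus.
die "unexpected modpow result\n" unless $result < $modulus;

# Non-zero exit lets a deployment script fail when the fast backend is absent.
exit($backend eq 'Math::BigInt::GMP' ? 0 : 1);
```

Run it with the same perl interpreter and environment the CGI script uses, since a module installed for one perl is not visible to another.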