4

As the title says. Upgraded Bookworm > Trixie, and now ssh is hanging 10 seconds at login, via home local network, when it never used to.

```
2025-08-17T16:07:29.828339+10:00 debian sshd-session[4260]: debug3: monitor_read: checking request 22
2025-08-17T16:07:29.829163+10:00 debian sshd-session[4260]: debug3: mm_answer_keyallowed: entering
2025-08-17T16:07:29.830353+10:00 debian sshd-session[4260]: debug1: temporarily_use_uid: 0/0 (e=0/0)
*note 10 seconds between actions*
2025-08-17T16:07:38.982142+10:00 debian sshd-session[4260]: debug1: restore_uid: 0/0
2025-08-17T16:07:38.983847+10:00 debian sshd-session[4260]: debug1: temporarily_use_uid: 0/0 (e=0/0)
2025-08-17T16:07:38.984723+10:00 debian sshd-session[4260]: debug1: trying public key file /root/.ssh/authorized_keys
2025-08-17T16:07:38.987609+10:00 debian sshd-session[4260]: debug1: fd 11 clearing O_NONBLOCK
```

Loglevel DEBUG3. Before the upgrade, it never hung. Now it hangs for 10 seconds nearly every login, but not every login. I have set UseDNS no, UsePAM no in sshd_config. I have diffed sshd_config's and there's no setting changes or additions. I've disabled IPV6 in /etc/sysctl.conf with

```
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
```

It doesn't appear to be the hard drive spinning down; although hdparm is set to only 120, it does it if I log in, and immediately open another session. For what it's worth, running ps is also often slow to respond, taking 10 seconds to output anything. This is a Seagate nas system that has run flawlessly in the past. It doesn't appear to be a process hogging cpu cycles or ram; the nas has a very average processor that, when taxed, makes the fan run at high speed. This is not occurring, top shows load average: 0.18, 0.21, 0.17 and MiB Mem 489.9 total, 132.3 free, 142.6 used, 244.6 buff/cache.

4
  • What's the output of grep -E '^(passwd|group):' /etc/nsswitch.conf? Commented Aug 17 at 11:13
  • 1
    I'd do some strace -tt -ff -o some-file on the sshd process to see what it's doing. Commented Aug 17 at 11:15
  • @StéphaneChazelas passwd: files systemd winbind group: files systemd winbind Commented Aug 17 at 11:52
  • That's most likely down to queries to winbind for group membership which may timeout for some reason (like the Microsoft domain controller not being reachable) Commented Aug 17 at 12:51
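Added example, not part of the original question or comments: a small Python helper that locates pauses like the one in the log excerpt by comparing consecutive timestamps per process ID, so interleaved sessions do not hide or split a gap. The function name `find_stalls`, the 2-second threshold and the PID 4999 line are assumptions made for this illustration; the other sample lines are taken from the question.

```python
import re
from datetime import datetime

# Sample input: lines for PID 4260 come from the question's excerpt; the
# PID 4999 line is constructed here to show an interleaved second session.
SAMPLE = """\
2025-08-17T16:07:29.828339+10:00 debian sshd-session[4260]: debug3: monitor_read: checking request 22
2025-08-17T16:07:29.829163+10:00 debian sshd-session[4260]: debug3: mm_answer_keyallowed: entering
2025-08-17T16:07:29.830353+10:00 debian sshd-session[4260]: debug1: temporarily_use_uid: 0/0 (e=0/0)
*note 10 seconds between actions*
2025-08-17T16:07:31.000000+10:00 debian sshd-session[4999]: debug1: restore_uid: 0/0
2025-08-17T16:07:38.982142+10:00 debian sshd-session[4260]: debug1: restore_uid: 0/0
2025-08-17T16:07:38.984723+10:00 debian sshd-session[4260]: debug1: trying public key file /root/.ssh/authorized_keys
"""

# timestamp, hostname (ignored), program, pid, message
LINE_RE = re.compile(r"^(\S+) \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")

def find_stalls(lines, threshold=2.0):
    """Return (pid, gap_seconds, message_before, message_after) for every
    pause longer than `threshold` seconds within one process's log lines."""
    last, stalls = {}, []          # last: (program, pid) -> (timestamp, message)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # annotations, blank lines, other formats
        stamp, prog, pid, msg = m.groups()
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue               # not an ISO 8601 timestamp
        key = (prog, pid)
        if key in last:
            gap = (ts - last[key][0]).total_seconds()
            if gap > threshold:
                stalls.append((int(pid), gap, last[key][1], msg))
        last[key] = (ts, msg)
    return stalls

if __name__ == "__main__":
    for pid, gap, before, after in find_stalls(SAMPLE.splitlines()):
        print(f"pid {pid}: {gap:.3f}s between {before!r} and {after!r}")
```

The message before the gap shows where the process was waiting. In OpenSSH, `temporarily_use_uid` calls `initgroups()`, which resolves group membership through the `group:` line of `/etc/nsswitch.conf`.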

1 Answer

4

Edit: samba-dcerpcd being called and taking time to start is the root cause of my system hangs. It is required for Samba to work on my system. It is called at ssh login, when executing ps, and during samba connections. It takes ~8 seconds to start, and then in turn calls 2 instances of rpcd_lsad which take 2-3 seconds to start. The fix in my instance is to run it as a daemon using systemd, and thus it is always running and not constantly starting and stopping. This can be achieved by creating a unit file that will call it at the appropriate time, usually at system startup.

The following steps will enable samba-dcerpcd to run as a daemon on a systemd enabled system.

Make a file, as root, in /etc/systemd/system called samba-dcerpcd.service containing the code:

```
[Unit]
Description=Samba DCERPC Daemon
After=network.target smbd.service

[Service]
Type=forking
PIDFile=/var/run/samba/samba-dcerpcd.pid
ExecStart=/usr/libexec/samba/samba-dcerpcd -D --libexec-rpcds --ready-signal-fd=23 --debuglevel=0

[Install]
WantedBy=multi-user.target
```

Note that the line of code after ExecStart= may be system specific; check your terminal for the running version with ps | grep samba-dcerpcd and copy it, but ensure you remove --np-helper when you copy the command to your unit file (it won't run as a daemon with this switch present) and add -D to daemonize it.

Run the commands systemctl daemon-reload, systemctl enable samba-dcerpcd.service (to enable autorun at boot time) and then systemctl start samba-dcerpcd.service to start it now (you only need to do these commands once).

You also must add the line rpc start on demand helpers = false under the [global] section of /etc/smb.conf else it will not daemonize.

4
  • Is that machine integrated in a Microsoft Windows domain or even itself a Microsoft domain controller? If not, it may be preferable not to integrate the system's name service with samba and remove those winbind from nsswitch.conf. Commented Aug 19 at 8:29
  • It's a nas running Debian. I'm not sure if it's any of those things you mentioned. Could you provide more information on what you're proposing? Commented Aug 19 at 8:46
  • Is it a NAS running Debian in a Microsoft-Windows-centric corporate environment? Are users and groups there local to the NAS or managed centrally in a Microsoft Active Directory? Or in a samba based directory on the NAS itself? Commented Aug 19 at 10:49
  • It's a home system, and I created a user tony on the nas who owns the shares, which is the same username on my Windows 11 laptop that accesses it. I'm not sure if that means it's local to the nas or in a samba based directory. Commented Aug 19 at 11:12
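Added example, not code from the answer or from the Samba project: a Python check of the three conditions the answer names (no `--np-helper` and a `-D` in `ExecStart`, and `rpc start on demand helpers` set to false under `[global]`). The names `parse_ini` and `check` and the trimmed sample file contents are constructed for this illustration; backslash line continuations and `include` directives in smb.conf are not handled.

```python
import shlex

# Constructed, trimmed samples mirroring the answer's unit file and smb.conf change.
UNIT = """\
[Unit]
After=network.target smbd.service
[Service]
Type=forking
PIDFile=/var/run/samba/samba-dcerpcd.pid
ExecStart=/usr/libexec/samba/samba-dcerpcd -D --libexec-rpcds --ready-signal-fd=23 --debuglevel=0
"""
SMB_CONF = """\
[Global]
   ; rpc start on demand helpers = true
   RPC Start On Demand Helpers = No
"""

def _norm(name):  # Samba ignores case and whitespace in section/parameter names
    return "".join(name.split()).lower()

def parse_ini(text):
    """Minimal INI reader: {section: {parameter: value}} with normalised names."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = out.setdefault(_norm(line[1:-1]), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[_norm(key)] = value.strip()
    return out

def check(unit_text, smb_text):
    """Return a list of problems; an empty list means all three conditions hold."""
    problems = []
    args = shlex.split(parse_ini(unit_text).get("service", {}).get("execstart", ""))
    if "--np-helper" in args:
        problems.append("ExecStart still contains --np-helper")
    if "-D" not in args:
        problems.append("ExecStart lacks -D")
    val = parse_ini(smb_text).get("global", {}).get("rpcstartondemandhelpers", "")
    if val.lower() not in ("no", "false", "off", "0"):   # Samba's false spellings
        problems.append("[global] rpc start on demand helpers is not false")
    return problems

if __name__ == "__main__":
    print(check(UNIT, SMB_CONF))
```

To run it against a live system, pass the contents of the real unit file and of the smb.conf that Samba loads; `testparm -s` prints which file that is.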
