[OpenWrt-Devel] Fwd: Removing Telnet

Janusz Dziemidowicz rraptorr at nails.eu.org
Tue Sep 8 12:31:10 EDT 2015

2015-09-08 18:00 GMT+02:00 Vittorio G (VittGam) <openwrt at vittgam.net>:
> Il 08.09.2015 17:42 Brent Thomson ha scritto:
>> Slowness probably depends on hardware as well as all the possibilities
>> listed by others. I have a model of router that always takes 2-3
>> seconds to initiate an SSH connection, just to set up encryption
>> (brief, but computationally intensive; happens with every connection).
>> 10 seconds seems really slow, though. Smells like DNS.
> It might not be DNS in fact. On AR9331 (MIPS 24k CPU, not that fast...)
> starting from Barrier Breaker SSH is pretty slow (3-4 seconds), so on
> slower routers the login time can be longer.
> If you login with ssh -v, you can see that it waits between
>> debug1: expecting SSH2_MSG_KEXDH_REPLY
> and
>> debug1: Server host key: RSA [...]
> If you check the CPU usage on the router while the client is waiting for
> the reply, you can see that dropbear is at 100%.

SSH time can be greatly reduced by using ECDSA host key. Dropbear can
be compiled with ECDSA support, however:
- it is disabled by default in OpenWRT
- startup script only generates RSA/DSA host keys, ECDSA host key must
be generated manually

Using 256 bit ECDSA host key reduces SSH login time for me from 0.7s
down to 0.13s. Tested on Netgear WNDR3800, ar71xx/generic, I am not
sure about other architectures.
I can try to send a patch that enables ECDSA by default and fixes the
startup script, if there is any interest. dropbear package size
increases by about 20kB.

Janusz Dziemidowicz
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list