X11 Forwarding very slow


Server: openSUSE 12.3 (x86_64)
Client: putty
Firewall: Disabled
IPv6: Disabled
Connection:GbE LAN


Dear all,

I have setup X11 forwarding in openSUSE 12.3 and I am able to run applications such as konsole, kate from client, but the response is very slow.
After starting kate, “Tip of the Day” takes about 5 seconds to appear.
Same with menus. They appears 5 seconds after clicking.

I also have a machine with openSUSE 12.1, but it is working normally with fast response.
So seems like the problem is on SUSE 12.3.

I have also tested on SUSE 12.2 and it also had the same problem for me.

Could someone tell me what could be the cause of the slow response?

Thank you

sshd_config of SUSE 12.3:

$OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

This is the sshd server system-wide configuration file. See

sshd_config(5) for more information.

This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options override the

default value.

#Port 22
AddressFamily inet
ListenAddress 0.0.0.0
#ListenAddress ::

The default requires explicit activation of protocol 1

#Protocol 2

HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h
#ServerKeyBits 1024

Logging

obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH
#LogLevel INFO

Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

but this is overridden so installations will only check .ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

similar for protocol version 2

#HostbasedAuthentication no

Change to yes if you don’t trust ~/.ssh/known_hosts for

RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

Don’t read the user’s ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

To disable tunneled clear text passwords, change to no here!

PasswordAuthentication no
#PermitEmptyPasswords no

Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

Kerberos options

#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

GSSAPI options

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

Set this to ‘yes’ to enable support for the deprecated ‘gssapi’ authentication

mechanism to OpenSSH 3.8p1. The newer ‘gssapi-with-mic’ mechanism is included

in this release. The use of ‘gssapi’ is deprecated due to the presence of

potential man-in-the-middle attacks, which ‘gssapi-with-mic’ is not susceptible to.

#GSSAPIEnableMITMAttack no

Set this to ‘yes’ to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the ChallengeResponseAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via ChallengeResponseAuthentication may bypass

the setting of “PermitRootLogin without-password”.

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and ChallengeResponseAuthentication to ‘no’.

UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes

#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

no default banner path

#Banner none

override default of no subsystems

Subsystem sftp /usr/lib/ssh/sftp-server

This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

Example of overriding settings on a per-user basis

#Match User anoncvs

X11Forwarding no

AllowTcpForwarding no

ForceCommand cvs server


sshd_config of SUSE 12.1:

$OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $

This is the sshd server system-wide configuration file. See

sshd_config(5) for more information.

This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options change a

default value.

#Port 22
AddressFamily inet
ListenAddress 0.0.0.0
#ListenAddress ::

The default requires explicit activation of protocol 1

#Protocol 2

HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h
#ServerKeyBits 1024

Logging

obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH
#LogLevel INFO

Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

similar for protocol version 2

#HostbasedAuthentication no

Change to yes if you don’t trust ~/.ssh/known_hosts for

RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

Don’t read the user’s ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

To disable tunneled clear text passwords, change to no here!

PasswordAuthentication no
#PermitEmptyPasswords no

Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

Kerberos options

#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

GSSAPI options

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

Set this to ‘yes’ to enable support for the deprecated ‘gssapi’ authentication

mechanism to OpenSSH 3.8p1. The newer ‘gssapi-with-mic’ mechanism is included

in this release. The use of ‘gssapi’ is deprecated due to the presence of

potential man-in-the-middle attacks, which ‘gssapi-with-mic’ is not susceptible to.

#GSSAPIEnableMITMAttack no

Set this to ‘yes’ to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the ChallengeResponseAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via ChallengeResponseAuthentication may bypass

the setting of “PermitRootLogin without-password”.

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and ChallengeResponseAuthentication to ‘no’.

UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

no default banner path

#Banner none

override default of no subsystems

Subsystem sftp /usr/lib/ssh/sftp-server

This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

Example of overriding settings on a per-user basis

#Match User anoncvs

X11Forwarding no

AllowTcpForwarding no

ForceCommand cvs server


A bit late but did you find a solution for your problem. I have a new server running openSUSE 12.3 and X11forwarding is really slow on this. I have an old box running openSUSE 11.4 and there it’s much faster.

If I run ssh -Y -C … then it’s somewhat faster but not as fast as on the old box.

/Anders

Sorry, this is late, but I have been having the same problem. In my case it’s slow only when opening QT4 applications remotely. I think that this Ubuntu thread is related:

https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1077965

Setting the environment variable QT_GRAPHICSSYSTEM=“native” mitigates the problem but it does not completely eliminates it in my case. It really affects only QT4 applications. QT3 and GTK applications run fine. There is an article here about the new QT raster engine which might be the culprit:

Qt Graphics and Performance – The Raster Engine | Qt Blog