ssh login delays

references: http://ask.xmodulo.com/fix-slow-ssh-login-issue-linux.html

How to fix a slow SSH login issue on Linux

Question: When I try to connect to a remote SSH server, it takes a very long time (30 seconds to 2 minutes) before the password prompt appears. Why is SSH login so slow to start, and how can I get rid of the long delay in SSH login?

If you have to wait a very long time for the SSH password prompt, several things could be going wrong. To troubleshoot the root cause of a slow SSH login, run the ssh command with the "-vvv" option, which shows what is happening behind the scenes during login.

$ ssh -vvv user@<ssh-server>

Here are possible solutions to the delayed SSH login problem.

Disable GSSAPI Authentication

One possible culprit, visible in the verbose SSH client log, is GSSAPI authentication. During SSH login, the SSH client goes through a series of authentication methods, one of which is GSSAPI authentication, where the SSH server contacts a GSSAPI server to validate the client. On Linux distros such as CentOS, GSSAPI authentication is enabled by default, and a GSS failure can add a long delay before the SSH session starts.

To disable GSSAPI authentication on an SSH server, look for "GSSAPIAuthentication" in /etc/ssh/sshd_config, and edit the line or add it as follows.

$ sudo vi /etc/ssh/sshd_config

GSSAPIAuthentication no

Then restart SSH server:

$ sudo /etc/init.d/ssh restart    (Debian, Ubuntu or Linux Mint)
$ sudo systemctl restart sshd     (Fedora)
$ sudo service sshd restart       (CentOS or RHEL)

Disable Reverse DNS Lookup

Another possible cause of slow SSH login is reverse DNS lookup. On Linux distros such as Ubuntu, when the SSH server receives a login request from a client, it performs a reverse DNS lookup of the client's IP address for security reasons. If the reverse DNS lookup fails, the lookup timeout adds to the SSH login delay.

To disable reverse DNS lookups on an SSH server, edit the SSH server configuration as follows.

$ sudo vi /etc/ssh/sshd_config

# add this line
UseDNS no

Then restart SSH server:

$ sudo /etc/init.d/ssh restart    (Debian, Ubuntu or Linux Mint)
$ sudo systemctl restart sshd     (Fedora)
$ sudo service sshd restart       (CentOS or RHEL)
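The two server-side checks above, as an added shell example that is not from the referenced article: it reads an sshd_config the way sshd does (first occurrence of a keyword wins), reports whether GSSAPIAuthentication or UseDNS could be adding delay, and constructs its own sample file; it assumes the relevant settings live in the global section rather than in Match blocks.

```shell
#!/bin/sh
# Added example (not from the referenced article): inspect an sshd_config for
# the two settings the article links to slow logins. sshd keeps the FIRST
# occurrence of a keyword, so that is what we report. Assumption: parsing stops
# at the first "Match" block; conditional overrides are out of scope.

# sshd_setting <sshd_config> <Keyword>: prints the lowercase value or "unset"
sshd_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v key="$key" '
        /^[ \t]*#/ || NF == 0 { next }                 # comments, blank lines
        tolower($1) == "match" { exit }                # global section ends
        tolower($1) == key { print tolower($2); exit } # first value wins
    ' "$1")
    printf '%s\n' "${v:-unset}"
}

# login_delay_risks <sshd_config>: prints one line per risky setting;
# the exit status is the number of risks found (0 means nothing to fix).
login_delay_risks() {
    n=0
    gss=$(sshd_setting "$1" GSSAPIAuthentication)
    dns=$(sshd_setting "$1" UseDNS)
    if [ "$gss" = yes ]; then
        echo "GSSAPIAuthentication=yes: a failing GSS exchange stalls the login"
        n=$((n + 1))
    fi
    # "unset" is flagged too: the article notes distros ship reverse lookups
    # enabled, and older OpenSSH releases defaulted UseDNS to yes.
    if [ "$dns" = yes ] || [ "$dns" = unset ]; then
        echo "UseDNS=$dns: reverse lookup of the client address can time out"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample config (not a real server's file) for a stand-alone run.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample
GSSAPIAuthentication yes
GSSAPIAuthentication no
Match User backup
UseDNS no
EOF
}

sample=$(mktemp) && write_sample_config "$sample"
login_delay_risks "$sample" || echo "risks found: $?"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on a slow server; a non-zero exit status points at the setting to change.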

2015-02-10 09:28:00 gstlouis

note: GSSAPI is not necessary so it is safe to work with the fix above.

references: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface

How it works

The GSSAPI, by itself, does not provide any security. Instead, security-service vendors provide GSSAPI implementations - usually in the form of libraries installed with their security software. These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only the vendor-independent GSSAPI. If the security implementation ever needs replacing, the application need not be rewritten.

The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) which hide the implementation detail from the higher-level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context has been established.

gstlouis
2015-02-10 09:34:47