Fixing SSH Login Long delay

Source: Internet
Author: User
Tags openssh server ssh server

Original: http://injustfiveminutes.com/2013/03/13/fixing-ssh-login-long-delay/

For a long time I had a problem with SSH login on a Red Hat 6 server: it was taking too long to connect to it, a delay of some seconds. Normally it hasn't been a big issue. After all, you connect once and work all day, as long as you enable server keepalive packets to avoid session timeout.

However, when it comes to working with SFTP or Git it can become annoying. Every time you do an SFTP upload or a git push, you have to wait for those seconds again.

This kind of problem is often related to DNS issues, but that is not always the case. The following are the most common solutions:

1. Disable reverse IP resolution on SSH server

It turns out there is a setting in OpenSSH that controls whether sshd should not only resolve remote host names but also check whether the resolved host names map back to the remote IPs. Apparently, that setting is enabled by default in OpenSSH. The directive UseDNS controls this particular behaviour, and while it is commented out in sshd_config (which is the default configuration file for the OpenSSH daemon in most environments), as per the man page for sshd_config, the default for UseDNS is enabled. Add the following line:

UseDNS no

2. DNS resolver fix for IPv4/IPv6 enabled stacks

It's a known issue covered in the Red Hat Knowledgebase article DOC-58626, but since it's closed without login, I'll share the solution below:

The resolver uses the same socket for the A and AAAA requests. Some hardware mistakenly sends back only one reply. When that happens, the client system will sit and wait for the second reply. Turning this option on changes this behavior so that if two requests from the same port are not handled correctly, it will close the socket and open a new one before sending the second request.

The solution is to add the following line to your /etc/resolv.conf. Just add it all the way at the bottom, as the last line.

options single-request-reopen

3. Disable GSSAPI Authentication method

OpenSSH server enables by default the GSSAPI key exchange, which allows you to leverage an existing key management infrastructure such as Kerberos or GSI, instead of having to distribute SSH host keys throughout your organisation. With GSSAPI key exchange, servers do not need SSH host keys when being accessed by clients with valid credentials.

If you are not using GSSAPI as an authentication mechanism, it might be causing this connection delay.

In my particular case, I ran ssh -v myserver to find out it was hanging whilst attempting to authenticate with GSSAPI, with the slow sections looking like:

...
debug2: key: /home/user/.ssh/id_rsa (0xb961d7a8)
debug2: key: /home/user/.ssh/id_dsa ((nil))
debug2: key: /home/user/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure.  Minor code may provide more information

It turned out that it was stalling after trying the gssapi-with-mic authentication method. I had several "Unspecified GSS failure" messages with several seconds delay between them, therefore it was definitely the root cause of the long delays.

The fix is simple: disable attempts to use GSS-API by adding the following to /etc/sshd_config (server side) or your ~/.ssh/ssh_config (client side).

GSSAPIAuthentication no

There is an easy way to check beforehand whether this solution would work. Try to SSH into your server with GSSAPI authentication disabled:

ssh -o GSSAPIAuthentication=no [email protected]
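
A way to confirm that the three fixes above actually took effect, as an added example that is not part of the original post: it reads an sshd_config and a resolv.conf with the rules the daemons apply, where the first uncommented value of a keyword wins in sshd_config and the resolv.conf keyword must be the lower-case word options at the start of a line. The function names and the sample files are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: report the three settings this article changes.

# sshd_value FILE KEYWORD: print the global value of KEYWORD, or "unset".
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted. Parsing stops at the
# first Match block because settings below it are conditional.
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        NF == 0 { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# resolver_has_option FILE OPTION: succeed if an "options" line lists OPTION.
resolver_has_option() {
    awk -v opt="$2" '
        /^options[ \t]/ { for (i = 2; i <= NF; i++) if ($i == opt) ok = 1 }
        END { exit !ok }
    ' "$1"
}

# audit SSHD_CONFIG RESOLV_CONF: one line per fix from the article.
audit() {
    echo "UseDNS: $(sshd_value "$1" UseDNS)"
    echo "GSSAPIAuthentication: $(sshd_value "$1" GSSAPIAuthentication)"
    if resolver_has_option "$2" single-request-reopen; then
        echo "single-request-reopen: present"
    else
        echo "single-request-reopen: missing"
    fi
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '#UseDNS yes' 'usedns=no' 'GSSAPIAuthentication yes' \
    'GSSAPIAuthentication no' 'Match User backup' '  X11Forwarding no' \
    > "$demo/sshd_config"
printf '%s\n' 'nameserver 192.0.2.53' 'Options single-request-reopen' \
    > "$demo/resolv.conf"
audit "$demo/sshd_config" "$demo/resolv.conf"
```

On the sample input the appended GSSAPIAuthentication no line has no effect because an earlier uncommented line already set the value, and the capitalised Options line is not recognised by the resolver. Both are common reasons a fix appears not to work after editing the file.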
