What slows down my ssh login?

Question

Every time I ssh login to a server, it is always very slow. As a reply to my earlier post said, "grepping through a 200 line file should take millisecond or so, so I would doubt it's that."

I tried ssh -vvv time@server and the output has been uploaded here. I found that when proceeding to each of these three lines in the output, it is particularly slow:

debug1: Next authentication method: gssapi-with-mic 

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found 


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

I wonder why and what I can do to change it? Thanks and regards!

Update:

Ignacio's reply suggests me to "disable all GSS/Kerberos auth methods in your configuration."

So in /etc/ssh/ssh_config, do I have to make sure "no" is behind each of all options starting with "GSS": GSSAPIAuthentication, GSSAPIDelegateCredentials, GSSAPIKeyExchange, GSSAPITrustDNS, GSSAPIAuthentication, and GSSAPIDelegateCredentials?

Then what are the options for "Kerberos" auth method that I need to put "no" behind?

PS: following is the content of my local /etc/ssh/ssh_config with commented options not copied to here:

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

@Gilles: Thanks, I fixed my problem from that post. Before I had to wait the cursor to flash 30 times, now it takes the cursor to flash 7 times. (1) Is it now a normal speed to wait the cursor to flash 7 times? (2) Why does it work by commenting out GSSAPIAuthentication yes and GSSAPIDelegateCredentials no? — Tim, Jan 20 '12 at 00:18
Here is an answer that addresses a possible cause for slow down. — Marcelo Roberto Jimenez, Oct 24 '16 at 21:59

score 15 · Answer 1 · answered Jan 19 '12 at 01:13

15

debug1: Next authentication method: gssapi-with-mic

That's Kerberos. Disable all GSS/Kerberos auth methods in your configuration. See the ssh_config(5) man page, PreferredAuthentications option, for more details.

answered Jan 19 '12 at 01:13

Ignacio Vazquez-Abrams

45,725

Thanks! By "your configuration", you mean my local one or the remote server's? – Tim Jan 19 '12 at 01:45
PreferredAuthentications is on the client. On the server, use GSSAPIAuthentication instead. – Ignacio Vazquez-Abrams Jan 19 '12 at 01:48
1

Thanks! So in /etc/ssh/ssh_config, (1) do I have to make sure "no" is behind each of all options starting with "GSS": GSSAPIAuthentication, GSSAPIDelegateCredentials, GSSAPIKeyExchange, GSSAPITrustDNS, GSSAPIAuthentication, and GSSAPIDelegateCredentials? (2) what are the options for "Kerberos" auth method that I need to put "no" behind?
PS: I just updated my post with the content of my local /etc/ssh/ssh_config.
– Tim Jan 19 '12 at 02:02
1
Modifying PreferredAuthentications is enough. 2. Kerberos uses GSS; disabling GSS is enough.

Ignacio Vazquez-Abrams

Jan 19 '12 at 02:06

Thanks! May I ask how to modify PreferredAuthentications? I cannot find it in ssh_config(5) manpage – Tim Jan 19 '12 at 02:10

Which version are you running that doesn't have it? – Ignacio Vazquez-Abrams Jan 19 '12 at 02:15

ssh version is OpenSSH_5.5p1 Debian-4ubuntu6, OpenSSL 0.9.8o 01 Jun 2010. I can't find PreferredAuthentications in my /etc/ssh/ssh_config file for me to modify. – Tim Jan 19 '12 at 02:20

I put PreferredAuthentications no in my /etc/ssh/ssh_config, but it doesn't work because ofPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive). – Tim Jan 20 '12 at 00:16

Thank you; you solved my debilitating problem waiting 60 seconds to SSH into RedHat servers. – PP. Jun 21 '13 at 10:52

1

Leverage the SSH client config.d directory: Create a file /etc/ssh/ssh_config.d/10-gssapiauthentication-no.conf with the following content: GSSAPIAuthentication no ... And notice this is with directory /etc/ssh/ssh_config.d/, ... not /etc/ssh/sshd_config.d/ ... Because this is an SSH client configuration, not an SSH server configuration. – Abdull Feb 07 '23 at 18:22

score 3 · Answer 2 · answered Jan 19 '12 at 20:48

3

UseDNS no and CheckHostIP no should speed up things, too.

It is also a good security measure to allow protocol 2 only. If you don't need IPv6 disable it (AddressFamily).

answered Jan 19 '12 at 20:48

Nils

18,492

score 1 · Answer 3 · answered Aug 28 '14 at 11:24

For me I needed GSSAPI and I didn't want to turn off reverse DNS lookups, that just didn't seem like a good idea so I checked out the man page for resolv.conf. It turns out that a firewall between me and the servers I was SSHing to was interfering with DNS requests because they weren't in a form that the firewall expected. In the end all I needed to do was add this line to resolv.conf on the servers that I was SSHing to -

options single-request-reopen

For anyone investigating similar problems, see also: http://unix.stackexchange.com/a/141278/23367 — tuomassalo, Mar 09 '16 at 13:11

score 1 · Answer 4 · answered Jul 18 '13 at 20:07

Could it be ssh/etc/ssh_prng_cmds? There is a job in ssh that runs a series of commands to make stuff random as you log in. One of those commands is probably taking too long because it is doing something that is silly on your computer. The only thing I can think of now is that ssh requires the computer to cut down the largest tree in the forest with......

a HERRING.

So "run" some of these commands from a prompt and find out with one takes a long time to respond. Comment out THAT one.

What slows down my ssh login?

4 Answers4

Linked