57

I have noticed that some Linux servers in the network take a long time to connect to using ssh.

Situations:

There are two situations I have faced:

  1. On some servers it sometimes takes a long time to ask for the password.

  2. But on other servers, when I insert the password it doesn't respond, and after some time, say 20 or 30 seconds, it just says Connection Closed.

Details for case 1:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/umairmustafa/.ssh/id_rsa
debug1: Trying private key: /home/umairmustafa/.ssh/id_dsa
debug1: Trying private key: /home/umairmustafa/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
Anthon
OmiPenguin
  • 2
    Please include the last few lines from running with ssh -vv when it's taking a long time to respond. Also, if you have access to the server logs, the entries from your connecting will probably be helpful as well. As the question stands, any answer can only really be guesswork. – user Feb 17 '13 at 12:05
  • Updated Question. – OmiPenguin Feb 17 '13 at 13:21
  • Much better now. I don't have an answer, but it's plenty more answerable with the additional information. +1. – user Feb 17 '13 at 14:00

5 Answers

54

I had this same problem just this morning...

Edit your /etc/ssh/sshd_config to set GSSAPIAuthentication no

daisy
MikeV
  • yes, this worked good – Silver Moon Mar 15 '14 at 05:12
  • 7
    I had to run /sbin/service sshd restart after the edit to get this to work – ContextSwitch Jul 18 '14 at 18:37
  • 1
    That worked for me (specifically, setting this on the client machine that I was trying to log in to, then restarting sshd on it). – Charles Rezk Apr 10 '16 at 17:34
  • 6
    Care to elaborate further? Why should we do this? – Timothy Pulliam Oct 10 '18 at 15:05
  • 2
    @TimothyPulliam - A few thoughts: 1) OpenSSH uses this API and the underlying Kerberos 5 code to provide an alternative means of authentication other than ssh_keys, and I suspect most users are just using ssh_keys. 2) From Oracle Linux Finding V-22473: "Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed." So it sounds like it improves security. 3) Users who can't edit /etc/ssh/sshd_config can put it in their ~/.ssh/config file. – MikeV Oct 31 '18 at 23:53
  • Is there a plan B if this doesn't solve the problem? // In my case, I'm ssh'ing from one RHEL 7 box to another, both VMs. I have root on the remote, edited both ssh_config and sshd_config just to be sure, restarted sshd, and local still hangs before password prompt. // How can I diagnose this further? I could use another answer to this question fleshing this out more, even if I have to write it myself... – Paul Brinkley Jan 10 '19 at 15:27
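Added example, not part of the original question or of any answer or comment: a short Python parser run over the debug output from the question. It shows that gssapi-with-mic logged four GSS failures and was dropped without sending a packet before the client moved on, which is the attempt that `GSSAPIAuthentication no` skips. The function names are illustrative.

```python
import re

# Client debug output copied from the question on this page (blank lines dropped).
QUESTION_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/umairmustafa/.ssh/id_rsa
debug1: Trying private key: /home/umairmustafa/.ssh/id_dsa
debug1: Trying private key: /home/umairmustafa/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""

NEXT_METHOD = re.compile(r"^debug\d: Next authentication method: (\S+)")

def summarize_auth(log):
    """Per attempted method: GSS failures, key files tried, disabled without a packet."""
    methods, current = {}, None
    for line in log.splitlines():
        m = NEXT_METHOD.match(line)
        if m:
            current = methods.setdefault(
                m.group(1), {"gss_failures": 0, "keys_tried": 0, "disabled": False})
        elif current is None:
            continue
        elif "Unspecified GSS failure" in line:
            current["gss_failures"] += 1
        elif "Trying private key:" in line:
            current["keys_tried"] += 1
        elif "we did not send a packet" in line:
            current["disabled"] = True
    return methods

def client_overrides(log):
    """ssh_config line to add when the GSSAPI attempt only produced failures."""
    gss = summarize_auth(log).get("gssapi-with-mic")
    return ["GSSAPIAuthentication no"] if gss and gss["gss_failures"] and gss["disabled"] else []
```

Feed it the saved output of `ssh -vv` for a slow host to see which methods were tried and abandoned before the password prompt.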
29

Often this happened to me when DNS was not correctly configured, but SSH is trying to do a reverse lookup on every connect, so it might be waiting for some high timeouts. Try doing this in /etc/ssh/sshd_config:

UseDNS no

And then restart the SSH daemon. This will make it not use reverse lookups anymore.

Rui F Ribeiro
replay
  • 4
    That is just papering over a serious problem. Fix DNS. – vonbrand Feb 17 '13 at 13:19
  • 2
    Not necessarily, we just decided to not use DNS in our production environment. – replay Feb 17 '13 at 13:29
  • 1
    Great idea. Just manage /etc/hosts by hand on all your machines. Welcome back to the good old days of the nascent Internet! – vonbrand Feb 17 '13 at 13:41
  • I agree with you that in 90% of the cases it totally makes sense to have an internal DNS, just in our particular case it did not. – replay Feb 17 '13 at 13:45
  • 3
    @vonbrand Sounds like FUD. What reasoning do you have that UseDNS no is bad? – phemmer Aug 12 '14 at 16:25
  • 2
    @Patrick The option itself isn't bad, but it shouldn't be used to hide, "paper" over a DNS problem (which would probably be more important). – John WH Smith Oct 28 '14 at 17:51
  • @JohnWHSmith what aspect of the DNS server is not working properly that makes UseDNS no faster? – localhost Jul 27 '17 at 04:08
7

If you do not want to change any server configurations, go to $HOME/.ssh/config and add:

Host *
  GSSAPIAuthentication no
Mutuma
5

I found another reason that was causing ssh to take a minute or two to connect. If you make your connection as follows:

ssh -i keypair.pem user@hostname.domain.com

and hostname.domain.com has both an IPv4 and IPv6 address, it stalls out trying to connect over IPv6 first, then finally falls back to IPv4.

Simple fix, force it to use IPv4 only.

ssh -4 -i keypair.pem user@hostname.domain.com

Or connect by IP address directly

ssh -i keypair.pem user@30.40.50.60
selbie
  • Thanks @selbie. If this is the case you can then add AddressFamily inet to your ~/.ssh/config for this host. – Cyrille Nov 06 '20 at 09:34
2

I have recently found another cause of slow ssh logins.

Even if you have "UseDNS no" in /etc/sshd_config, sshd may still perform reverse DNS lookups if /etc/hosts.deny has an entry like nnn-nnn-nnn-nnn.rev.some.domain.com. That might happen if you have Denyhosts installed in your system.

It would be great if someone knew how to make Denyhosts avoid putting this kind of entry in /etc/hosts.deny.

Here is a link to the Denyhosts FAQ on how to remove entries from /etc/hosts.deny
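Added example, not from any answer on this page: a Python check for the server-side causes named in the answers above (GSSAPIAuthentication, UseDNS, and name-based entries in /etc/hosts.deny). The sample file contents are constructed, the function names are illustrative, and only settings outside `Match` blocks are read.

```python
import re

# Constructed sample files, not taken from a real host.
SSHD_CONFIG = """\
UseDNS no
GSSAPIAuthentication yes
gssapiauthentication no
Match Address 10.0.0.0/8
    GSSAPIAuthentication yes
"""
HOSTS_DENY = """\
sshd: 192.0.2.15
sshd: 198-51-100-7.rev.example.net
ALL: .example.org, 203.0.113., [2001:db8::]/32
"""

def global_setting(config, keyword):
    """Value sshd uses outside Match blocks: the first one read, keywords
    case-insensitive. None means unset, so the build default applies."""
    for raw in config.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=2)
        if parts[0].startswith("#") or len(parts) < 2:
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower():
            return parts[1].lower()
    return None

def name_based_entries(hosts_deny):
    """hosts.deny client patterns that are names rather than addresses; per
    the last answer, these make sshd look up the client's name."""
    found = []
    for raw in hosts_deny.splitlines():
        line = raw.strip()
        if line.startswith("#") or ":" not in line:
            continue
        # Drop bracketed IPv6 patterns, then keep only the client list field.
        rest = re.sub(r"\[[^\]]*\](/\d+)?", " ", line.split(":", 1)[1])
        for tok in re.split(r"[\s,]+", rest.split(":", 1)[0].strip()):
            if tok and tok not in ("ALL", "EXCEPT") and not re.fullmatch(r"[0-9./]+", tok):
                found.append(tok)
    return found

def audit(config, hosts_deny):
    """Findings for the slow-login causes named in the answers on this page."""
    out = [f"{k} is yes" for k in ("GSSAPIAuthentication", "UseDNS")
           if global_setting(config, k) == "yes"]
    return out + [f"hosts.deny names a host: {e}" for e in name_based_entries(hosts_deny)]
```

On a live server, `sshd -T` run as root prints the effective settings, including defaults and included files that this check does not read.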