Sunday, October 14, 2007

Slow SSH logins in Ubuntu Feisty (7.04)

There are two major reasons (I know of) that can cause extremely slow SSH logins - anywhere in the range of 15-30 seconds. It doesn't seem like a long time, but it takes forever to wait that out sitting at the terminal.

Say no to GSSAPIAuthentication


For some reason, GSSAPIAuthentication is turned on by default in Ubuntu Feisty (7.04). If you ssh -v somewhere.com, you'll see this in the output:
...
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2_MSG_KEXINIT sent
...

There are two ways to fix it. You can edit either /etc/ssh/ssh_config to include
GSSAPIAuthentication no

Or, you can edit ~/.ssh/config and add the same line. The only difference is that /etc/ssh/ssh_config will affect all systems users - probably a good thing.

Slow/broken DNS lookups


Each time you log into an OpenSSH server, it will typically perform a reverse-lookup on your IP address and store it in wtmp (try running the command "last"). If that DNS lookup times out, you'll be in for a big delay. Whats worse, OpenSSH has a habit of performing the lookup 3 or 4 times, further extending the delay to 30 seconds or more.

Its generally best to fix the source of the problem by fixing whatever problem exists in your DNS infrastructure. This could be as simple as pointing /etc/resolv.conf to the correct nameserver.

If you're really in a bind, you can pass the -u0 flag to sshd. Unfortunately, the sshd man page does not reveal any config file options to accomplish the same thing. But, the -u0 flag will stop sshd from performing any lookups that are not absolutely necessary as part of the authentication mechanism.

No comments:

Post a Comment