ssh takes a long time to connect on some hosts

Solution 1:

Since you are getting a GSS failure, you can try adding:

    GSSAPIAuthentication no

to /etc/ssh/sshd_config. Then restart the service:

    /etc/init.d/sshd restart

Solution 2:

Try adding the following line to /etc/ssh/sshd_config on node2:

    UseDNS no

Then restart sshd:

    /etc/init.d/ssh restart

Or if the above doesn't exist:

    /etc/init.d/sshd restart

Solution 3:

Edit /etc/ssh/sshd_config on the server and add UseDNS no at the bottom (if it's not there), then restart the SSH daemon.

This will stop your machines from resolving DNS and will speed up the process.

Solution 4:

  1. Take a look here: OpenSSH FAQ, especially chapter 3.3. It also points to some other possible delay causes.
  2. Or, the most appropriate method to identify the problem is to connect using ssh in debug mode:

    # ssh -v <Server name>
    
    OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to mysql [192.168.0.29] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 1a:2c:c4:62:cc:27:1b:76:6b:f7:b2:38:00:7b:3f:63
    debug1: Host 'mysql' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:5
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    ->> debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure. Minor code may provide more information Credentials cache file '/tmp/krb5cc_0' not found
    

    The line marked with an arrow was causing the delay in my case. I commented out the following line on the destination server and it resolved the issue in my case:

    #GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no
    

    Restart the SSH daemon on the remote server and try to reconnect... it's fine!

  3. Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1) can take a long time to resolve “IPv6 or IPv4” addresses from domain names. This can be worked around by specifying the AddressFamily inet option in ssh_config.
  4. There may be a DNS lookup problem, either at the client or server. You can use the nslookup command to check this on both client and server by looking up the other end’s name and IP address. In addition, on the server look up the name returned by the client’s IP-name lookup. You can disable most of the server-side lookups by setting UseDNS no in sshd_config.
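
The answers above all edit UseDNS or GSSAPIAuthentication in sshd_config, so the following added example (not part of any answer on this page) checks which value sshd keeps for each. It relies on two rules from sshd_config(5): the first value obtained for a keyword is the one used, and lines after a Match line are conditional rather than global, so a line appended at the bottom may change nothing. The function name, the sample file and the single-file assumption (no Include handling) are constructed for this illustration.

```python
import re

WATCHED = ("usedns", "gssapiauthentication")  # the two options this page changes

# Constructed sample sshd_config (not taken from the page).
SAMPLE = """\
# GSSAPI options
UseDNS yes
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPIAuthentication no
Match User backup
    X11Forwarding no
UseDNS no
"""

def audit_sshd_config(text, watched=WATCHED):
    """Report the value sshd keeps for each watched keyword, and the lines it skips."""
    report = {k: {"effective": None, "line": None, "ignored": []} for k in watched}
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive sets nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()  # keywords are case-insensitive
        tokens = parts[1].split() if len(parts) > 1 else []
        value = tokens[0].lower() if tokens else ""
        if key == "match":
            in_match = True  # everything below is conditional, not global
            continue
        if key not in report:
            continue
        entry = report[key]
        if in_match:
            entry["ignored"].append((lineno, value, "inside Match block"))
        elif entry["effective"] is None:
            entry["effective"], entry["line"] = value, lineno
        else:
            entry["ignored"].append((lineno, value, "earlier value wins"))
    return report

if __name__ == "__main__":
    # effective=None means the file never sets the keyword, so sshd's default applies
    for key, info in audit_sshd_config(SAMPLE).items():
        print(f"{key}: effective={info['effective']!r} (line {info['line']})")
        for lineno, value, reason in info["ignored"]:
            print(f"  line {lineno}: '{value}' has no global effect ({reason})")
```

On a live server, sshd -T prints the configuration the daemon actually ends up with, which is the authoritative check after any of these edits.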
