Slow SSH connections – hanging at GSSAPI auth

A particular box at $work had been slow to SSH to for a while, and I finally wanted to spend the time to find out why.

Running ssh -v thatmachine showed that it was hanging whilst attempting to authenticate with GSSAPI, with the slow section looking like:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Offering public key: /home/davidp/.ssh/id_rsa
# authentication by public key then proceeded quickly

SSHing to the machine by IP instead, i.e. ssh -v 10.1.1.192, produced slightly different output:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
debug1: Next authentication method: publickey
# authentication by public key then succeeded quickly

It’s clear that it’s trying to authenticate using GSS-API (Kerberos), failing, then moving on to public key auth.
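The fallthrough can also be read out of the log mechanically. The following is an added example, not part of the original post: the function names auth_summary and gssapi_fell_through are hypothetical, and the sample log is constructed from the first excerpt above.

```shell
#!/bin/sh
# Summarise which auth methods an `ssh -v` log tried and why each one failed,
# so a GSSAPI attempt that fails before publickey is easy to spot.

# Constructed sample input, taken from the first debug excerpt in the post.
sample_log() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Offering public key: /home/davidp/.ssh/id_rsa
EOF
}

# auth_summary: read `ssh -v` output on stdin, print one line per method tried:
#   <method> errors=<n> detail=<last non-debug line logged under that method>
auth_summary() {
    awk '
    function emit() { if (m != "") printf "%s errors=%d detail=%s\n", m, n, (d == "" ? "-" : d) }
    /^debug1: Next authentication method: / { emit(); m = $NF; n = 0; d = ""; next }
    m == "" { next }                       # ignore everything before the first method
    /^debug1: (Unspecified GSS failure|An invalid name was supplied)/ { n++; next }
    !/^debug[0-9]: / { d = $0 }            # library message printed without a debug prefix
    END { emit() }
    '
}

# gssapi_fell_through: exit 0 if a gssapi-* method logged errors and the client
# then moved on to another method; exit 1 otherwise.
gssapi_fell_through() {
    auth_summary | awk '
    $1 ~ /^gssapi/ && $2 != "errors=0" { failed = 1; next }
    failed { later = 1 }
    END { exit !(failed && later) }
    '
}
```

Against a live connection the same functions can be fed with `ssh -v thatmachine true 2>&1 | auth_summary`, since ssh writes its debug output to stderr.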

The fix is simple – disable attempts to use GSS-API by adding the following to ~/.ssh/config:

GSSAPIAuthentication no

Before adding that:

[davidp@columbia:~]$ time ssh 10.1.1.192 touch /dev/null | grep real
real	0m15.512s

After adding it:

[davidp@columbia:~]$ time ssh 10.1.1.192 touch /dev/null | grep real
real	0m0.611s

Problem solved.

14 thoughts on “Slow SSH connections – hanging at GSSAPI auth”

  1. Thanks, this was very helpful for Ubuntu 11.10. ~/.ssh/config did not exist on U11.10, but I created it and it solved the problem. Thanks!

  2. This will happen whenever the server cannot do a reverse DNS lookup on the IP address of the client. Adding the client IPs to the local hosts table on the ssh server host will also avoid the delay.

  3. I had to create ~/.ssh/config as well, and it worked very well.

    I’ve never dealt with GSSAPI before, and I’m very curious as to what, exactly, was causing it to hang. It doesn’t seem to affect any other Linux users in my company’s network, so it must be something that I’ve configured on my machine. Tried ssh -vvv, but it doesn’t give me any helpful information, except for “Cannot determine realm for numeric host address”. I’ll keep digging, but just wanted to see if anyone else out there knows more…

    Regardless, thanks for the tip!

  4. Thanks... it worked. For Ubuntu users: the ssh config file is located at /etc/ssh/ssh_config

  5. Huh… Nice tip

    For Ubuntu/Mint combination you can uncomment this line in
    /etc/ssh/ssh_config

    Also, config file doesn’t exist in .ssh dir so you can create it yourself
