Slow SSH connections – hanging at GSSAPI auth
by bigpresh on Mar.29, 2011, under Linux, System Administration
A particular box at $work had been slow to SSH to for a while, and I finally wanted to spend the time to find out why.
Running ssh -v thatmachine showed that it was hanging whilst attempting to authenticate with GSSAPI, with the slow section looking like:
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Offering public key: /home/davidp/.ssh/id_rsa
# authentication by public key then proceeded quickly
SSHing to the machine by IP instead, i.e. ssh -v 10.1.1.192, produced slightly different output:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
debug1: Next authentication method: publickey
# authentication by public key then succeeded quickly
It’s clear that it’s trying to authenticate using GSS-API (Kerberos), failing, then moving on to public key auth.
The fix is simple – disable attempts to use GSS-API by adding the following to ~/.ssh/config:
GSSAPIAuthentication no
Before adding that:
[davidp@columbia:~]$ time ssh 10.1.1.192 touch /dev/null | grep real
real 0m15.512s
After adding it:
[davidp@columbia:~]$ time ssh 10.1.1.192 touch /dev/null | grep real
real 0m0.611s
Problem solved.
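An added example, not part of the original post: a Python helper that timestamps each line of ssh -v output and totals the time spent in each authentication method, so the method causing the delay can be confirmed before it is disabled. The function names, the BatchMode option and the sample timestamps are assumptions of this example; the sample debug lines are taken from the output shown earlier.

```python
import re
import subprocess
import sys
import time

NEXT = re.compile(r"debug1: Next authentication method: (\S+)")
DONE = re.compile(r"debug1: Authentication succeeded")

def time_per_method(stamped):
    """Total seconds spent in each auth method, from (seconds, line) pairs."""
    spent, current, started = {}, None, 0.0
    for ts, line in stamped:
        switch = NEXT.search(line)
        if current and (switch or DONE.search(line)):
            # Close the running method at a method switch or on success.
            spent[current] = spent.get(current, 0.0) + ts - started
            current = None
        if switch:
            current, started = switch.group(1), ts
    return spent

def slowest(spent):
    """Name of the method that consumed the most time, or None."""
    return max(spent, key=spent.get) if spent else None

def stamp_ssh(host):
    """Run ssh -v and yield (monotonic seconds, line) per debug line."""
    # BatchMode=yes (assumption of this example) stops ssh waiting at a prompt.
    cmd = ["ssh", "-v", "-o", "BatchMode=yes", host, "true"]
    with subprocess.Popen(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.PIPE, text=True) as proc:
        for line in proc.stderr:
            yield time.monotonic(), line.rstrip("\n")

# Constructed sample: debug lines from the post, timestamps invented.
SAMPLE = [
    (0.0, "debug1: Authentications that can continue: publickey,gssapi-with-mic,password"),
    (0.0, "debug1: Next authentication method: gssapi-with-mic"),
    (5.0, "debug1: Unspecified GSS failure. Minor code may provide more information"),
    (10.0, "debug1: Unspecified GSS failure. Minor code may provide more information"),
    (15.0, "debug1: Unspecified GSS failure. Minor code may provide more information"),
    (15.0, "debug1: Next authentication method: publickey"),
    (15.25, "debug1: Offering public key: /home/davidp/.ssh/id_rsa"),
    (15.5, "debug1: Authentication succeeded (publickey)."),
]

if __name__ == "__main__":
    lines = stamp_ssh(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    spent = time_per_method(lines)
    for method, secs in spent.items():
        print(f"{method:20s} {secs:7.2f}s")
    print("slowest:", slowest(spent))
```

Run with a hostname as the only argument to time a real connection; with no argument it analyses the constructed sample.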
March 31st, 2011 on 2:20 am
Thanks a lot, this saved me a lot of time lol.
July 18th, 2011 on 7:44 pm
Thanks!
This helped me out.
November 19th, 2011 on 6:17 pm
Thank you for taking the trouble to blog this – the old “Google the error” trick brung me here.
December 21st, 2011 on 12:26 am
Thank you! This really helped!
January 16th, 2012 on 12:15 pm
works.. thanks
March 31st, 2012 on 3:11 pm
I was searching for how to disable the GSSAPI! Thank you very much!
April 16th, 2012 on 12:28 pm
Thanks, this was very helpful for Ubuntu 11.10. ~/.ssh/config did not exist on U11.10, but I created it and it solved the problem. Thanks!
September 19th, 2012 on 8:33 pm
This will happen whenever the server cannot do a reverse DNS lookup on the IP address of the client. Adding the client IPs to the local hosts table on the ssh server host will also avoid the delay.
March 22nd, 2013 on 12:19 am
great! glad i found this. thanks for saving me hours more of searching (centos 6.4)!
April 3rd, 2013 on 9:02 pm
I had to create ~/.ssh/config as well, and it worked very well.
I’ve never dealt with GSSAPI before, and I’m very curious as to what, exactly, was causing it to hang. It doesn’t seem to affect any other Linux users in my company’s network, so it must be something that I’ve configured on my machine. Tried ssh -vvv, but it doesn’t give me any helpful information, except for “Cannot determine realm for numeric host address”. I’ll keep digging, but just wanted to see if anyone else out there knows more…
Regardless, thanks for the tip!
April 24th, 2013 on 9:48 pm
Thanks!! It works!
July 4th, 2013 on 11:58 am
Thanks .. it worked .. for Ubuntu users: the ssh config file is located at /etc/ssh/ssh_config
August 6th, 2013 on 7:36 am
Thanks, activated change with service sshd restart
Nice tip!
September 3rd, 2013 on 10:54 am
Huh… Nice tip
For Ubuntu/mint combination you can uncomment this line in
/etc/ssh/ssh_config
Also, config file doesn’t exist in .ssh dir so you can create it yourself