Fix Slow SSH Logins on Linux

In some cases, when connecting to a Linux host via SSH, there can be a very long delay before a password prompt appears (from 30 seconds up to 2 minutes).

You can find out how long an SSH login takes with the command:

$ time ssh -l sysops 192.168.158.129 uname -r

In this case, the total delay during the SSH login is about 30 seconds.

Slow SSH logins are most often caused by unsuccessful attempts to resolve DNS names. This means that an incorrect or unavailable name server is specified in the host’s DNS settings. Check and fix this in the file:

# vim /etc/resolv.conf

You can also enable the local DNS client cache on Linux.

If you are using Ubuntu with Network Manager, you can use the following command to find out the current DNS settings:

$ nmcli device show | grep IP4.DNS

Also, by default, when the SSH server receives a connection request from a client, it attempts to perform a reverse DNS lookup for the client’s IP address. If DNS is unable to resolve the address, this check can take a long time due to timeouts.

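You can shorten the SSH login delay by disabling name resolution for incoming connections. Note that with UseDNS set to no, sshd matches only IP addresses, not host names, in authorized_keys from= restrictions and in Match Host blocks. Edit the /etc/ssh/sshd_config file and uncomment the option: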

UseDNS no

Restart SSHD (the service unit is named sshd or ssh, depending on the distribution):

$ sudo systemctl restart sshd || sudo systemctl restart ssh

The problem is similar to the one in the case of the slow startup of mc (Midnight Commander) in Linux.

To get a detailed log of actions taken during an SSH connection, add the -vvv option:

ssh sysops@192.168.158.129 -vvv

For example, you will see several different authentication methods being tried during the connection phase.

debug1: Next authentication method: gssapi-keyex
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Next authentication method: password

Disable unused authentication methods in /etc/ssh/sshd_config to speed up SSH login:

GSSAPIAuthentication no
GSSAPICleanupCredentials yes
# If AD authentication is not used
KerberosAuthentication no
# deprecated
ChallengeResponseAuthentication no

Save the file and restart SSHD.
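
The UseDNS and GSSAPI changes above only take effect if the uncommented line is the first one sshd reads for that keyword. The following check is an added example, not part of the original article: the function names are made up for illustration, the sample file is constructed and stands in for /etc/ssh/sshd_config, and Include files are not followed.

```sh
#!/bin/sh
# Added example (hypothetical helper names). sshd keeps the FIRST value it
# reads for a keyword, keywords are case-insensitive, and a line that is
# still commented out sets nothing. "Keyword=value" and Include are not handled.

# effective_value FILE KEYWORD -> global value, or "(unset)"
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "(unset)" }
        { sub(/^[ \t]+/, "") }                   # strip leading whitespace
        /^#/ || /^$/ { next }                    # comments and blanks set nothing
        tolower($1) == "match" { exit }          # global section ends at first Match
        tolower($1) == want { val = tolower($2); exit }   # first occurrence wins
        END { print val }
    ' "$1"
}

# check_login_delay_options FILE -> one status line per option from the
# article; returns 1 unless every option is explicitly "no".
check_login_delay_options() {
    rc=0
    for kw in UseDNS GSSAPIAuthentication KerberosAuthentication; do
        v=$(effective_value "$1" "$kw")
        if [ "$v" = "no" ]; then
            echo "ok      $kw $v"
        else
            echo "review  $kw $v"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: UseDNS is still commented out, GSSAPIAuthentication is
# set twice (the later "no" is ignored), and KerberosAuthentication is only
# set inside a Match block, so it is not a global setting.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#UseDNS no
GSSAPIAuthentication yes
GSSAPIAuthentication no
Match Address 192.168.158.0/24
    KerberosAuthentication no
EOF
check_login_delay_options "$sample" || echo "at least one option needs review"
```

On a live host, `sudo sshd -T` prints the configuration sshd actually resolved, including Include files, and is the authoritative check.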

In some scenarios (e.g. when using .local zones), you may need to change this line in /etc/nsswitch.conf for faster DNS resolution:

hosts:          files mdns4_minimal [NOTFOUND=return] dns

to

hosts: files dns

Restart the Avahi daemon:

# /etc/init.d/avahi-daemon restart

Slow SSH logins can also be caused by timeouts when resolving IPv6 names. In this case, you can force the SSH connection to use IPv4 only:

$ ssh -4 sysops@192.168.158.129