How to speed up a slow SSH login

I recently started using the excellent digital ocean for some of my cloud server hosting. When logging into my servers there was quite a delay, often a minute or more, before the password prompt appeared. I was getting the same delay when I use SSH keys for authentication too.

I’ve had to solve this problem before on several occasions, but I always end up re-investigating the cause. So this time I thought it was about time I made a note of how  to fix the problem.

Right! First off let’s see where the delay is by logging on the the server with the ssh debugging enabled. This is done by using the -v switch:

ssh -v root@server-ip-address

This shows conversation that the ssh client is having with the server as it negotiates a suitable authentication method.

For me, whenever I see long pauses in the login it’s always because ssh hangs whenever it checks for GSSAPI. Apparently GSSAPI stands for Generic Security Service Application Program Interface.

So, the ssh debug info generally scrolls by pretty swiftly until it gets to:

debug1: Next authentication method: gssapi-with-mic

Then ssh just hangs for a while before reporting something along the lines of

debug1: Unspecified GSS failure

The fix is to simple disable GSSAPI as an ssh authentication option. This is done by editing the ssh server configuration file:

/etc/ssh/sshd_config

Search for the line:

GSSAPIAuthentication yes

and change yes to no; i.e.:

GSSAPIAuthentication no

After applying and saving the above change you’ll need to restart the sshd daemon. On most systems this can be done by typing:

service sshd restart

Now next time you connect to your server with ssh, it should all happen much faster.

Update – Alternative (client side work-around)
An alternative to fixing the server side, you also switch GSSAPIAuthentication off as an authentication option every time you connect. Note that this will only affect that single connection, so you’ll need to specifiy the option every time you connect.

ssh -o GSSAPIAuthentication=no root@server-ip-address


Written By

Kev