Certain unused and/or sub-optimal configuration options can be turned off to dramatically speed up SSH connections.
First up, we should measure the slowness. We can easily do this by running a single-shot ssh command that runs instantaneously on the remote machine and exits:
$ time ssh -l root <my server> uname -r
3.10.0-327.36.3.el7.x86_64
real 0m15.577s
user 0m0.016s
sys 0m0.000s
We can try to find out which operation is taking time by running the ssh command in debug mode:
$ ssh -l root -v <my server>
This produces a lot of output, and in my case, hangs for a long time at this message:
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
We’re not using Kerberos and GSSAPI authentication on our servers, so I will simply disable it. On the remote machine, edit the sshd configuration file (/etc/ssh/sshd_config on CentOS) and change
GSSAPIAuthentication yes
to
GSSAPIAuthentication no
Then, reload sshd:
# systemctl reload sshd
Now, the “Unspecified GSS failure” messages disappear but the connection still hangs for a bit and takes the same amount of time to finally give me a shell on the remote machine.
Next, we check a well-known culprit in most problems that slow down network connections: DNS lookups or, to be more accurate, reverse DNS lookups.
Let us check the sshd config file for the UseDNS parameter:
# grep UseDNS /etc/ssh/sshd_config
UseDNS yes
Change it to no:
# grep UseDNS /etc/ssh/sshd_config
UseDNS no
Then reload sshd and try to connect again:
$ time ssh -l root <my server> uname -r
3.10.0-327.36.3.el7.x86_64
real 0m0.323s
user 0m0.008s
sys 0m0.008s
And that’s it. That single change has reduced the login time from more than 15 seconds to under half a second.
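sshd uses the first value it finds for each keyword, so a "no" appended below an existing "yes" changes nothing, which is why the lines above are edited in place. The check below is an added example, not part of the original article: the function names and the sample file are constructed, Include files are not followed, and on a live host "sshd -T" prints the configuration the daemon actually resolves.

```shell
# effective_opt FILE KEYWORD: value sshd would use for KEYWORD globally.
# Keywords are case-insensitive and the first occurrence wins; lines from the
# first Match onward are conditional and are not counted as global.
effective_opt() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/^[ \t]+/, "") }               # drop leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)  # accept Keyword=value as well
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit         # global section ends here
            if (key == want && n >= 2) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# audit_sshd FILE: report both options from the article; return 0 only if
# each is explicitly "no".
audit_sshd() {
    rc=0
    for kw in GSSAPIAuthentication UseDNS; do
        v=$(effective_opt "$1" "$kw")
        case "$v" in
            no)    echo "ok    $kw no" ;;
            unset) echo "check $kw is not set, the build default applies"; rc=1 ;;
            *)     echo "WARN  $kw $v"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: "UseDNS no" was appended below an existing "UseDNS yes".
write_sample() {
    cat <<'EOF'
Port 22
UseDNS yes
GSSAPIAuthentication no
UseDNS no
Match Address 192.0.2.0/24
    GSSAPIAuthentication yes
EOF
}

tmp=$(mktemp) && write_sample > "$tmp"
audit_sshd "$tmp" || true; rm -f "$tmp"
```

On the sample, the audit reports UseDNS as still "yes" even though the file also contains "UseDNS no".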