Slow SSH Login

SSH login is supposed to be fast: all it needs is a key exchange to establish a secure channel and then an authentication process, both of which are trivial tasks for modern computers. However, as often happens, a simple login might take no less than 15 seconds.

I ran into this problem recently and investigated. As it turned out, a multitude of factors can affect the speed of the SSH login process. From the most obvious to the most inconspicuous, here they are:

  • The sshd_config file.

This is the main configuration file that controls the behavior of the ssh daemon. In this file, you want to make sure the following features are disabled:

UseDNS=no

If this option is enabled, then when a client makes a connection to the daemon, the daemon does a reverse DNS lookup of the incoming IP to get its hostname, and then looks up this hostname to see whether the returned IP matches the incoming IP.

This DNS lookup is a security measure. However, in a lot of cases, this might severely slow down the login process.

GSSAPIAuthentication=no

This option allows SSH to work with Kerberos: if you already have a valid token, you don't have to enter your password. This might be useful in a large corporate network, but you don't need it most of the time.

UsePAM=no

This option enables Pluggable Authentication Modules (PAM) in sshd. PAM is indeed a powerful framework. The only problem is that it has accumulated so much functionality over the years that its configuration can be quite confusing, and a totally unrelated problem in the system might have a surprising effect on other programs using PAM. So I'd recommend you disable it.

  • PAM configuration

Even if you have disabled PAM in sshd, you could still run into PAM issues during login. To be more specific, there is one PAM module, pam_systemd.so, that might slow down the process. Depending on your distribution, it is configured in different files. On Ubuntu, for example, the file is:

/etc/pam.d/common-session

If you are using CentOS, the file is:

/etc/pam.d/password-auth

You’ll want to comment out the line:

optional pam_systemd.so

That’s basically it. It is actually quite amazing that a simple SSH login can be affected by so many different things, but hey, that is the way it works.
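To check a host against the settings listed above, the following added example (not part of the original post) parses an sshd_config and a PAM session file and reports the state of each option. The function names and sample file contents are constructed for illustration; it reads only the global section before the first Match block and relies on sshd's rule that the first occurrence of a keyword wins.

```python
import re

# Options the article says to set to "no" for faster logins.
SLOW_LOGIN_OPTIONS = ("usedns", "gssapiauthentication", "usepam")

# Constructed sample inputs, not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
useDNS=no
GSSAPIAuthentication yes
#UsePAM no
UseDNS yes
Match User backup
    GSSAPIAuthentication no
"""
SAMPLE_PAM = """\
session required pam_unix.so
session optional pam_systemd.so
#session optional pam_systemd.so
"""

def effective_options(sshd_config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and may be written 'Key value' or
    'Key=value'; the first occurrence of a keyword is the one sshd uses.
    """
    seen = {}
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2 or not parts[1]:
            continue
        key = parts[0].lower()
        if key == "match":  # per-connection overrides are out of scope here
            break
        seen.setdefault(key, parts[1].split()[0].strip('"').lower())
    return seen

def audit_sshd(sshd_config_text):
    """Map each option to its value; None means unset (build default applies)."""
    opts = effective_options(sshd_config_text)
    return {name: opts.get(name) for name in SLOW_LOGIN_OPTIONS}

def active_pam_systemd_lines(pam_text):
    """Return the uncommented PAM lines that still load pam_systemd.so."""
    return [l.strip() for l in pam_text.splitlines()
            if "pam_systemd.so" in l and not l.lstrip().startswith("#")]

if __name__ == "__main__":
    print(audit_sshd(SAMPLE_SSHD_CONFIG))
    print(active_pam_systemd_lines(SAMPLE_PAM))
```

On a real host, pass the contents of /etc/ssh/sshd_config and the PAM file for your distribution; an option reported as None is not set in the file, so its value depends on how that sshd was built.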