A particular box at $work had been slow to SSH to for a while, and I finally wanted to spend the time to find out why.
Running ssh -v thatmachine showed that it was hanging whilst attempting to authenticate with GSSAPI, with the slow section looking like:
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Offering public key: /home/davidp/.ssh/id_rsa
# authentication by public key then proceeded quickly
SSHing to the machine by IP instead, i.e. ssh -v 10.1.1.192, produced slightly different output:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
debug1: Next authentication method: publickey
# authentication by public key then succeeded quickly
It’s clear that it’s trying to authenticate using GSS-API (Kerberos), failing, then moving on to public key auth.
The fix is simple – disable attempts to use GSS-API by adding the following to ~/.ssh/config:
GSSAPIAuthentication no
Before adding that:
[davidp@columbia:~]$ time ssh 10.1.1.192 touch /dev/null | grep real
real 0m15.512s
After adding it:
[davidp@columbia:~]$ time ssh 10.1.1.192 touch /dev/null | grep real
real 0m0.611s
Problem solved.
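The diagnosis above relied on watching where ssh -v paused. As an added example (not part of the original post), the script below timestamps each debug line and reports the line that was followed by the longest silence; the function names are hypothetical, and it assumes GNU date and awk.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): locate the stall in an SSH login
# by timestamping each `ssh -v` debug line and reporting the longest silence.
# Assumes GNU date (for %N) and awk; function names are hypothetical.

# stamp: prefix every stdin line with "<epoch seconds.nanoseconds><TAB>".
stamp() {
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(date +%s.%N)" "$line"
    done
}

# slowest_gap: read "<epoch><TAB><text>" lines and print
# "<seconds><TAB><text>" for the line that was followed by the longest wait.
slowest_gap() {
    awk -F'\t' '
        NR > 1 { gap = $1 - prev_t
                 if (gap > max) { max = gap; where = prev_line } }
        { prev_t = $1; prev_line = $2 }
        END { printf "%.3f\t%s\n", max + 0, where }
    '
}

# ssh_stall [ssh options...] host
# BatchMode=yes stops ssh from waiting at a password prompt, which would
# otherwise be measured as the longest gap.
ssh_stall() {
    ssh -v -o BatchMode=yes "$@" true 2>&1 | stamp | slowest_gap
}
```

Run ssh_stall thatmachine, then ssh_stall -o GSSAPIAuthentication=no thatmachine: if the longest gap shrinks and no longer follows the gssapi-with-mic line, the setting is what removes the delay for that host.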
Thanks a lot, this saved me a lot of time lol.
Thanks!
This helped me out.
Thank you for taking the trouble to blog this – the old “Google the error” trick brung me here.
Thank you! This really helped!
works.. thanks
I was searching for how to disable the GSSAPI! Thank you very much!
Thanks, this was very helpful for Ubuntu 11.10. ~/.ssh/config did not exist on U11.10, but I created it and it solved the problem. Thanks!
This will happen whenever the server cannot do a reverse DNS lookup on the IP address of the client. Adding the client IPs to the local hosts table on the ssh server host will also avoid the delay.
Great! Glad I found this. Thanks for saving me hours more of searching (CentOS 6.4)!
I had to create ~/.ssh/config as well, and it worked very well.
I’ve never dealt with GSSAPI before, and I’m very curious as to what, exactly, was causing it to hang. It doesn’t seem to affect any other Linux users in my company’s network, so it must be something that I’ve configured on my machine. Tried ssh -vvv, but it doesn’t give me any helpful information, except for “Cannot determine realm for numeric host address”. I’ll keep digging, but just wanted to see if anyone else out there knows more…
Regardless, thanks for the tip!
Thanks!! It works!
Thanks.. it worked.. for Ubuntu users: the ssh config file is located at /etc/ssh/ssh_config
Thanks, activated change with service sshd restart
Nice tip!
Huh… Nice tip
For Ubuntu/Mint combination you can uncomment this line in /etc/ssh/ssh_config
Also, config file doesn’t exist in .ssh dir so you can create it yourself