RHEL7 slow ssh login

RHEL7:
Symptom: 34 seconds to prompt password ssh login
Solution (my case):
- vi /etc/ssh/sshd_config
- GSSAPIAuthentication no
- service sshd restart

Other Linux version:
vi /etc/ssh/sshd_config
UseDNS no

vi /etc/resolv.conf
options single-request-reopen ;in the last line. No network restart required

Hope this helps

Responses

Hello Serafin,

Thanks for posting this.

Any time I see something on the order of "network-based logins take ≈ 30 seconds to happen", first thought is generally "DNS related". GSSAPI authentication, by itself, is generally fail-fast. That is, if your calling host isn't attempting to present a GSSAPI token (i.e., "Kerberos"), the GSSAPI routines are generally skipped. If a token is presented, then, as part of the GSSAPI process, DNS is queried for A and PTR records. If DNS isn't responsive, the connection attempt will pause for the DNS lookup attempt to time out ...which is 30 seconds, by default.

Question: are you attempting to SSH to your RHEL 7 system from a GSSAPI-enabled SSH client (e.g., PuTTY on Windows or the OpenSSH client on an AD-integrated UNIX/Linux/OSX host)?

Uncommenting "UseDNS" and setting it to "no" works for me like a champ. Changing "GSSAPIAuthentication" doesn't work. I am using RHEL 7 on a VM (KVM) on F24. Thanks for offering the solution.

Does it help if you become root and run "systemctl restart systemd-logind" - see https://major.io/2015/07/27/very-slow-ssh-logins-on-fedora-22/

That crashes my Fedora 24 system :(

EDIT: I meant X, not the OS, sorry.

I wonder if systemctl daemon-reexec would work too/instead; in case it crashes the system.

My apologies, it crashes X, the display system, not the OS itself. I'll edit my post above.

This can also happen if you have an error in your /etc/resolv.conf file. Incorrect IP addresses for your DNS servers can cause this problem.

Thanks, that helped my issues. SSH logins were slow and su - was slow as well. I thought clearing the sssd cache and kicking sssd would help but it did not; the only thing that helped was restarting the systemd-logind service.

Sorry, does not help

Debug:

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 56: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to 10.118.99.109 [10.118.99.109] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug3: Incorrect RSA1 identifier debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key debug1: identity file /root/.ssh/id_rsa type 1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "10.118.99.109" from file "/root/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:25 debug3: load_hostkeys: loaded 1 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: 
ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: 
kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: server->client 
aes128-ctr hmac-md5-etm@openssh.com none debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16 debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16 debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 01:3f:0e:54:db:d5:7e:d5:51:ef:34:8b:5b:3f:90:95 debug3: load_hostkeys: loading entries for host "10.118.99.109" from file "/root/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:25 debug3: load_hostkeys: loaded 1 keys debug1: Host '10.118.99.109' is known and matches the ECDSA host key. debug1: Found key in /root/.ssh/known_hosts:25 debug1: ssh_ecdsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa (0x7f981ec01220), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /root/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 1047 debug2: input_userauth_pk_ok: fp 7b:38:b9:e3:a8:f5:d8:43:50:4e:b5:a2:79:b3:f4:7d debug3: sign_and_send_pubkey: RSA 
7b:38:b9:e3:a8:f5:d8:43:50:4e:b5:a2:79:b3:f4:7d debug1: key_parse_private2: missing begin marker debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). Authenticated to 10.118.99.109 ([10.118.99.109]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug2: callback start debug2: fd 3 setting TCP_NODELAY debug3: packet_set_tos: set IP_TOS 0x10 debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug1: Sending env LC_PAPER = no_NO debug2: channel 0: request env confirm 0 debug1: Sending env LC_ADDRESS = no_NO debug2: channel 0: request env confirm 0 debug1: Sending env LC_MONETARY = no_NO debug2: channel 0: request env confirm 0 debug3: Ignored env HOSTNAME debug3: Ignored env SHELL debug3: Ignored env TERM debug3: Ignored env HISTSIZE debug1: Sending env LC_NUMERIC = no_NO debug2: channel 0: request env confirm 0 debug1: Sending env LC_ALL = no_NO debug2: channel 0: request env confirm 0 debug3: Ignored env USER debug1: Sending env LC_TELEPHONE = no_NO debug2: channel 0: request env confirm 0 debug3: Ignored env LS_COLORS debug3: Ignored env SUDO_USER debug3: Ignored env SUDO_UID debug3: Ignored env TMOUT debug3: Ignored env USERNAME debug3: Ignored env PATH debug3: Ignored env MAIL debug1: Sending env LC_MESSAGES = no_NO debug2: channel 0: request env confirm 0 debug1: Sending env LC_IDENTIFICATION = no_NO debug2: channel 0: request env confirm 0 debug1: Sending env LC_COLLATE = no_NO debug2: channel 0: request env confirm 0 debug3: Ignored env PWD debug1: Sending env LANG = no_NO debug2: channel 0: request env confirm 0 debug1: Sending env LC_MEASUREMENT = no_NO debug2: channel 0: request env confirm 0 debug3: Ignored env HISTCONTROL debug3: Ignored env SHLVL debug3: Ignored env SUDO_COMMAND debug3: Ignored env HOME 
debug3: Ignored env LOGNAME debug1: Sending env LC_CTYPE = no_NO debug2: channel 0: request env confirm 0 debug3: Ignored env LESSOPEN debug3: Ignored env SUDO_GID debug1: Sending env LC_TIME = no_NO debug2: channel 0: request env confirm 0 debug1: Sending env LC_NAME = no_NO debug2: channel 0: request env confirm 0 debug3: Ignored env _ debug2: channel 0: request shell confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 Last login: Fri Jun 9 09:08:31 2017 from 10.118.189.40

Better if you could post back in "raw" format...

On my Fedora 26 I solved this issue by editing the net.ipv4.tcp_sack parameter with value 0 in the sysctl.conf file.

I've tested this solution with Red Hat 6 and 7

I've already tried all above options but still no luck for me, one server takes too long time to get shell even if there is switch to another account.

As per your statement ...

one server takes too long time to get shell even if there is switch to another account

it doesn't seem to be a problem with ssh connectivity; it looks to be something else on the system side. But if you still feel that it is ssh connectivity which is slow, then try doing ssh in verbose mode (ssh -vvv UserName@HostName) and also check using the IP address instead of the hostname while doing ssh.

useDns NO worked for me

Folks should be careful about making comments like "Disable GSSAPI it doesn't work" ... this thread is all over the place and I just wanted to bring it back to state that while a similar symptom may present, in this case "SSH is slow," the root cause may be significantly different for each instance. It is important to gather information first, debug connections, and then examine the evidence to see where the slowdowns are occurring. Even if using "UseDNS no" in sshd_config works, that doesn't mean the root cause of the problem is resolved, as it could be a misconfigured, down, or inaccessible resolver.

Just be careful and follow a logical troubleshooting process.
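
Added example (not from any poster in this thread): a way to test the resolver explanation raised above, by parsing resolv.conf and timing a PTR query against each listed nameserver, so an unresponsive or mistyped server shows up directly. The sample file content, the 192.0.2.x/198.51.100.x addresses and the function names are constructed for illustration; only IPv4 nameservers are probed.

```python
import socket
import struct
import time

# Constructed sample content (documentation-range addresses), used by the checks.
SAMPLE_RESOLV_CONF = """\
# constructed example
search example.com
nameserver 192.0.2.53
nameserver 198.51.100.53
options single-request-reopen
"""

def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf content."""
    servers, options = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":  # blank line or comment
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] == "options":
            options.extend(fields[1:])
    return servers, options

def build_ptr_query(ipv4, txid=0x1234):
    """Build a DNS PTR query for an IPv4 address (a reverse lookup)."""
    name = ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 12, 1)  # QTYPE=PTR, QCLASS=IN

def probe(server, client_ip, timeout=5.0):
    """Seconds until the nameserver answers, or None if it never does."""
    query = build_ptr_query(client_ip)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # IPv4 only
            sock.settimeout(timeout)
            start = time.monotonic()
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(512)
            return time.monotonic() - start if reply[:2] == query[:2] else None
    except OSError:  # timeout, unreachable, or non-IPv4 address
        return None

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        servers, options = parse_resolv_conf(fh.read())
    print("options:", options)
    for server in servers:
        elapsed = probe(server, "192.0.2.10")  # placeholder: use the slow client's IP
        print(server, "no answer" if elapsed is None else f"{elapsed:.3f}s")
```

Run it on the server that is slow to log in to; a nameserver reported as "no answer" is a candidate for the stall that "UseDNS no" would only hide.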
