I have a laptop and desktop “server” on a local network both running Ubuntu 7.10. Today, I decided to get an SSH server running on both of them. To my dismay, it took SSH 15-20 seconds to prompt me for a password. After the delay, I didn’t run into any further speed issues. The problem ended up being with the way the server machine was looking up the reverse DNS of the client machine.
The OpenSSH daemon on the server tries to look up the reverse DNS of the connecting machine. In my case, as I suspect is true on most local networks, the client machine has no host name (i.e. no reverse DNS entry) set up. The quick solution is to edit /etc/nsswitch.conf on the server machine…
...
# Change this line
# hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
# To this (removed mdns4)
hosts: files mdns4_minimal [NOTFOUND=return] dns
...
Explanation
nsswitch.conf defines how dns host lookups are performed. The system will try every method in turn until it finds one that succeeds or until it runs out of options. All of the lookup options in the default configuration are lightning quick except for mdns4. I’m not exactly sure what mdns4 is or in what situations I would absolutely need it enabled. Wikipedia says it’s some sort of zero configuration network protocol that spawned from Apple. Great. I’m not using it, so I’m ok with removing it from the configuration. If for whatever reason you are not OK with ditching it, I see two other options for you.
Configure sshd to not do any rDNS lookups
On the server machine, do the following
# "sudo echo ... >> file" fails: the redirection runs in your own shell, not as root, so append with tee.
# sshd uses the first UseDNS line it finds, so check the file does not already set it.
echo "UseDNS no" | sudo tee -a /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart
The OpenSSH daemon will now not attempt any reverse DNS lookups when a client connects. If you are using host names to authorize connections to the server, this is obviously not an option for you.
Add your client machine’s ip to the hosts file on the server machine
On the server machine, do the following
# As above, append as root with tee rather than a shell redirection.
echo "[your_client_ip] [your_client_hostname]" | sudo tee -a /etc/hosts
This is, of course, dependent on your client machine having a static IP. If the IP of the client changes, the server won’t have a host name to go on again, and you’ll be back to slow SSH connections.
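To put the three knobs above in one place, here is an added shell script (not from the original post) that audits copies of nsswitch.conf and sshd_config for the slow combination, prints the corrected hosts line, and applies it to a copy of the file. The sample file contents, the mktemp paths and all function names are constructed for this example; on a real server the files are /etc/nsswitch.conf and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two settings that decide
# whether sshd stalls on a reverse lookup, using constructed copies of the files.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_NSS="$WORK/nsswitch.conf"
SAMPLE_SSHD="$WORK/sshd_config"

# Constructed nsswitch.conf resembling the Ubuntu 7.10 default hosts line.
cat > "$SAMPLE_NSS" <<'EOF'
passwd:         compat
group:          compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
EOF

# Constructed sshd_config fragment: UseDNS is only present as a comment,
# so sshd falls back to its compiled-in default.
cat > "$SAMPLE_SSHD" <<'EOF'
Port 22
#UseDNS yes
SyslogFacility AUTH
LogLevel INFO
EOF

# The first uncommented "hosts:" line is the one NSS uses.
nss_hosts_line() {
    awk '$1 == "hosts:" { print; exit }' "$1"
}

# Succeeds if a bare "mdns4" token is in the chain. "mdns4_minimal" is fine:
# it only answers for .local names and returns quickly for everything else.
nss_has_slow_mdns() {
    nss_hosts_line "$1" | grep -qE '(^|[[:space:]])mdns4([[:space:]]|$)'
}

# The hosts line with every bare "mdns4" token removed, whitespace normalised.
nss_fixed_hosts_line() {
    nss_hosts_line "$1" | awk '{ o = ""
        for (i = 1; i <= NF; i++) if ($i != "mdns4") o = o (o == "" ? "" : " ") $i
        print o }'
}

# Replace the hosts line in place (run on a copy, or as root on the real file).
nss_apply_fix() {
    fixed=$(nss_fixed_hosts_line "$1")
    awk -v fixed="$fixed" '$1 == "hosts:" && !done { print fixed; done = 1; next } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Effective UseDNS: sshd takes the first uncommented occurrence; with none, it
# uses the build default, "yes" on the 4.6 release in the post (OpenSSH 6.8
# and later default to "no").
sshd_usedns() {
    v=$(awk 'tolower($1) == "usedns" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# Report, and return 0 when a slow reverse lookup is likely, 1 otherwise.
audit_rdns() {
    dns=$(sshd_usedns "$2")
    if [ "$dns" = "no" ]; then
        echo "sshd: UseDNS no, client addresses are never resolved"
        return 1
    fi
    echo "sshd: UseDNS $dns, sshd resolves each client address through NSS"
    if nss_has_slow_mdns "$1"; then
        echo "nsswitch: bare mdns4 in the hosts chain; suggested line:"
        echo "  $(nss_fixed_hosts_line "$1")"
        return 0
    fi
    echo "nsswitch: no bare mdns4 in the hosts chain"
    return 1
}

# Live check for a real server (not run here): getent walks the same hosts
# chain sshd uses, so a stall here reproduces the symptom without sshd.
time_reverse_lookup() {
    start=$(date +%s)
    getent hosts "$1" || echo "no name for $1"
    echo "lookup took $(( $(date +%s) - start )) s"
}

echo "== before =="
audit_rdns "$SAMPLE_NSS" "$SAMPLE_SSHD"
cp "$SAMPLE_NSS" "$WORK/nsswitch.fixed"
nss_apply_fix "$WORK/nsswitch.fixed"
echo "== after removing mdns4 =="
audit_rdns "$WORK/nsswitch.fixed" "$SAMPLE_SSHD" || echo "verdict: no stall expected"
```

On a real server, `time_reverse_lookup <client-ip>` is the quickest way to confirm the diagnosis before touching anything: it goes through the same NSS chain sshd does, so the 15-20 second stall shows up there too, and disappears once either fix is applied.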
Debugging SSH
To figure out the above I had to do a lot of sifting through debug logs. For reference, here is how to set up verbose logging for SSH on both the client and server side.
Server Side SSH Debug Logs
/etc/ssh/sshd_config
# Logging
SyslogFacility AUTH
# DEBUG3 is the most verbose, default is INFO (keep the comment on its own line: sshd rejects trailing text after an option)
LogLevel DEBUG3
Then do tail -f /var/log/auth.log
Client Side SSH Debug
ssh -vvv [normal connection string] will output big logs on the client side.
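Sifting the server log by hand is what makes this slow to diagnose, so here is an added shell script (not from the original post) that reads sshd lines in auth.log's syslog format and prints, per connection, the gap between the "Connection from" line (logged at LogLevel VERBOSE and above, so DEBUG3 includes it) and the Accepted/Failed line for the same sshd pid. The log lines and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): measure, per connection, how long
# sshd took between logging the incoming connection and logging the
# authentication result. A consistent multi-second gap is the symptom in the
# post; it should disappear after the UseDNS or nsswitch change.

# Constructed sample in syslog format; the message texts follow sshd's own
# "Connection from", "Accepted" and "Failed" formats.
AUTH_SAMPLE=$(mktemp)
trap 'rm -f "$AUTH_SAMPLE"' EXIT
cat > "$AUTH_SAMPLE" <<'EOF'
Nov  5 21:14:02 server sshd[4021]: Connection from 192.168.1.20 port 51234
Nov  5 21:14:20 server sshd[4021]: Accepted password for alice from 192.168.1.20 port 51234 ssh2
Nov  5 21:15:40 server sshd[4077]: Connection from 192.168.1.21 port 40110
Nov  5 21:15:41 server sshd[4077]: Accepted publickey for bob from 192.168.1.21 port 40110 ssh2
Nov  5 23:59:58 server sshd[4102]: Connection from 192.168.1.22 port 33002
Nov  6 00:00:15 server sshd[4102]: Failed password for invalid user test from 192.168.1.22 port 33002 ssh2
EOF

# One line per connection: "<client> pid <pid>: <seconds> s before <accepted|failed>".
# The sshd pid ties the two log lines together; the time-of-day difference
# is corrected when it wraps past midnight.
auth_delays() {
    awk '
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    { pid = $5; sub(/^sshd\[/, "", pid); sub(/]:$/, "", pid) }
    $6 == "Connection" && $7 == "from" { start[pid] = secs($3); addr[pid] = $8; next }
    ($6 == "Accepted" || $6 == "Failed") && (pid in start) {
        d = secs($3) - start[pid]; if (d < 0) d += 86400
        printf "%s pid %s: %d s before %s\n", addr[pid], pid, d, tolower($6)
        delete start[pid]
    }' "$1"
}

# Only the connections whose gap reached the threshold (default 5 s).
slow_logins() {
    auth_delays "$1" | awk -v t="${2:-5}" '$4 >= t'
}

# Number of slow connections, for a quick "is it all of them?" reading.
slow_login_count() {
    slow_logins "$1" "$2" | wc -l | tr -d ' '
}

echo "== all connections =="
auth_delays "$AUTH_SAMPLE"
echo "== gaps of 5 s or more =="
slow_logins "$AUTH_SAMPLE" 5
```

For an interactive password login the gap also includes the time the user spent typing, so compare against key-based logins or look for the same multi-second delay on every connection from the same client; a lookup stall is uniform, typing time is not.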
File Versions
$ ssh -V
OpenSSH_4.6p1 Debian-5build1, OpenSSL 0.9.8e 23 Feb 2007
$ dpkg-query --search nsswitch.conf
manpages: /usr/share/man/man5/nsswitch.conf.5.gz
base-files: /usr/share/base-files/nsswitch.conf
$ dpkg-query --show base-files
base-files 4.0.0ubuntu5
$ dpkg-query --search /usr/sbin/sshd
openssh-server: /usr/sbin/sshd
$ dpkg-query --show openssh-server
openssh-server 1:4.6p1-5ubuntu0.1
Sources:
Ubuntu Bug report on slow SSH blaming it on GSSAPIAuthentication setting on client
Another Bug report about how mdns4 in nsswitch is really slow