Establishing SSH connections are slow due to Kerberos and public key authentication

Geofrey Rainey Geofrey.Rainey at tvnz.co.nz
Mon Nov 30 20:52:15 UTC 2009


I have similar issues with reverse-DNS lookups if it can't resolve the
connecting IP to a hostname.

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of dustin at larmeir.com
Sent: Monday, 30 November 2009 11:26 p.m.
To: 'General Red Hat Linux discussion list'
Subject: RE: Establishing SSH connections are slow due to Kerberos and public key authentication

Usually when I see this behavior, it is related to a DNS issue as you have
mentioned. Have you tried disabling DNS lookups in the /etc/ssh/sshd_config
file to see if it goes any faster? Maybe there is a DNS resolver within the
network that is having a communication issue with these systems - Dustin

# cat /etc/ssh/sshd_config | grep DNS
#UseDNS yes

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com]
On Behalf Of Kenneth Holter
Sent: Monday, November 30, 2009 3:53 AM
To: redhat-list at redhat.com
Subject: Establishing SSH connections are slow due to Kerberos and public key authentication

Hi.


A couple of weeks ago some of our servers started hanging for a while when
establishing SSH sessions to other servers. From issuing "ssh <some-server>"
to getting to the login prompt, it took about 20-30 seconds.

I've seen this behavior a couple of times before, and have found that the
reason for the slow connections is that SSH is trying to use Kerberos, hangs
for about 10 seconds, then tries public key authentication, hangs for about
10 seconds, and then finally prompts for password. By setting the
"GSSAPIAuthentication" option to false, either in /etc/ssh/ssh_config, or on
the command line, everything works perfectly.

So the problem is easy to fix, but what's puzzling me is why SSH suddenly
decides to try Kerberos and public key authentication, when I've done no
changes to the configuration files? I believe the problem might have
something to do with DNS, but have not figured out how these things are
related. Has anyone else seen this behavior, and knows what's triggering
it?


Regards,
Kenneth Holter
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
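
Added example, not part of the original thread: the "grep DNS" output quoted above shows only a commented-out "#UseDNS yes" line, so the file sets nothing and the compiled-in default applies. The sketch below reports the first active value of a keyword that applies to every connection. The function name and both sample files are constructed for illustration, and it assumes no Include directives.

```shell
#!/bin/sh
# effective_value FILE KEYWORD  (hypothetical helper, added example)
# Prints the first uncommented value of KEYWORD that applies to all
# connections: top of file, or inside "Host *" / "Match all".
# Prints "unset" when no active line exists (built-in default in force).
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); global = 1 }
        {
            gsub(/^[ \t]+|[ \t]+$/, "")        # trim surrounding whitespace
            if ($0 == "" || $0 ~ /^#/) next    # blank or commented out
            split($0, f, /[ \t=]+/)            # "Key value" or "Key = value"
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "host" || key == "match") {
                # Only blocks that cover every connection count as global.
                global = ((key == "host" && val == "*") ||
                          (key == "match" && val == "all"))
                next
            }
            # OpenSSH keeps the first value it obtains for a keyword.
            if (global && key == want) { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample files (not taken from any real host).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/sshd_config" <<'EOF'
#UseDNS yes
GSSAPIAuthentication yes
Match Address 10.0.0.0/8
    GSSAPIAuthentication no
EOF
cat > "$sample_dir/ssh_config" <<'EOF'
Host legacy
    GSSAPIAuthentication yes
Host *
    GSSAPIAuthentication = no
EOF

for kw in UseDNS GSSAPIAuthentication; do
    echo "sshd_config $kw: $(effective_value "$sample_dir/sshd_config" "$kw")"
done
echo "ssh_config GSSAPIAuthentication: $(effective_value "$sample_dir/ssh_config" GSSAPIAuthentication)"
```

On a live host with a recent OpenSSH, "sshd -T" and "ssh -G <some-server>" print the configuration actually in effect, defaults included.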
