SSH Login Speed

Kimball Larsen kimball at kimballlarsen.com
Thu Jun 5 13:40:19 MDT 2008



On Jun 5, 2008, at 1:31 PM, Bryan Sant wrote:

> On Thu, Jun 5, 2008 at 1:20 PM, Kimball Larsen
> <kimball at kimballlarsen.com> wrote:
>> same private lan (192.168.0.x).  How would dns come into play here?
>
> I'm guessing that GSSAPI is one of the forms of authentication that
> your server has enabled.  GSSAPI does reverse DNS lookups (among other
> things).
>
>> /etc/ssh/sshd_config is identical for both machines.
>
> Strange.  My understanding is that GSSAPI is similar to PAM -- it's an
> authentication API with a modular backend.  It's possible that you
> have GSSAPI enabled as an authentication mechanism in both SSH daemon
> configs, but only one of the two servers is using a GSSAPI backend
> that actually does a reverse DNS lookup...  Or you have your client
> IP address in the /etc/hosts file on one box but not the other (or
> something like that).  Just grasping at straws :-).
>
> -Bryan


I think I found it:

Instead of mucking about with GSSAPI settings, I just added "UseDNS  
no" to /etc/ssh/sshd_config and restarted the ssh daemon.

Login now takes < 1 second on both machines (it's nearly  
instantaneous, in fact)

Interestingly, /etc/hosts is identical for both machines, as is
/etc/resolv.conf.

Odd that DNS was taking so long from one but not from the other.

What other problems might this indicate?

dig appears to take about the same amount of time from both machines
(i.e., DNS lookups outside of the ssh handshake).


- Kimball
http://www.kimballlarsen.com
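
Added example (not part of the original message or thread): a small Python check that reads the two sshd_config settings discussed above and times a reverse lookup of the client address through the libc resolver, which is a different path from dig, since dig queries the name servers directly and does not consult nsswitch.conf or /etc/hosts. The function names, the sample config and the one-second threshold are assumptions made for illustration.

```python
import socket
import time

WATCHED = ("usedns", "gssapiauthentication")

# Constructed sample config, not the poster's actual file.
SAMPLE_CONFIG = """\
# constructed example
Port 22
GSSAPIAuthentication yes
usedns=no
UseDNS yes
Match Address 192.168.0.0/24
    GSSAPIAuthentication no
"""

def effective_settings(config_text):
    """Global value of each watched keyword, or None when it is not set.

    sshd keeps the first value it reads for a keyword, keywords are
    case-insensitive, and a Match line starts a conditional block (skipped).
    """
    found = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if key in WATCHED and key not in found and len(parts) > 1:
            found[key] = parts[1].strip('"').lower()
    return {key: found.get(key) for key in WATCHED}

def system_reverse(ip):
    """PTR lookup through libc, using the sources listed in nsswitch.conf."""
    return socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)[0]

def time_reverse_lookup(ip, resolver=system_reverse):
    """Return (seconds, hostname or None) for one reverse lookup."""
    start = time.monotonic()
    try:
        name = resolver(ip)
    except OSError:  # socket.herror and socket.gaierror are subclasses
        name = None
    return time.monotonic() - start, name

def dns_delay_expected(config_text, client_ip, slow_after=1.0, resolver=system_reverse):
    """True when sshd may look the client up (UseDNS, or GSSAPI as suggested
    in the thread) and that lookup is slow on this host."""
    settings = effective_settings(config_text)
    may_lookup = settings["usedns"] != "no" or settings["gssapiauthentication"] == "yes"
    seconds, _ = time_reverse_lookup(client_ip, resolver)
    return may_lookup and seconds > slow_after
```

Run it on each server with the contents of /etc/ssh/sshd_config and the client's address; a large time on one machine only points at that machine's resolver configuration rather than at sshd itself.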


