Tags

There have been numerous problems that have slowed down SSH connections over the years. All are resolvable today – and could be fixed in modern operating systems, but typically aren’t. Most or all of these resolutions are related to reverse IP lookups: that is, given an IP address find out what DNS name is associated with it. These fixes turn off reverse IP lookups for the SSH client and SSH server.

The most often suggested fix is to add the following to your server configuration (sshd_config):

UseDNS no

This prevents the SSH server from making a reverse DNS lookup – that is, looking up the IP address and finding what DNS name is associated with that IP. Since the reverse lookup often does not respond, then there is a time-out involved and this is what generates the normal delay seen in SSH connections.

However, there are other things as well. In some distributions (such as Debian and Ubuntu) the system is set up to use Avahi. When SSH attempts to connect to a host, it uses Avahi as part of the authentication process. When the system uses mDNS (part of Avahi) to resolve an IP address, this resolves in a large delay until the system comes back.

Fixing this is simple as well: add this line to the SSH client:

GSSAPIAuthentication no

This authentication method triggers Avahi; by disabling GSSAPIAuthentication this skips Avahi altogether. It is also possible to rewrite the /etc/nsswitch.conf file to do the same thing. Changing the nsswitch.conf file affects the entire system, so be sure this is really what you want.

On my Ubuntu 10.04 system, the original line in nsswitch.conf looks like this:

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

To stop using mDNS entirely, change the /etc/nsswitch.conf file hosts line to this:

hosts: files dns

Reverse IP lookups are a common source of delays for all manner of services (including PPP, Sendmail, and many others!).

Advertisements