10.7: Removing a Delay in SSH commands to some hosts

Oct 25, '11 07:30:00AM

Contributed by: easco

Using SSH to connect to some servers can introduce long delays from the time the command is issued until the connection with the server is established. This hint describes two potential problems and offers a solution.

In connecting to a local server, my ssh command would take about 20 seconds to complete. Non-Macintosh clients would not see this delay. After searching for the web and slogging through a number of posts that suggested how to change the server to fix ssh delays, I pieced together enough information to find out how to change my client configuration to solve the problem.

The first, and largest cause of delays, was my client and the server working to authenticate me using 'GSSAPI' (Kerberos) authentication. That seemed to be a good 15-18 seconds of the delay. I fixed this problem by adding a configuration file for my user that disabled GSSAPI authentication for the host. The file I added is ~/.ssh/config and I created it to read:

Host -host-name-here-
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
Where -host-name-here- is replaced with the name of the host so that it matches whatever you type into the ssh command. If you want to disable GSSAPIAuthentication for all hosts you can use an asterisk '*' as a wildcard host name.

That took the delay down to about a second or two. Based on another hint found in this forum, I discovered that the Mac also tries to negotiate with the server through both IPv4 and IPv6 channels. This server doesn't do IPv6 so I changed my ssh config to read:
Host -host-name-here-
 GSSAPIAuthentication no
 GSSAPIKeyExchange no
 AddressFamily inet
This forces ssh to use only IPv4 and made my ssh connections almost instantaneous.

[crarko adds: I haven't tested this one.]

Comments (11)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20111020115417965