08 October 2012

Configuring sshd for faster login access

Every time I connect to my Linux servers, I notice that after I have entered the password it always takes a while (about 10 to 15 seconds) before the command-line cursor appears. This is really uncomfortable for me, and maybe for you too. After this had happened many times and I got upset with it, I decided to investigate what happens behind the scenes.

To see what happens after I have typed the password, I enabled the verbose mode of the ssh connection with the -v parameter. The information that appears is very helpful: according to it, openssh-server seems to use a lot of authentication methods besides the traditional password method, such as gssapi-with-mic, gssapi-keyex, ... The server waits for these modules, but by default I don't use these methods and I have not configured them yet, so the server has to wait for them until they time out. I need to configure sshd to disable these modules for faster access.



client# ssh -v 10.254.10.30

OpenSSH_5.8p2, OpenSSL 1.0.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.254.10.30 [10.254.10.30] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: publickey,gssapi-with-mic,gssapi-keyex,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
...
debug1: Authentications that can continue: publickey,gssapi-with-mic,gssapi-keyex,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@10.254.10.30's password:

In my circumstances I don't really need the GSSAPI and Kerberos methods yet; the traditional password works fine for now. So I open the config file sshd_config and disable these methods. I also turn off the DNS lookup to save time. Otherwise, whenever you connect, openssh-server will query the DNS server to reverse-resolve the client IP address to a hostname; in my case I don't really need it.

server# vim /etc/ssh/sshd_config

KerberosAuthentication no
GSSAPIAuthentication no
UseDNS no

I need to restart the service to apply the new configuration. Now I can connect to the server instantly, with no more waiting for those sucky methods. The command-line cursor appears immediately. This time, password is the only method the server will try.

client# ssh -v 10.254.10.30

OpenSSH_5.8p2, OpenSSL 1.0.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.254.10.30 [10.254.10.30] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
root@10.254.10.30's password:
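
To compare the two sessions above without reading the debug output by eye, the following added example (not part of the original post) extracts which methods the server advertised and which ones the client attempted. The function names are made up for this example; the sample lines are copied from the two sessions above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `ssh -v` debug output.

# Reads `ssh -v` debug text on stdin and prints two lines:
#   offered=<methods in the last "Authentications that can continue" line>
#   tried=<methods named by "Next authentication method", in order, no repeats>
ssh_auth_summary() {
    awk '
        /^debug1: Authentications that can continue: / {
            offered = $NF            # comma-separated list without spaces
        }
        /^debug1: Next authentication method: / {
            if (!($NF in seen)) {
                seen[$NF] = 1
                tried = tried (tried == "" ? "" : ",") $NF
            }
        }
        END { printf "offered=%s\ntried=%s\n", offered, tried }
    '
}

# Returns 0 (true) when the server still advertises any gssapi-* method,
# i.e. GSSAPIAuthentication has not been switched off on the server.
gssapi_offered() {
    ssh_auth_summary | grep -q '^offered=.*gssapi-'
}

# Sample input: debug lines copied from the first session in the post.
BEFORE='debug1: Authentications that can continue: publickey,gssapi-with-mic,gssapi-keyex,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Authentications that can continue: publickey,gssapi-with-mic,gssapi-keyex,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password'

# Sample input: debug lines copied from the second session in the post.
AFTER='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password'

echo "--- before ---"; printf '%s\n' "$BEFORE" | ssh_auth_summary
echo "--- after ----"; printf '%s\n' "$AFTER"  | ssh_auth_summary
```

For a real connection, save the debug output first, for example with `ssh -v 10.254.10.30 2>debug.log`, and then run `ssh_auth_summary < debug.log`.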

This is just a small tip, but it is really helpful for me in optimizing my Linux server speed. Some things I need to remember:
  • In most Linux commands, use verbose mode (-v option) for more detailed information.
  • In most cases, DNS reverse lookup is not really needed and we can safely disable it.