Docs / Troubleshooting / Troubleshoot Slow SSH Connections

Troubleshoot Slow SSH Connections

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 401 views · 3 min read

Slow SSH connections are frustrating — you type the command, wait 10-30 seconds, then suddenly the login prompt appears. The delay is almost always caused by reverse DNS lookups or authentication negotiation, not network latency. This guide covers fixing the most common causes of slow SSH.

Diagnose Where the Delay Is

# Connect with verbose output to see where it hangs
ssh -vvv user@server 2>&1 | tee /tmp/ssh-debug.log

# Look for long pauses between lines
# Common slow points:
# "debug1: SSH2_MSG_SERVICE_ACCEPT received" ... long pause ...
# → DNS lookup delay (server looking up your IP)
#
# "debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password"
# → GSSAPI authentication attempt (trying Kerberos before password)
#
# "debug1: Offering public key: /home/user/.ssh/id_rsa" ... long pause ...
# → Agent forwarding or key verification delay

# Time the connection
time ssh user@server exit

Fix 1: Disable DNS Lookup on Server (Most Common)

# The SSH server does a reverse DNS lookup on your IP by default
# If DNS is slow, this adds 10-30 seconds

# Edit SSH server config
sudo vim /etc/ssh/sshd_config

# Add or change:
UseDNS no

# Restart SSH
sudo systemctl restart sshd

# This is safe — DNS lookups in SSH are mainly for logging pretty hostnames

Fix 2: Disable GSSAPI Authentication

# GSSAPI (Kerberos) authentication attempts take time when Kerberos isn't configured

# Server-side fix (/etc/ssh/sshd_config):
GSSAPIAuthentication no

# Client-side fix (~/.ssh/config):
Host *
    GSSAPIAuthentication no

# Restart SSH server after changes
sudo systemctl restart sshd

Fix 3: Disable Reverse DNS on the Client

# Client-side SSH config
# ~/.ssh/config
Host *
    GSSAPIAuthentication no
    AddressFamily inet        # Force IPv4 (avoids IPv6 timeout)
    ServerAliveInterval 60    # Keep connection alive
    ServerAliveCountMax 3
    ConnectTimeout 10

Fix 4: systemd-logind Delay

# On some systems, systemd-logind causes delays during SSH login
# Check if logind is the problem
journalctl -u systemd-logind --since "5 minutes ago"

# If you see "New session" messages taking long:
# Fix: Restart systemd-logind
sudo systemctl restart systemd-logind

# Or check if D-Bus is responsive
dbus-send --system --print-reply --dest=org.freedesktop.login1 \
    /org/freedesktop/login1 org.freedesktop.login1.Manager.ListSessions

Fix 5: PAM Module Delays

# Some PAM modules add delays
# Check PAM configuration for SSH
cat /etc/pam.d/sshd

# Common slow modules:
# pam_motd.so — generating MOTD can be slow
# pam_mail.so — checking for mail
# pam_env.so — reading environment files
# pam_systemd.so — registering session

# Check which PAM modules are called
strace -e trace=openat -p $(pgrep -f 'sshd.*listener') 2>&1 | head -50

Quick Fix Summary

# All-in-one server-side fix
sudo sed -i 's/^#*UseDNS.*/UseDNS no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*GSSAPIAuthentication.*/GSSAPIAuthentication no/' /etc/ssh/sshd_config
echo "UseDNS no" | sudo tee -a /etc/ssh/sshd_config 2>/dev/null
echo "GSSAPIAuthentication no" | sudo tee -a /etc/ssh/sshd_config 2>/dev/null
sudo systemctl restart sshd

Best Practices

  • Set UseDNS no on every server — it's the #1 cause of slow SSH
  • Disable GSSAPI unless you're actually using Kerberos authentication
  • Use ssh -vvv to pinpoint exactly where the connection stalls
  • Force IPv4 with AddressFamily inet if IPv6 isn't configured
  • Use SSH multiplexing for multiple connections to the same server

Was this article helpful?

Related Articles