faster ssh login


I'm using OpenSSH on Linux, connecting using OpenSSH
from other Linux machines and PuTTY from Windows.

I was experiencing some delay before the password prompt
would show up: I had to wait about two and a half seconds.

Then by changing a single line in /etc/sshd/sshd_config to:

UsePAM no

The password shows up in a split second.

Is this normal or is there something wrong with my system?

Sample output with a dummy user, allowed to connect
(for the sake of the example) without using a password:

With "UsePAM yes" :

[dummy ~/] 0 $ time ssh -2 true

real    0m2.472s

With "UsePAM no":

[dummy ~/] 0 $ time ssh -2 true

real    0m0.117s

I'm very satisfied now but I was wondering if
that was normal or not.

Thanks in advance,

Re: faster ssh login


I forgot to add that I started disabling some authentication
methods after noticing (with ssh -v) that the system was
wasting the 2.5 seconds after those messages:

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/dummy/.ssh/id_rsa ((nil))
debug2: key: /home/dummy/.ssh/id_dsa (0x92de640)

and before this one:

debug1: Authentications that can continue:

Re: faster ssh login


So, is it not clear which change (PAM or adjusting the
PreferredAuthentications list) made the difference?

If OpenSSH tries gssapi-with-mic, it will at the point you indicate use
the DNS to find Kerberos authentication servers (KDCs).  If your
nameservers are slow or your resolver misconfigured, that could account for
the delay.  You can check this by snooping the network for DNS traffic
looking for TXT and SRV RRs with names containing "_kerberos".

  Richard Silverman

Re: faster ssh login


Yup, I haven't been very clear: what I meant is that seeing
where it was "freezing", I decided to play with various settings
related to authentication, one by one.

And only modifying one line, from "UsePAM yes" to
"UsePAM no" made my login time drop from 2.5 seconds
to 0.1 second.

In other words, now if I do "ssh -2 -v..." I still see the

Quoted text here. Click to load it

for the only thing I have changed is "UsePAM no"

Actually the output from -vvv with both "UsePAM yes"
and "UsePAM no" are identical (besides some random
numbers)... But the password now appears nearly

Login from distant client is faster too now, so there
really is something going on with that UsePAM setting.

Re: faster ssh login


Do you also get a log message such as the following?
authentication failure (uid=0) -> root for sshd service

If so, see

I suspect that your PAM stack is configured to delay on fail and that
your sshd_config has PermitEmptyPasswords enabled.

At the beginning of the authentication, the client tries the
"none" method, which must allow the login immediately if no further
authentication is required.  Unfortunately, there's really no way to ask
PAM this other than trying the authentication and seeing if it works;
unfortunately this provokes the kind of delay you're seeing.

Note that this behaviour is also dependent on the version of OpenSSH.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
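
The combination described in the reply above can be checked offline. This is an added example, not part of the original thread or of OpenSSH; the function names and both sample files are constructed, and it assumes the PAM auth lines sit directly in the sshd service file rather than behind an include.

```python
import re

# Upstream OpenSSH defaults for the two directives discussed in the thread.
DEFAULTS = {"usepam": "no", "permitemptypasswords": "no"}

def effective_settings(sshd_config_text):
    """Global values; sshd keeps the first occurrence of each keyword."""
    seen = {}
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks start here; globals end
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().strip('"').lower())
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def auth_delay_modules(pam_text):
    """Auth-stack modules that can request a delay after a failed attempt."""
    hits = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # type, control (plain word or [bracketed]), module path, arguments
        m = re.match(r"-?auth\s+(?:\[[^\]]*\]|\S+)\s+(\S+)(.*)", line)
        if not m:
            continue
        module, args = m.group(1).rsplit("/", 1)[-1], m.group(2).split()
        # pam_unix asks for a delay of about two seconds unless "nodelay" is set
        if module == "pam_faildelay.so" or (
                module == "pam_unix.so" and "nodelay" not in args):
            hits.append(module)
    return hits

def diagnose(sshd_config_text, pam_text):
    """Flag the case where the client's "none" probe is passed to a PAM
    stack that delays on failure (heuristic following the reply above)."""
    s = effective_settings(sshd_config_text)
    delays = auth_delay_modules(pam_text)
    probed = s["usepam"] == "yes" and s["permitemptypasswords"] == "yes"
    return {"settings": s, "delay_modules": delays,
            "slow_none_probe": probed and bool(delays)}

# Constructed samples, not taken from the poster's system.
SSHD_SAMPLE = "UsePAM yes\nPermitEmptyPasswords yes\n"
PAM_SAMPLE = "auth required pam_env.so\nauth required pam_unix.so nullok\n"

if __name__ == "__main__":
    print(diagnose(SSHD_SAMPLE, PAM_SAMPLE))
```
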

Re: faster ssh login

Thanks a lot,

everything works and makes sense now.




I'm silly, I was looking for hints in ssh's verbose output but
not in the system log.


Thanks a lot for pointing this to me.


Either setting "UsePAM no" or "PermitEmptyPasswords no"
works (in my case).


Thanks for the explanation,
