Problem Overview

• Sometimes SSH login takes 5 to 30 seconds before asking for a password, even on a fast network.
• After entering credentials, the login works fine but the initial delay is frustrating.
• This delay is usually caused by GSSAPI (Kerberos) authentication, where the SSH client waits for a response from a Kerberos or DNS service that is not properly configured.
• This guide explains why this happens and shows how to fix slow SSH login safely.

Why This Happens

• By default, SSH attempts GSSAPI authentication (Kerberos-based login).
• If:

• • No Kerberos server is configured

  • DNS reverse lookup is slow

  • The client or server waits for a GSSAPI response

• SSH waits until it times out, causing login delay.
• If you are not using Kerberos, GSSAPI should be disabled.

Solution

• Run SSH in verbose mode:

  • [user@host ~]$ ssh -vvv user@server_ip

• If you see delays around these lines debug1: Next authentication method: gssapi-with-mic, GSSAPI is the issue.

• Edit the configuration file

  • [user@host ~]$ sudo vi /etc/ssh/sshd_config

• Update/add the below to lines and ensure there is no # at the beginning of these lines.

  • GSSAPIAuthentication no
    GSSAPICleanupCredentials no

• Restart the SSH service

  • [user@host ~]$ sudo systemctl restart sshd

• Test the login again, The password prompt should appear immediately

  • [user@host ~]$ ssh user@server_ip

• If you cannot modify the server side, you can disable GSSAPI on the client side. (It’s a temporary solution)

  • [user@host ~]$ ssh -o GSSAPIAuthentication=no user@server_ip

Note:

Do not disable GSSAPI if:

• You are using Kerberos authentication

• You are in an enterprise SSO environment

• SSH logins depend on AD or Kerberos tickets

For normal Linux servers, VPS, cloud instances disabling GSSAPI is safe.