The slowness I'm having is that the FIRST connection is immediate, but SUBSEQUENT connections time out negotiating IPv6 before proceeding.
I prefer Scott's method of limiting the edits to my local ~/.ssh/config, but you need to edit the global config file if you want to add "UseDNS no". Thanks for posting this and excellent comments everybody.

GSSAPIKeyExchange uses the GSSAPI library to do kerberos authentication of hosts instead of using ssh host keys. It avoids all the known_hosts bother, but requires that you set up either kerberos or active directory and then get the linux boxes that you are trying to ssh into joined to the kerberos realm / active directory domain. That is typically more of a PITA than most IT admins are willing to go through, so nearly everywhere you can turn off the GSSAPI-related options in your ssh_config and it'll be fine. The only way that you might want this is if your work actually has the servers that you are ssh'ing to joined to a domain and set up properly to do key exchange. And it's relatively new enough that even at the two kerberos infrastructures that I've maintained I didn't have servers that supported it, so I couldn't get rid of ssh host key management.

Anyway, ask your IT guys at work about it, and in the 99% case when they do dog-tilt-head and look at you like you're speaking a foreign language to them, you can safely turn this off with precisely zero impact to security. If you happen to work someplace that does decent IT and has very strong kerberos and security knowledge (say, Morgan Stanley) then you would not want to do this. You'd also know because your mac laptop would need to be joined to a domain/realm or you would need to auth to the domain to get a TGT in order to authenticate the hosts. If there's any question, ssh to a host at work and then in another window run this:

klist

klist: krb5_cc_get_principal: No credentials cache file found

Means you probably aren't using kerberos for ssh logins or you'd see the host tickets in the output of that command.

And there's also little security risk from 'UseDNS no' as well. dns is lousy security and often not maintained well, and the crypto in ssh does not rely on it. You're better off paying attention to the host-key-mismatch error messages (and those are such a mess typically that everyone tends to ignore those anyway - which is why gssapikeyexchange would be slick - but sysadmins continue to think that kerberos is too hard to deploy.)
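The klist check and the "turn off the GSSAPI options in ssh_config" advice above, put together as an added example that is not from any of the commenters: it classifies klist output and, when no Kerberos tickets are present, prints a client-side stanza for an assumed host pattern work.example.com. It also covers the IPv6 stall from the first comment via AddressFamily inet; the sample klist output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from `klist` output whether
# Kerberos tickets exist (so GSSAPI may really be in use), and if not, emit a
# ~/.ssh/config stanza that turns the GSSAPI options off for a host pattern.

# krb_tickets_present: reads `klist` output on stdin. Returns 0 when the cache
# lists at least one ticket (a service@REALM line), 1 when klist reported no
# cache or no tickets. Matches the usual MIT ("No credentials cache") and
# Heimdal ("No ticket file") wording.
krb_tickets_present() {
    out=$(cat)
    case "$out" in
        *"No credentials cache"*|*"o ticket file"*) return 1 ;;
    esac
    # Ticket lines carry the service principal, e.g. host/server.example.com@EXAMPLE.COM;
    # skip the "Default principal:"/"Principal:" header line, which also contains an '@'.
    printf '%s\n' "$out" | grep -v -i 'principal:' | grep -q '@'
}

# gssapi_off_stanza HOSTPATTERN: client-side stanza that skips GSSAPI negotiation.
# GSSAPIKeyExchange only exists in OpenSSH builds carrying the GSSAPI key-exchange
# patch, so IgnoreUnknown keeps stock builds (e.g. macOS) from rejecting the file.
# AddressFamily inet avoids the IPv6 negotiation stall; drop it for IPv6-only hosts.
# UseDNS is an sshd_config (server-side) keyword, so it does not belong in this stanza.
gssapi_off_stanza() {
    cat <<EOF
Host $1
    IgnoreUnknown GSSAPIKeyExchange
    GSSAPIAuthentication no
    GSSAPIKeyExchange no
    GSSAPIDelegateCredentials no
    AddressFamily inet
EOF
}

# Constructed sample: what klist prints on a laptop with no Kerberos credentials.
SAMPLE_NO_CACHE='klist: krb5_cc_get_principal: No credentials cache file found'

if printf '%s\n' "$SAMPLE_NO_CACHE" | krb_tickets_present; then
    echo "Kerberos tickets found; look for host/ tickets before disabling GSSAPI"
else
    echo "# no Kerberos tickets; safe to add to ~/.ssh/config:"
    gssapi_off_stanza 'work.example.com'
fi
```

On a real machine, replace the constructed sample with `klist 2>&1 | krb_tickets_present` and append the printed stanza to ~/.ssh/config only if the check reports no tickets.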