Monday, April 20, 2009

SSH and GSSAPIAuthentication

Reading the mailing lists and forums, you see quite a few people reporting "slow" SSH connections when this option is turned on.

One way to "speed" up the connection is to turn it off, like so:

GSSAPIAuthentication no

in your .ssh/config file or on the command line like so:

ssh -o GSSAPIAuthentication=no


But what is it and what does it do?

GSSAPI stands for Generic Security Services API.

Just as its name suggests, it is an API that provides a standard interface for communicating with different security protocols.

In SSH's case it's designed to talk to Kerberos. On Windows it can be made to talk to NTLM as well.

So what actually happens when SSH communication is initiated?

If you debug the connection you'll see something like this:

debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password

The server offers 'gssapi-keyex' as a possible authentication method, and the client tries to authenticate with it.

With the options listed above we just turn GSSAPI-based authentication off on the client side. But a better solution, if you are not using this authentication at all, is to turn it off on the server side in /etc/ssh/sshd_config, like so:

GSSAPIAuthentication no
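As an added check that is not part of the original post, this shell function reports the effective server-side value from an sshd_config file. It assumes sshd's parsing rules: the first occurrence of a keyword wins, keywords are case-insensitive, and directives after a Match line are conditional, so scanning stops there; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective
# global GSSAPIAuthentication setting in an sshd_config-style file.
# Assumptions: sshd keeps the FIRST value it reads for a keyword,
# keywords are case-insensitive, '#' starts a comment, "Keyword=value"
# is accepted as well as "Keyword value", directives after "Match" are
# conditional (scan stops there), and a missing keyword means the
# compiled-in default ("no" upstream, but some distributions ship
# "yes"), which is reported as "default".
effective_gssapi_auth() {
    # $1 = path to an sshd_config-style file
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }              # normalise Keyword=value
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == "gssapiauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Constructed sample config for demonstration; the second directive
# is ignored because sshd honours the first occurrence.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
GSSAPIAuthentication yes
GSSAPIAuthentication no
PubkeyAuthentication yes
EOF

effective_gssapi_auth "$SAMPLE_CFG"   # prints: yes
rm -f "$SAMPLE_CFG"
```

Run it against the real /etc/ssh/sshd_config to confirm the server actually stops offering GSSAPI after the edit; an "ssh -vvv host" on the client should then no longer show gssapi methods being tried.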

Since SSH is almost the universal way to connect to remote hosts and devices nowadays,
GSSAPI authentication over SSH has its very own RFC to ensure it is done consistently: RFC4462.
