b l o g _ m a x i m u m

SSH with Kerberos? No!

Monday May 26, 2008

In the last few days, my SSH connection from home to office is very very slow. However, when it's connected, the speed is not so bad. After some -vvv debug, it seems the SSH client waste a lot of time before showing a line "Cannot resolve network address for KDC in requested realm". What? SSH is using Kerberos? That's bad.

Well I have done some Kerberos programming jobs recently on this computer, but I never meant to tell SSH to use it. Finally I add these 2 lines into ~/.ssh/config, and now it's much faster. 

Host *
GSSAPIKeyExchange no

[2] Comments
Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 06:31PM May 26, 2008 by wangwj in General
Tags:
Comments:

Why do you say that SSH automatically attempting to use Kerberos keys via GSSAPI is a bad thing ?

This will only happen if you have a Keberos configuration setup. If you mean it is bad because the KDC you had configured couldn't be reached then that isn't the fault of ssh.

Posted by Darren Moffat on May 27, 2008 at 09:14 PM CST #

Well, I just don't expect it should do that. My krb5.conf doesn't have a default realm, and I don't have a TGT cache. And, it shouldn't consume so long time (>40s).

Posted by Weijun on May 27, 2008 at 09:36 PM CST #

Post a Comment:
  • HTML Syntax: NOT allowed