ssh connection takes forever to initiate, stuck at "pledge: network"
Connection to one of my servers using ssh takes more than 20 seconds to initiate.
This is not related to LAN or WAN conditions, since connection to itself takes the same (ssh localhost). After connection is finally establised, it is super fast to interract with the server.
Using -vvv shows that the connection is stuck after saying "pledge: network". At this point, authentication (here using key) is already done, as visible here :
...
debug1: Authentication succeeded (publickey).
Authenticated to myserver.mydomain.com ([xx.xx.xx.xx]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
(...stuck here for 15 to 25 seconds...)
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
...
Server is Ubuntu 16.04. It already happened to me in the past with another server (was Ubuntu 12.04) , nerver found the solution and the problem disapeared after a while...
sshd_config is the default one provided by Ubuntu.
So far I have tried :
- using -o GSSAPIAuthentication=no in the ssh command
- using password instead of a key
- using UsePrivilegeSeparation no instead of yes, in sshd_config
Solution 1:
This is probably an issue with D-Bus
and systemd
. If the dbus
service is restarted for some reason, you will also need to restart systemd-logind
.
You can check if this is the issue by opening the ssh daemon log (on Ubuntu it should be /var/log/auth.log
) and check if it has these lines:
sshd[2721]: pam_systemd(sshd:session): Failed to create session: Connection timed out
If yes, just restart systemd-logind
service:
systemctl restart systemd-logind
I had this same issue on CentOS 7, because the messagebus
was restarted (which is how the D-Bus
service is called on CentOS).
Solution 2:
found the answer :
changed UsePAM from yes to no in sshd_config file
After restarting the ssh service, the connection is now immediate to the server. On this server, PAM is linked to ldap, so that is probably the reason, even if here I am connecting with a user declared on the server itself, not an LDAP one.
Well, this is more a way to bypass the issue, not really a solution... I have other servers set up the same way that are not having this issue.
Hope this may help someone...
Solution 3:
This happened on two of my Fedora 25 servers, and was due to lots of failed SSH login attempts.
(The common suggestions of using GSSAPIAuthentication=no
and UseDNS=no
, or restarting systemd-logind
, made no difference.)
On these servers, /etc/pam.d/postlogin
contains:
session optional pam_lastlog.so silent noupdate showfailed
The man page for pam_lastlog
explains that the showfailed
option will:
Display number of failed login attempts and the date of the last failed attempt from btmp.
On these servers, the /var/log/btmp
files were enormous due to many failed login attempts. The btmp
log files weren't being rotated either.
I installed the logrotate
package to ensure the log files will be rotated in future. (On Fedora, the configuration that ships with logrotate
handles the rotation of /var/log/btmp
.)
I also deleted the enormous btmp
log files; as soon as I did this, connecting to the servers was instantaneous again.