Troubleshooting SSH slow login

In an earlier post I wrote that a slow SSH login, where it takes a while (a minute or more) after you enter the username before the password prompt appears, can be caused by a wrong DNS configuration.

The sshd option behind this is UseDNS. When it is set to yes (the default in OpenSSH releases before 6.8; from 6.8 on the default is no), sshd does a reverse DNS lookup of the connecting client's IP address to obtain its host name, then resolves that host name again to check that it maps back to the same IP address. sshd blocks on these lookups, so when they are slow the login stalls.

I ran into this issue again recently at a customer site. My first thought was to check the DNS configuration on the SSH server itself, and it looked fine.

Then I wanted to see exactly what was happening during the login, so on the client I used -vvv to get more information:

ssh -vvv joe@remote_host
.
.
.
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50

Clearly it hung right after the message “SSH2_MSG_SERVICE_ACCEPT received”. The following line, “send packet: type 50”, is the client sending its SSH_MSG_USERAUTH_REQUEST, after which it was waiting for the server, so the delay was on the server side. On the server I put sshd in debug mode by changing LogLevel from INFO to DEBUG3 in /etc/ssh/sshd_config and restarting the sshd service (remember to set it back to INFO afterwards: the debug levels log a great deal, and the sshd_config man page warns that they violate the privacy of users). An alternative that leaves the running daemon untouched is to start a second instance in the foreground on a spare port, for example /usr/sbin/sshd -d -d -d -p 2222, and connect to that port (on a host with SELinux enforcing, the port must be one sshd is allowed to bind). On a Red Hat Linux server the log messages go to /var/log/secure. From the log I could see:

Nov 11 12:25:10 joetest sshd[9397]: debug3: Trying to reverse map address 10.22.109.20.

followed by a gap of many seconds before the timestamp of the next message. That showed sshd was hanging in the reverse DNS lookup of the client address. So the DNS configuration on the server was fine, but the client did not exist on the DNS server: there was no PTR record for its address. Note that a DNS server that promptly answers NXDOMAIN would not cause a long delay; the stall comes from the resolver sitting through its timeouts and retries for each server in /etc/resolv.conf when nothing answers for that reverse zone.

To solve this issue, we could do one of the following:

  1. add the client entry (including its reverse/PTR record) to the DNS server;
  2. or add the client entry to the local hosts file /etc/hosts on the ssh server and make sure the hosts line in /etc/nsswitch.conf lists files before dns (the usual default), so the reverse lookup is answered locally without ever asking DNS;
  3. or disable the DNS lookup on the ssh server by setting UseDNS to no in /etc/ssh/sshd_config and restarting sshd. This is the default from OpenSSH 6.8 onwards. What you give up is the ability to use host names (rather than addresses) in from= options in authorized_keys and in Match Host directives, and the client host name in log messages; given that the check is only as trustworthy as the DNS it queries, that is rarely a loss.
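The diagnosis above (time the reverse lookup sshd performs for the client address) and fix 3 (turn UseDNS off) can be scripted. The following is an added example written for this post, not code from the original article; it takes the client address 10.22.109.20 and the path /etc/ssh/sshd_config from the post, and the function names, the 30 second cap and the sample config used in the stand-alone run are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: inspect sshd's UseDNS setting,
# time the reverse lookup sshd would do for a client address, and apply the
# "UseDNS no" fix to a config file. The client address 10.22.109.20 and the
# path /etc/ssh/sshd_config come from the post; function names and the
# 30 s cap are assumptions of this example.

# Print the effective UseDNS value from an sshd_config file.
# sshd uses the FIRST non-comment occurrence of a keyword, keywords are
# case-insensitive, and "Keyword=value" is accepted as well as
# "Keyword value". Prints "unset" when the file does not set it
# (built-in default: yes before OpenSSH 6.8, no from 6.8 on).
effective_usedns() {
    awk '{
            line = $0; sub(/=/, " ", line); n = split(line, f)
            if (n >= 2 && tolower(f[1]) == "usedns") {
                print tolower(f[2]); found = 1; exit
            }
         }
         END { if (!found) print "unset" }' "$1"
}

# Rewrite an sshd_config so that UseDNS is off: drop any existing UseDNS
# lines (commented ones are left alone) and append "UseDNS no". Writes back
# with cat so the file keeps its owner and mode. sshd must be restarted
# afterwards for the change to take effect.
disable_usedns() {
    _scratch=$(mktemp) || return 1
    awk '{
            line = $0; sub(/=/, " ", line); split(line, f)
            if (tolower(f[1]) != "usedns") print $0
         }' "$1" > "$_scratch"
    printf 'UseDNS no\n' >> "$_scratch"
    cat "$_scratch" > "$1"
    rm -f "$_scratch"
}

# Time the reverse lookup of a client address in whole seconds, capped at
# 30 s. getent resolves through /etc/nsswitch.conf (files, then dns), the
# same path sshd's getnameinfo() takes, so this measures what sshd waits
# for; "dig -x" would talk to DNS directly and bypass /etc/hosts.
reverse_lookup_seconds() {
    _start=$(date +%s)
    timeout 30 getent hosts "$1" >/dev/null 2>&1
    _end=$(date +%s)
    echo $((_end - _start))
}

# Stand-alone use:  sh check_usedns.sh 10.22.109.20 [/path/to/sshd_config]
# With no arguments nothing runs, so the file can also be sourced.
if [ $# -gt 0 ]; then
    cfg_path=${2:-/etc/ssh/sshd_config}
    echo "UseDNS in $cfg_path: $(effective_usedns "$cfg_path")"
    echo "reverse lookup of $1 took $(reverse_lookup_seconds "$1") s"
fi
```

A lookup that returns in well under a second rules DNS out as the cause; one that takes tens of seconds is the stall seen in the post. After editing the config and restarting sshd, confirm what the daemon actually uses with sshd -T | grep -i usedns, which prints the effective value rather than what you think the file says.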
