SSH login delays of 10-30 seconds are almost always caused by reverse DNS lookups. When you connect, the SSH server tries to resolve your client IP address back to a hostname and verify it matches. If the DNS server is slow, unreachable, or the PTR record does not exist, the connection hangs until the lookup times out. Disabling this check eliminates the delay, and it does not reduce security in environments that do not rely on reverse DNS verification.
Why SSH Reverse DNS Lookups Cause Delays
The UseDNS directive in sshd_config controls whether the server performs a reverse DNS lookup on the connecting client’s IP address. When set to yes (the default on older OpenSSH versions), sshd:
- Takes the client’s IP address and does a PTR lookup to get a hostname
- Does a forward lookup (A/AAAA) on that hostname to verify it resolves back to the same IP
- If the lookup fails or times out, the connection stalls for 10-30 seconds before proceeding
This check was designed to add a layer of hostname verification, but in practice most environments do not have PTR records configured for every client. On modern OpenSSH versions (8.2+), UseDNS defaults to no, but many older installations and some distributions still have it enabled.
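Before switching UseDNS off, check whether anything on the server depends on the resolved client hostname: per sshd_config(5), with UseDNS no only addresses, not host names, can be used in authorized_keys from= options and in Match Host directives. The script below is an added example, not part of the original article; its function names and sample files are constructed for illustration, and the from= classification is a heuristic.

```shell
#!/bin/sh
# Added example (not from the original page): list rules that depend on the
# client's resolved host name. With UseDNS no, sshd matches these against the
# address only, so host name patterns no longer match.

# match_host_rules FILE: print Match lines that carry a Host criterion.
match_host_rules() {
    LC_ALL=C awk '{ l = tolower($0) }
        l ~ /^[ \t]*match[ \t]/ && l ~ /[ \t]host[ \t]/ {
            printf "%s:%d: %s\n", FILENAME, FNR, $0 }' "$1"
}

# from_hostname_rules FILE: print authorized_keys lines whose from="..." list
# holds a host name pattern. Heuristic: a pattern is a host name if it has a
# letter outside a-f, or has letters but no ":" (so not an IPv6 address).
from_hostname_rules() {
    LC_ALL=C awk '/^[ \t]*#/ { next }
        match($0, /from="[^"]*"/) {
            n = split(substr($0, RSTART + 6, RLENGTH - 7), pats, ",")
            for (i = 1; i <= n; i++) {
                p = pats[i]; sub(/^!/, "", p)
                if (p ~ /[g-zG-Z]/ || (p ~ /[a-fA-F]/ && p !~ /:/)) {
                    printf "%s:%d: from=%s\n", FILENAME, FNR, pats[i]
                    break
                }
            }
        }' "$1"
}

# Constructed sample files; key material is a placeholder.
audit_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'UseDNS yes' 'Match Host *.guest.example' \
        '    ForceCommand /bin/false' 'Match Address 10.0.0.0/8' \
        '    X11Forwarding no' > "$d/sshd_config"
    printf '%s\n' \
        'from="10.1.2.0/24,2001:db8::/32" ssh-ed25519 PLACEHOLDER ops' \
        'from="!*.lab.example,*" ssh-ed25519 PLACEHOLDER dev' \
        > "$d/authorized_keys"
    { match_host_rules "$d/sshd_config"
      from_hostname_rules "$d/authorized_keys"; } | sed "s|$d/||"
    rm -rf "$d"
}

audit_demo
```

Any line it reports should be rewritten to use addresses or CIDR ranges before UseDNS is set to no.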
Prerequisites
- Root or sudo access to the SSH server
- OpenSSH server installed (works on all Linux distributions, FreeBSD, macOS)
- A second terminal or console session open as a safety net
Step 1: Disable UseDNS on the SSH Server
Open the SSH server configuration file:
sudo vi /etc/ssh/sshd_config
Find the UseDNS line (it may be commented out) and set it to no:
UseDNS no
On RHEL 10/9, Rocky Linux 10/9, and AlmaLinux 10/9, you can use the drop-in directory instead of editing the main config file:
echo "UseDNS no" | sudo tee /etc/ssh/sshd_config.d/99-no-dns.conf
Validate the configuration before restarting:
sudo sshd -t
No output means the syntax is valid. Restart the SSH service:
sudo systemctl restart sshd
Step 2: Disable GSSAPI Authentication (If Still Slow)
If the delay persists after disabling UseDNS, GSSAPI authentication is the likely cause. GSSAPI (used for Kerberos) also performs DNS lookups during the authentication handshake. Unless you are in a Kerberos/Active Directory environment, disable it:
sudo vi /etc/ssh/sshd_config
Set these two directives:
GSSAPIAuthentication no
GSSAPICleanupCredentials no
Or via drop-in config:
printf "GSSAPIAuthentication no\nGSSAPICleanupCredentials no\n" | sudo tee /etc/ssh/sshd_config.d/99-no-gssapi.conf
Validate and restart:
sudo sshd -t && sudo systemctl restart sshd
Step 3: Restrict to IPv4 (Optional)
If your network does not use IPv6, restricting sshd to IPv4 eliminates AAAA DNS lookups that can add further delay:
AddressFamily inet
Add this to /etc/ssh/sshd_config and restart sshd. Use inet6 for IPv6 only, or any (default) for both.
Step 4: Client-Side Fix
If you cannot modify the server configuration, disable GSSAPI from the client side. Edit ~/.ssh/config on your local machine:
Host *
    GSSAPIAuthentication no
Or pass it as a one-off flag:
ssh -o GSSAPIAuthentication=no admin@server
For full ~/.ssh/config usage, see our guide on managing SSH connections with the config file.
Step 5: Verify the Fix
Measure the SSH connection time before and after the change using verbose mode:
ssh -v admin@server 2>&1 | grep -i 'authenticated\|pledge'
Or time the full connection:
time ssh admin@server 'exit'
A healthy connection completes in under 2 seconds. If you were seeing 10-30 second delays before, they should now be gone.
Confirm the running sshd configuration:
$ sudo sshd -T | grep -i 'usedns\|gssapi'
usedns no
gssapiauthentication no
gssapicleanupcredentials no
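If sshd -T still reports the old value after you add a drop-in, another file probably set the keyword first: sshd uses the first value it obtains for each keyword and expands Include globs in lexical order, so a 99- drop-in does not override a lower-numbered file that already sets the same keyword. The script below is an added example, not part of the original article; the function names and the 50-vendor.conf file are hypothetical, and it only handles absolute Include paths and global (non-Match) settings.

```shell
#!/bin/sh
# Added example (not from the original page): show which file supplies the
# value sshd will use for a global keyword. sshd keeps the first value it
# reads for a keyword, and Include globs are expanded in lexical order.

# flatten FILE: print "file<TAB>keyword<TAB>value" per setting, following
# Include lines in place. Assumes absolute Include paths without spaces.
flatten() {
    while read -r key rest; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            '' | '#'*) ;;                          # blank line or comment
            include)
                for f in $rest; do                 # glob expands in sorted order
                    if [ -f "$f" ]; then flatten "$f"; fi
                done ;;
            *) printf '%s\t%s\t%s\n' "$1" "$key" "$rest" ;;
        esac
    done < "$1"
}

# effective_setting KEYWORD FILE: print "value<TAB>file" for the first global
# occurrence. Lines after a Match line in the same file are conditional and
# skipped, which is a simplification of sshd's Match handling.
effective_setting() {
    flatten "$2" | awk -F '\t' -v kw="$1" '
        tolower($2) == "match" { m[$1] = 1; next }
        !m[$1] && !found && tolower($2) == tolower(kw) {
            print $3 "\t" $1; found = 1 }'
}

# Constructed layout: 50-vendor.conf is a hypothetical distribution default.
dropin_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sshd_config.d"
    printf '%s\n' "Include $d/sshd_config.d/*.conf" '#UseDNS no' \
        'GSSAPIAuthentication no' > "$d/sshd_config"
    printf 'GSSAPIAuthentication yes\n' > "$d/sshd_config.d/50-vendor.conf"
    printf 'UseDNS no\n' > "$d/sshd_config.d/99-no-dns.conf"
    printf 'GSSAPIAuthentication no\n' > "$d/sshd_config.d/99-no-gssapi.conf"
    for k in UseDNS GSSAPIAuthentication; do
        effective_setting "$k" "$d/sshd_config" | sed "s|$d/||"
    done
    rm -rf "$d"
}

dropin_demo
```

In the constructed layout the 99-no-gssapi.conf file loses to 50-vendor.conf; giving the drop-in a name that sorts earlier, or editing the file that sets the value, resolves it, and sshd -T remains the authoritative check.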
Troubleshooting Remaining SSH Delays
If SSH is still slow after these changes, check these additional causes:
- Broken /etc/resolv.conf – If the server’s DNS resolver points to an unreachable nameserver, many services (not just SSH) will be slow. Check with cat /etc/resolv.conf and test with dig google.com
- PAM modules doing network calls – Some PAM configurations (LDAP, SSSD) perform network lookups during authentication. Check /etc/pam.d/sshd
- Slow /etc/hosts.deny or TCP wrappers – If libwrap is enabled, it does additional hostname resolution. Check /etc/hosts.allow and /etc/hosts.deny
- Network MTU issues – Especially common with VPNs. Try ssh -o IPQoS=none admin@server
- SSH banner or MOTD scripts – Slow scripts in /etc/profile.d/ or /etc/motd run after authentication but feel like login delays
Use verbose mode to pinpoint exactly where the delay occurs:
ssh -vvv admin@server 2>&1 | less
Look for long gaps between log lines – the delay happens in the step just before the gap.
Conclusion
Setting UseDNS no and disabling GSSAPI authentication fixes the vast majority of slow SSH login issues. These changes have no impact on security for environments that do not rely on reverse DNS verification or Kerberos authentication. For additional SSH performance, consider enabling SSH multiplexing to reuse connections.