Hello,

I've got a Centos7 server setup in my Hyper-V. When i ssh into that machine it lags. After sshing into the machine, when i performs any type of action it lags. Even typing a simple cd it takes about a good minute for it show up on the screen let alone perform any type of action. This only happens when i ssh into that machine from anywhere. But when open up the machine from Hyper-v there is no lag or anything, it performs beautifully. Based on some reading online i have set the GSSAPIAuthentication no. Some forms suggest that it would clear up the issue but it hasn't. Please help.

I have RHEL7 guests on Hyper-V with no appreciable lag via ssh.

On looking at one just now in both /etc/ssh/ssh_config and /etc/ssh/sshd_config I see it set to yes:
GSSAPIAuthentication yes

Note that lines for GSSAPIAuthentication appears multiple times in the configs but is usually commented out (prepended by a pound sign [#]). It should only be uncommented once which is what I show above.

You may wish to be sure the line you're looking at is NOT commented out.

This is what i have so far for the GSSAPI options

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

This is what i have in the /etc/ssh/sshd_config file. This whole file is the same as in the root account and the user account that has sudo privilages.
The only thing different is that in the root account this file has AllowUsers (username1) (username2). I am assuming that AllowUsers means that those users can ssh into the machine with their AD credentials. Thanks for your reply.

Just to clarify, you only have ONE /etc/ssh/ssh(d)config. You do not have one of these files for each user.

I apologize for the miscommunication. Yes, there is only one /etc/ssh/ssh(d). I have a user that is able to login with his AD credential and that user has sudo privilages, and then ofcoruse there is the root user. I just re-read your first comment about changing the "GSSAPIAuthentication no" in both the /etc/ssh/sshd_config and /etc/ssh/ssh_config. Originally i had changed it to "GSSAPIAuthentication no" in only the /etc/ssh/sshd_config file. I have made the changes in both places now, /etc/ssh/sshd_config and /etc/ssh/ssh_config. I just ssh'ed into that machine with a testuser and there didnt seem to be any lag. In my mind, i think that changing "GSSAPIAuthentication no" in both places may have fixed the issue. I just sent out an email to the privileged user to confirm that there is no more lag. Will get back to you on his reply.

Thank you

Update.

I got a reply from the user and he states that he is still having lag on that machine while ssh'd into it. So it seems Changing the GSSAPI options in the ssh(d)_config file did not help. Anymore suggestion anyone?

If you're not having issues with a Linux users but he is with an AD user it suggests the issue may be with the AD access rather than the ssh access.

Also as noted in my earlier post we have GSSAPI option set to yes rather than no as you do. You might try reversing in both config files to see if it makes a difference.

Thanks for your reply. I have tried turning the options to Yes and no in both file but to no avail. I am not exactly sure what else it could be..Hmm..

If you're relying on AD for Linux login by the user maybe its an issue with Samba configuration on Linux?

I dont believe its a samba issue, for some reason im thinking it may have something to do with the network or DNS but i cant place it.

What's in /etc/nsswitch.conf for hosts: line?

What's in /etc/resolv.conf?

Do you use the AD domain controllers for DNS as well? (We do internally.)

In /etc/nsswitch.conf

#hosts: db files nisplus nis dns
hosts: files dns myhostname

In /etc/resolve.conf

# Generated by NetworkManager
search tang.com
nameserver XXX.XX.X.XX

and yes we use AD domain controllers for DNS.

From the Linux server can you connect to port 53 on XXX.XX.X.XX?

If you run "dig @XXX.XX.X.XX <workstation name>" does it give you the IP of the user's workstation from which he is doing his ssh to your Linux server?

If you run "dig @XXX.XX.X.XX <AD server name>" does it give you the IP of the AD server?

Do you have either of those name in /etc/hosts on the Linux server with different IPs than they have in DNS?

I hadn't noticed "myhostname" previously but see it is in my nsswitch.conf as well. On looking up its meaning I did find an article at RedHat saying it was causing issues if you didn't have package systemd-219-36.el7 or above. You might want to verify you do.
Article is at https://access.redhat.com/solutions/2766251 but requires a subscription to see.

output of #dig AD

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> AD SERVER NAME HERE
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15075
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;AD SERVER NAME HERE. IN A

;; Query time: 9 msec
;; SERVER: XXX.XX.X.XX#53(XXX.XX.X.XX)
;; WHEN: Fri Aug 04 15:19:37 EDT 2017
;; MSG SIZE rcvd: 43


Output of #dig workstation

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> CURRENT WORKING MACHINE NAME HERE
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1498
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;CURRENT WORKING MACHINE NAME HERE. IN A

;; Query time: 1 msec
;; SERVER:XXX.XX.X.XX#53(XXX.XX.X.XX)
;; WHEN: Fri Aug 04 15:23:35 EDT 2017
;; MSG SIZE rcvd: 45


In /etc/hosts, I have the following(which has the Ip adress and name of the current machine.)

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

XXX.XX.X.XX Current-machine-name-here Current-machine-name-here.Tang.com


I did a #rpm -qa | grep systemd-219-36.el7
But got nothing in return. Which means i dont have the package at all in my system. I couldnt completely read the redhat article but i wonder, if you dont have the latest or the package at all what happens? you said it would cause an issue. what type of an issue?

Thanks a bunch.

If your responses ended with "IN A" after the host names it means they did NOT resolve so that may be your problem. Are your AD server and workstation in domain tang.com? If not did you type in the fully qualified domain name (FQDN) for each (i.e. servername.domainname)?

You're use of rpm command is slightly off.

rpm -qa will show ALL RPM packages - you can run "rpm -qa |grep systemd" to see all packages with systemd in the namme.

When you know the name of the package you can just specify that:
rpm -q systemd

You're not looking to see if you have exactly systemd-219-36.el7 but rather at least that version
So if for example you ran "rpm -q systemd" and it responded with systemd-219-19.el7_2.4.x86_64 that is version 219-19 which is earlier than 219-36 so you'd want to run "yum update systemd" to get the latest package.

On my test system doing that just now installed version 219-42. After the update "rpm -q systemd" now shows:
systemd-219-42.el7.x86_64

Since the link is restricted to RedHat subscribed users I can't put its contents here. It doesn't specifically talk about the issue you are having so may not be involved and the only reason I saw it was because I'd never noticed RHEL7 added that last item to hosts: line in nsswitch.conf before.