Debugging SSH Authentication Delays: Understanding and Disabling GSSAPI-with-MIC for Performance Optimization



GSSAPI (Generic Security Services Application Programming Interface) is an industry-standard protocol for secure authentication, commonly used in enterprise environments with Kerberos. The -with-mic suffix specifically refers to the "Message Integrity Check" feature, which provides cryptographic verification of authentication exchanges.

The performance issues occur because:

  1. It requires additional round-trips between client and server
  2. MIC calculation adds computational overhead
  3. DNS lookups for Kerberos realms may time out
  4. Ticket-granting service (TGS) requests can be slow

To disable it in your SSH client configuration (~/.ssh/config or /etc/ssh/ssh_config):

Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no

On the SSH server (/etc/ssh/sshd_config):

GSSAPIAuthentication no
UsePAM yes

Despite performance impacts, GSSAPI-with-MIC provides:

  • Single sign-on capabilities in Kerberized environments
  • Stronger security than password authentication
  • Support for credential delegation

Consider these faster alternatives:

# Public key authentication (recommended)
ssh-keygen -t ed25519
ssh-copy-id user@host

# Host-based authentication (sshd_config on the server; the client side
# also needs HostbasedAuthentication yes in ssh_config)
HostbasedAuthentication yes
IgnoreRhosts no

To diagnose GSSAPI issues:

ssh -vvv user@host  # Verbose output
klist              # Check Kerberos tickets
date               # Verify time synchronization

The gssapi-with-mic authentication method combines two security components:

  • GSSAPI: A generic API for security services (RFC 2743)
  • MIC: Message Integrity Code (RFC 4462)

Unlike regular GSSAPI, which performs mutual authentication, -with-mic adds an integrity check for the entire authentication exchange. This explains the additional overhead you're observing.

Typical authentication lags occur because:

1. Multiple round-trips between client and KDC
2. Ticket validation steps
3. MIC calculation overhead
4. Potential DNS lookups for realm resolution

To disable in SSH client config (~/.ssh/config):

Host *
    GSSAPIAuthentication no
    GSSAPIKeyExchange no

Server-side (/etc/ssh/sshd_config):

GSSAPIAuthentication no
GSSAPICleanupCredentials yes

Despite the overhead, keep GSSAPI-with-MIC enabled for:

  • Enterprise environments with Active Directory integration
  • Kerberized Hadoop clusters
  • Cross-realm authentication scenarios

Enable verbose logging to identify bottlenecks:

ssh -vvv user@host
# Check for lines containing:
# debug1: Authentications that can continue: gssapi-with-mic
# debug3: send packet: type 50

For Kerberos-specific debugging:

KRB5_TRACE=/dev/stderr ssh user@host

If you must use GSSAPI:

  1. Pre-generate credentials with kinit
  2. Set proper DNS timeouts in /etc/krb5.conf:
    [libdefaults]
    dns_lookup_kdc = false
    udp_preference_limit = 1
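Both diagnostic sections above tell you to read the ssh -vvv output by eye. The shell snippet below, an added example and not part of either answer, automates that reading over a constructed sample of OpenSSH debug lines: it reports "wasted-gssapi" when the client tried gssapi-with-mic, failed for lack of a Kerberos ticket, and then succeeded with another method, which is exactly the case where setting GSSAPIAuthentication no costs nothing. The log text, the host cache path and the function names are assumptions made for the example.

```shell
# Constructed sample of `ssh -vvv user@host` output, trimmed to the lines that
# matter here (not a real capture).
SAMPLE_LOG='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519
debug1: Authentication succeeded (publickey).'

# Same session after GSSAPIAuthentication no in ~/.ssh/config (constructed).
SAMPLE_LOG_FIXED='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Authentication succeeded (publickey).'

# Does the server advertise gssapi-with-mic at all?  Exit 0 = yes.
server_offers_gssapi() {
    printf '%s\n' "$1" | grep -q 'Authentications that can continue:.*gssapi-with-mic'
}

# Did the client actually attempt gssapi-with-mic?
client_tried_gssapi() {
    printf '%s\n' "$1" | grep -q 'Next authentication method: gssapi-with-mic'
}

# Did that attempt fail because no Kerberos ticket was in the cache?
gssapi_failed_no_creds() {
    printf '%s\n' "$1" | grep -q 'No Kerberos credentials available'
}

# Print the method that finally succeeded, e.g. "publickey".
winning_method() {
    printf '%s\n' "$1" | sed -n 's/.*Authentication succeeded (\([^)]*\)).*/\1/p' | head -n 1
}

# "wasted-gssapi": GSSAPI was tried, failed for lack of a ticket, and another
# method won: the delay is pure overhead and GSSAPIAuthentication no is safe.
diagnose() {
    if client_tried_gssapi "$1" && gssapi_failed_no_creds "$1" \
       && [ "$(winning_method "$1")" != "gssapi-with-mic" ]; then
        echo wasted-gssapi
    else
        echo ok
    fi
}

diagnose "$SAMPLE_LOG"        # wasted-gssapi
diagnose "$SAMPLE_LOG_FIXED"  # ok
```

To run it against a real session, replace SAMPLE_LOG with the captured output of `ssh -vvv user@host 2>&1`; a "wasted-gssapi" result on a host where you hold no ticket confirms the delay comes from the GSSAPI attempt and not from the key exchange.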