When establishing SSH connections to Ubuntu 16.04 servers (previously observed on 12.04 as well), the session hangs for 15-25 seconds after displaying:
debug1: pledge: network
This occurs even on localhost connections, ruling out network latency. Authentication completes successfully before this point, as shown in debug logs:
debug1: Authentication succeeded (publickey).
Authenticated to myserver.mydomain.com ([xx.xx.xx.xx]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
ssh -o GSSAPIAuthentication=no user@host
- Password authentication instead of keys
- Setting UsePrivilegeSeparation no in /etc/ssh/sshd_config
The "pledge: network" message relates to OpenBSD's security mechanism (adopted by OpenSSH) that restricts system calls after certain operations. On Linux systems using pledge emulation, this can trigger unexpected delays due to:
1. DNS resolution timeouts
2. Systemd socket activation
3. seccomp filter initialization
4. ASLR (Address Space Layout Randomization) collisions
Solution 1: Disable DNS resolution on the server
# /etc/ssh/sshd_config
UseDNS no
Solution 2: Optimize systemd socket activation
sudo systemctl edit ssh.socket
[Socket]
Accept=yes
Solution 3: Adjust Linux kernel parameters
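# /etc/sysctl.conf
# 3 = enable TCP Fast Open for both outgoing (client) and listening (server) sockets
net.ipv4.tcp_fastopen = 3
# 1 = randomize stack, mmap and vDSO only; the kernel default of 2 also randomizes the heap (brk)
kernel.randomize_va_space = 1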
To pinpoint the exact bottleneck, try:
strace -f -o ssh.strace -tt ssh -vvv localhost
perf trace -e 'net:*' ssh localhost
Look for gaps in the timestamp output where the process might be waiting on:
- getaddrinfo() calls
- poll()/select() system calls
- futex() operations
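One way to find those gaps automatically, as an added example that is not part of the original page: the script below reads strace -f -tt output such as ssh.strace and reports, per PID, every pause above a threshold together with the call that was blocking. The sample trace is constructed for illustration, and the names find_gaps and SAMPLE are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `strace -f -tt -o ssh.strace` output (not a real capture).
SAMPLE = """\
4242 10:15:01.100000 connect(3, {sa_family=AF_INET, sin_port=htons(22)}, 16) = 0
4242 10:15:01.350000 write(2, "debug1: pledge: network\\r\\n", 25) = 25
4242 10:15:01.350400 select(7, [3], [], NULL, NULL) = 1 (in [3])
4242 10:15:21.360000 read(3, "\\0\\0\\0\\20", 8192) = 44
4243 10:15:01.200000 futex(0x7f00, FUTEX_WAIT, 0, NULL) = 0
4243 10:15:01.200900 exit_group(0) = ?
"""

# Optional PID (present with -f and -o), then the -tt timestamp, then the call.
LINE = re.compile(r"^(?:(\d+)\s+)?(\d\d:\d\d:\d\d\.\d+)\s+(.*)$")

def find_gaps(text, threshold=1.0):
    """Return (seconds, pid, call) for each per-PID pause >= threshold.

    The pause is charged to the earlier line: the -tt stamp marks when a
    call started, so that call is the one that was blocking.
    """
    last = {}   # pid -> (timestamp, call text)
    gaps = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip signal notices, blank lines, etc.
        pid, stamp, call = m.group(1) or "-", m.group(2), m.group(3)
        now = datetime.strptime(stamp, "%H:%M:%S.%f")
        if pid in last:
            prev, prev_call = last[pid]
            delta = now - prev
            if delta < timedelta(0):   # capture crossed midnight
                delta += timedelta(days=1)
            if delta.total_seconds() >= threshold:
                gaps.append((round(delta.total_seconds(), 3), pid, prev_call))
        last[pid] = (now, call)
    return sorted(gaps, reverse=True)  # longest pause first

if __name__ == "__main__":
    for secs, pid, call in find_gaps(SAMPLE):
        print(f"{secs:8.3f}s  pid {pid}  {call[:70]}")
```

To run it on a real capture, pass open("ssh.strace").read() to find_gaps instead of SAMPLE.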
Create a systemd drop-in file to modify SSH startup:
sudo mkdir -p /etc/systemd/system/ssh.service.d
sudo tee /etc/systemd/system/ssh.service.d/10-optimize.conf <<EOF
[Service]
CPUAffinity=0
IOAccounting=yes
MemoryAccounting=yes
EOF
sudo systemctl daemon-reload
When connecting to my Ubuntu 16.04 server, SSH authentication completes successfully but then hangs for 15-25 seconds at the pledge: network message before establishing the session. This occurs even with localhost connections (ssh localhost), ruling out network issues.
debug1: Authentication succeeded (publickey).
Authenticated to myserver.mydomain.com ([xx.xx.xx.xx]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
[...20 second delay...]
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
The pledge system call is a security feature in OpenBSD that restricts process capabilities. On Linux (through Ubuntu's patched OpenSSH), this implements similar sandboxing. The delay suggests the system is struggling with:
- DNS resolution attempts
- PAM module initialization
- Privilege separation mechanisms
- TCP/IP stack interactions
Common suggestions that didn't resolve our case:
# Doesn't help:
ssh -o GSSAPIAuthentication=no user@host
# In sshd_config (security downgrade, still slow):
UsePrivilegeSeparation no
Add these lines to /etc/ssh/sshd_config:
UseDNS no
# Force IPv4 only if you don't need IPv6
AddressFamily inet
Then restart sshd:
sudo systemctl restart sshd
# Or for older systems:
sudo service ssh restart
For comprehensive improvement, consider these secondary adjustments:
# /etc/ssh/sshd_config
LoginGraceTime 30s
MaxAuthTries 3
MaxSessions 10
ClientAliveInterval 300
Test with verbose output to confirm the delay is gone:
# ssh writes its debug output to stderr, so redirect it into the pipe
ssh -vvv user@localhost 2>&1 | grep -A 5 "pledge: network"
The connection should now proceed immediately after the pledge message.
For testing purposes, try this minimal config (backup original first):
# /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
UseDNS no