# SSH slow login



## xy16644 (Dec 29, 2013)

I've just set up SSH on my new server but I am using a new OpenPGP v2 smartcard in a USB Gemalto stick. I've generated a 4096 bit length key that I use for authenticating with SSH. I have added my public key to the authorized_keys file and I am able to login no problem.

The only issue is, it takes about 5 seconds to login once I have typed in my username and PIN. On my older server I have a 1024 bit length key (also on an OpenPGP smartcard) and it logs in pretty much instantly (there's never any delay).

I have compared both servers' /etc/ssh/sshd_config files and they are the same (with some small exceptions). Both servers are using the same DNS and I have tried turning off

```
UseDNS no
```

But this made no difference after restarting the SSH service. Is there anything I am missing? I know a 4096 bit key is much longer than a 1024 bit key but surely it's not _that_ much slower? On one blog the author said the difference in speed between a 2048 bit and 4096 bit key was 0.3 seconds.

Am I missing something obvious here?? I'm not running any firewall on the server at all.


----------



## wblock@ (Dec 29, 2013)

Create a new, temporary 1024-bit key and try that.  Odds are that it will do the same thing.  DNS is still a likely cause.  Compare /etc/hosts between the two, for a start.


----------



## xy16644 (Dec 29, 2013)

I did some more testing and if I use my 1024 bit key from my old server on the new server it logs in instantly (which tells me it isn't DNS). As soon as I switch to the 4096 bit key it takes three seconds to log in (I timed it). 

So the _only_ difference is the key length (1024 bits vs 4096 bits). I've checked the /etc/hosts file.

Could it just be that the 4096 bits key is that much stronger so it takes longer to log in with?


----------



## wblock@ (Dec 29, 2013)

It should not be that different.  I'd try `ssh -vvv`, and if that did not show where the pause happened, set LogLevel to DEBUG3 in /etc/ssh/sshd_config and compare the entries for the 1024- and 4096-bit keys.


----------



## xy16644 (Dec 29, 2013)

I set LogLevel to DEBUG3 in /etc/ssh/sshd_config and this is what the log file had to say:

```
Dec 29 20:23:56 mail sshd[1671]: Failed publickey for usertest from 192.168.0.10 port 51945 ssh2: RSA 8a:e1:6c:b3:6d:f6:32:a1
Dec 29 20:23:56 mail sshd[1671]: Postponed publickey for usertest from 192.168.0.10 port 51945 ssh2 [preauth]
Dec 29 20:23:59 mail sshd[1671]: Accepted publickey for usertest from 192.168.0.10 port 51945 ssh2: RSA 41:85:81:22:23:8e
```

It looks like it is trying to use my "sign key" (RSA 8a:e1:6c:b3:6d:f6:32:a1) on the OpenPGP card before trying the "authentication key" (RSA 41:85:81:22:23:8e). Is there a way to prioritise it so that the authentication key is tried first?

On my other OpenPGP card the Auth key is listed first which is why it's logging in instantly!


----------
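
The comparison done by eye in the post above can be scripted. This is an added example, not part of the thread: it groups sshd publickey log lines by connection (sshd PID) and reports which keys were rejected before the accepted one and how long the sequence took. The function names and the `year` default are assumptions, and the sample input is the log excerpt from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above (fingerprints as posted).
SAMPLE_LOG = """\
Dec 29 20:23:56 mail sshd[1671]: Failed publickey for usertest from 192.168.0.10 port 51945 ssh2: RSA 8a:e1:6c:b3:6d:f6:32:a1
Dec 29 20:23:56 mail sshd[1671]: Postponed publickey for usertest from 192.168.0.10 port 51945 ssh2 [preauth]
Dec 29 20:23:59 mail sshd[1671]: Accepted publickey for usertest from 192.168.0.10 port 51945 ssh2: RSA 41:85:81:22:23:8e
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<event>Failed|Postponed|Accepted) publickey for (?P<user>\S+) "
    r"from \S+ port \d+ ssh2(?:: (?P<key>\S+ \S+))?"
)

def publickey_timeline(log_text, year=2013):
    """Group publickey events by sshd PID (one PID per connection)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a publickey authentication line
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions[m["pid"]].append((ts, m["event"], m["key"]))
    return sessions

def summarize(events):
    """Keys rejected before success, accepted key, seconds from first event to accept."""
    rejected = [key for _, ev, key in events if ev == "Failed" and key]
    accepted = [(ts, key) for ts, ev, key in events if ev == "Accepted"]
    if not accepted:
        return {"rejected": rejected, "accepted": None, "delay_s": None}
    ts_ok, key_ok = accepted[0]
    delay = (ts_ok - events[0][0]).total_seconds()
    return {"rejected": rejected, "accepted": key_ok, "delay_s": delay}

if __name__ == "__main__":
    for pid, events in publickey_timeline(SAMPLE_LOG).items():
        print(pid, summarize(events))
```

A session whose `rejected` list is non-empty and whose `delay_s` is several seconds matches the pattern in the thread: the client offered another key from the card before the one listed in authorized_keys.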

