VanDyke Software Forums


jdev 10-17-2018 01:12 PM

FAQ: What's causing delay/hang/timeout when I attempt SSH2 connections?
If it seems your SSH2 connection attempts are hanging, taking a really long time, or timing out completely, it could be that SecureCRT is configured to attempt GSSAPI authentication or Kerberos key exchange in an environment where GSSAPI/Kerberos is not possible between your machine and the SSH2 host you're trying to reach.

To troubleshoot most connection issues, turn on Trace Options (File > Trace Options) and try to establish the SSH connection again. You can view the Trace Options Debug Logging video for info about how to create a debug/troubleshooting log:

If your Trace Options output includes anything resembling the following pattern, it's likely that the delay/hang/timeouts are being caused by your SecureCRT configuration:

[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@<host_you_are_trying_to_reach>
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.

The above pattern is likely to be repeated for each GSS/Kerberos provider available on your system, which would explain the delays/timeouts you see while SecureCRT is attempting to establish a connection to the SSH server.

To resolve the problem, you can simply disable all GSSAPI and Kerberos related "Authentication" and "Key Exchange" methods in the SSH2 category of your Session Options as shown in the graphics below.



You can employ the power of editing the Default session to make these changes to all of your existing and future sessions. Here are some links to a tip and a video that provide more details about using the Default session to make mass changes to multiple sessions:
Note: For a "change" to be applied to all other sessions, the Default session option/field you're targeting must actually be modified from its current value. This means that if the Authentication and Key Exchange fields in your Default session are *already* set how you want them (with GSSAPI auth and all the Kerberos kex methods disabled), you must first change the Default session's Authentication and Key Exchange methods to enable one or more of them (and apply that "change" to just the Default session), and then edit the Default session again to disable the GSSAPI Authentication and Kerberos-related Key Exchange entries (and apply that "change" to ALL of your existing sessions).
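
Added example (not part of the original FAQ and not VanDyke code): a Python script that scans saved Trace Options output for the GSS pattern quoted above and counts InitializeSecurityContext() failures per bracketed label, so you can see how many failed GSS attempts preceded the delay. The sample trace is constructed from the three lines in the post; the host name, the "unrelated" line and the function name summarize_gss_failures are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample modeled on the trace lines quoted in the FAQ.
# Host name and the "unrelated" line are placeholders, not real SecureCRT output.
SAMPLE_TRACE = """\
[LOCAL] : (unrelated trace output, constructed placeholder)
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@server.example.com
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@server.example.com
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
"""

GSS_LINE = re.compile(r"^\[LOCAL\]\s*:\s*GSS\s*:\s*(?P<msg>.*)$")
SPN = re.compile(r"^\[(?P<label>.+?)\]\s*SPN\s*:\s*(?P<spn>\S+)")
FAILED = re.compile(r"^\[(?P<label>.+?)\]\s*InitializeSecurityContext\(\) failed")


def summarize_gss_failures(trace_text):
    """Summarize GSS attempts and failures found in Trace Options text."""
    attempts = 0
    spns = set()
    failures = Counter()
    for line in trace_text.splitlines():
        m = GSS_LINE.match(line.strip())
        if not m:
            continue  # not a GSS trace line
        msg = m.group("msg")
        if msg.startswith("Requesting full delegation"):
            attempts += 1
        elif (s := SPN.match(msg)):
            spns.add(s.group("spn"))
        elif (f := FAILED.match(msg)):
            failures[f.group("label")] += 1
    return {
        "attempts": attempts,
        "spns": sorted(spns),
        "failures": dict(failures),
        # Per the FAQ: any occurrence of the failure pattern points at the
        # GSSAPI/Kerberos settings as the likely cause of the delay.
        "gss_likely_cause": bool(failures),
    }


if __name__ == "__main__":
    print(summarize_gss_failures(SAMPLE_TRACE))
```
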
