Technology
From the Trenches

Speeding up Slow SSH Between Solaris & Mac OS X

Thursday, February 18th, 2010

For the past few years I’ve suffered this seemingly random problem when connecting to a Solaris or Mac OS X server via SSH: the connection would take forever to negotiate. It would connect, exchange keys, but then pause for up to a minute, plus or minus eternity, before proceeding with authentication. I finally took some time to figure out how to make it go away. Here’s what I did.

The problem seems to be related to forward and/or reverse DNS lookups. A large number of IP addresses given out on the networks that I connect from do not have proper name entries in the network owner’s DNS. By default, both Solaris and Mac OS X Server try to look up DNS names before proceeding with authentication. Luckily, that behavior is easy to turn off.

On Solaris

Sun’s /etc/ssh/sshd_config file can have these options for disabling the time-wasting DNS lookup behavior:


LookupClientHostnames no
VerifyReverseMapping no

On Mac OS X Server

Apple deploys OpenSSH, and its /etc/sshd_config file can include this option:

UseDNS no

Update your sshd_config files with these options, or ask your sysadmin to do it for you, and you’ll be connecting instantly.
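A check worth running before making this change, as an added example that is not part of the original post: with DNS lookups off, sshd only knows the client's address, so OpenSSH Match Host rules (and from= restrictions in authorized_keys) written with hostnames stop matching. The script assumes OpenSSH parsing rules; the function names and the sample config are constructed for illustration.

```shell
# Added example, not from the original post. Assumes OpenSSH parsing rules:
# case-insensitive keywords, first occurrence wins, globals end at first Match.

# effective_value FILE KEYWORD: global value of KEYWORD, or "default".
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "default" }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key && n >= 2 { val = tolower(f[2]); exit }
        END { print val }
    ' "$1"
}

# hostname_match_patterns FILE: Match Host patterns that are DNS names.
# With lookups off sshd only knows the client IP, so they stop matching.
hostname_match_patterns() {
    awk '
        tolower($1) != "match" { next }
        {
            for (i = 2; i < NF; i++) {
                if (tolower($i) != "host") continue
                n = split($(i + 1), pats, ",")
                for (j = 1; j <= n; j++) {
                    p = pats[j]; sub(/^!/, "", p)
                    # Letters and no ":" means a name, not IPv4/IPv6.
                    if (p ~ /[A-Za-z]/ && p !~ /:/) print p
                }
            }
        }
    ' "$1"
}

# dns_audit FILE: report; return 1 if UseDNS is off but names are in use.
dns_audit() {
    usedns=$(effective_value "$1" UseDNS)
    names=$(hostname_match_patterns "$1" | tr '\n' ' ')
    echo "UseDNS: $usedns"
    [ "$usedns" = "no" ] && [ -n "$names" ] || return 0
    echo "warning: hostname Match Host patterns will not match: $names"
    return 1
}

# Constructed sample config (hypothetical hosts), then a demo run.
sample_config() { printf '%s\n' '# constructed sample' 'usedns NO' 'UseDNS yes' \
    'Match User backup Host *.corp.example,10.1.2.*' '    PasswordAuthentication no'; }
tmp=$(mktemp) && sample_config > "$tmp" && { dns_audit "$tmp" || true; }; rm -f "$tmp"
```

To check a real server, call dns_audit with the path to its sshd_config; effective_value also accepts the Solaris keywords shown above, though applying the first-occurrence rule to Sun's sshd is an assumption.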


Using Screen Sharing (VNC) Over SSH on OSX

Monday, July 6th, 2009

Tunneling VNC over SSH has several benefits. For one, if you are using a non-Mac version of VNC, your traffic is probably going over the network unencrypted. By default, the Mac VNC client encrypts keystrokes, including the login.


Another benefit of using VNC over SSH is that your client Mac may be behind a firewall, which you cannot reach directly. If there is some other host, like maybe the firewall itself, which you can SSH to, then you can use SSH port forwarding to “bounce” your VNC session off of that host and connect from there to your client Mac.

This procedure assumes that the remote Mac has SSH (“Remote Login” in Sharing Preferences) enabled, and you can log in with it. Suppose that you want to connect to remote.host.com with VNC and your user account on that machine is remoteuser. Open Terminal, and issue the command:

$ ssh -L 5901:remote.host.com:5900 remoteuser@remote.host.com

Log in at the prompt. Once you’ve logged in, your SSH tunnel is set up. Now simply connect to vnc://localhost:5901 (via Finder -> Go -> Connect to Server), and your VNC traffic will be automagically transported over a secure SSH tunnel to the remote host, and you should get a VNC login prompt.

[Screenshots: Connect with VNC; VNC Login Screen]

If remote.host.com is behind a firewall that is preventing access via SSH, but you can access another host via SSH, and that host can access remote.host.com via SSH, then you can forward your traffic through the accessible host. Suppose that host is called dmz.host.com. Run:

$ ssh -L 5901:remote.host.com:5900 remoteuser@dmz.host.com

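Log in to dmz.host.com, and now when you connect to vnc://localhost:5901, your network traffic will go through an SSH tunnel to dmz.host.com, and will be forwarded from there to remote.host.com. Only the leg to dmz.host.com is inside the SSH tunnel; the connection from dmz.host.com to port 5900 on remote.host.com is an ordinary TCP connection. Isn’t SSH wonderful?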
