SSH connection slow. Is UsePAM=no safe?

[grixm]

Every time I tried to log on to ssh on my rock-s0 with armbian, there would be a delay of like 5 seconds. I found a solution that fixes this problem. This thread is partly a PSA about this solution, and a question about whether this solution is a good idea or not.

The trick is to change UsePAM=yes , to UsePAM=no , in the /etc/ssh/sshd_config file.

But I heard some people online say this is a bad idea, but I don't understand PAM enough to know why. I am only going to use ssh in a basic password-authenticated, LAN environment. Do I really need PAM? The only side-effect I noticed is that it no longer shows the MOTD when logging in. 

[laibsch]

I don't think I can condone changing a very, very security-relevant part of your setup without fully understanding its implications.  So, it's good you ask here.  I can't answer it off the top of my hat, but maybe somebody else can chime in.  I don't think I would bother for the sake of 5 seconds.  Are you logging in and out all the time?

 

By the way, PAM is short for pluggable authentication module, so you are disabling an authentication mechanism.

[grixm]

Thanks for the reply @laibsch . I looked for alternative solutions and it seems to be possible to only disable certain parts of PAM instead of the whole thing.

 

Specifically it seems like the armbian dynamic MOTD is the biggest part of the problem. I opened /etc/pam.d/sshd , and commented out these lines to disable the motd:

session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

And rebooted.
This drastically improved the speed, from 5 seconds to around 2-3 seconds on first login and 1 second on subsequent logins. Still pretty bad though, what is there that needs to take one whole second or more to do to open a simple shell connection?

 

 

[ccs1664]

I have a ssh connection with my TV BOX (it is a AMLOGIC with S912), in my etc/ssh/sshd_config
I have "UsePAM yes" and without any delay for connection, and probably it was not the problem  of your delay in the start connection.
In addition, I installed a vnc service to work remotely using the graphical interface.  
Either ssh  and vnc Viewer (xtightvncviewer in my Debian Desktop) run pretty well. Please, check your basic network services,
as well, fix  the IP in the TV BOX.  In my case I did  some adjusts such:

cat /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.15.22
    netmask 255.255.255.0
    gateway 192.168.15.1
    dns-nameservers 8.8.8.8 1.1.1.1

There are some network services that can be impling in your delay by ssh (it is robust, old and fast application of Linux)

I hope to help you too.