Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
herzogk
Staff & Editor
Staff & Editor

Created on ‎05-28-2025 07:31 AM Edited on ‎05-28-2025 11:52 PM By Community Manager

Article Id 393996

Troubleshooting Tip: SSH admin sessions slow login

Description This article describes an issue with slow login behavior on administrator SSH connections.
Scope FortiOS v7.2.11, v7.4.7, and v7.6.1.
Solution

For smaller sized FortiGate Units such as 40F, 60F, and 100F, after upgrading to firmware FortiOS versions v7.2.11, v7.4.7, and v7.6.1, a delay may be noticed when logging in as an administrator via SSH. This is caused by a change in the backend of the SSH daemon.

 

It is because of the enhancement of the password hashing scheme from SHA256 to PBKDF2: Enhanced administrator password security 7.6.1

It requires more CPU cycles to process the Hash. This hashing operation may take significantly longer than earlier firmware versions, depending on the FortiGate's CPU resources.

 

The average delay noticed for the SSH admin login is roughly 7 - 10 seconds.

 

This can be observed in the SSH daemon debug. For example:

 

2025-05-25 12:32:56 SSH: userauth_finish: failure partial=0 next methods="public key,password"
2025-05-25 12:33:16 SSH: Received SSH2_MSG_IGNORE
2025-05-25 12:33:16 SSH: userauth-request for user test service ssh-connection method password
2025-05-25 12:33:16 SSH: attempt 1 failures 0
2025-05-25 12:33:16 SSH: input_userauth_request: try method password          <--- Start of delay.
2025-05-25 12:33:21 SSH: server_input_channel_req: channel 0 request window-change reply 0 
2025-05-25 12:33:21 SSH: session_by_channel: session 0 channel 0
2025-05-25 12:33:21 SSH: session_input_channel_req: session 0 req window-change
2025-05-25 12:33:23 SSH: Accepted password for fortinet from 1.2.3.4 port 56789 ssh2 <--- End of 7        second delay.

 

This has been corrected in firmware release 7.4.8 and will be corrected in future release v7.6.4. After installing the corrected firmware, the issue should be resolved. Example output will look as follows, with no delay in timestamps:

 

2025-05-28 05:22:38 SSH: Unrecognized authentication method name: none
2025-05-28 05:22:38 SSH: userauth_finish: failure partial=0 next methods="publickey,password"
2025-05-28 05:22:38 SSH: userauth-request for user fortinet service ssh-connection method password
2025-05-28 05:22:38 SSH: attempt 1 failures 0
2025-05-28 05:22:38 SSH: input_userauth_request: try method password
2025-05-28 05:22:39 SSH: Accepted password for fortinet from 1.2.3.4 port 56789 ssh2

 

Note:
It has already been confirmed that this fix will not be released to the v7.2 branch.
413
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.