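How to fix slow SSH logins
Fixes for slow SSH logins
When you connect to a Linux server with an SSH client (for example PuTTY), you may wait 10-30 seconds before the password prompt appears, which seriously hurts productivity. If only the login is slow and the session runs at normal speed once you are in, there are two main possible causes: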
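1. Reverse DNS lookups
When a user logs in, OpenSSH verifies the client's IP address: it uses reverse DNS to find the host name for the IP, then uses forward DNS to resolve that name back to an IP address, and finally checks that the result matches the IP the login came from. If the client's IP has no DNS name, or the DNS server is slow or unreachable, the login takes a long time.
Fix: on the target server, edit the sshd server-side configuration and restart sshd:
vi /etc/ssh/sshd_config
UseDNS no
With UseDNS no, sshd matches only IP addresses, not host names, in authorized_keys from= options and Match Host directives.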
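2. Disable SSH GSSAPI authentication
Running ssh -v user@server shows messages like these during login:
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Note: ssh -vvv user@server shows more detailed debug output.
Fix:
Disable GSSAPI authentication in the SSH configuration. The file edited here, /etc/ssh/ssh_config, is the client-side configuration, so the change is made on the machine you connect from:
vi /etc/ssh/ssh_config
GSSAPIAuthentication no
For a single connection, you can instead log in with:
ssh -o GSSAPIAuthentication=no user@server
GSSAPI (Generic Security Services Application Programming Interface) is a generic network security interface similar to Kerberos 5. It wraps the various client/server security mechanisms behind one interface, hiding their differences and making them easier to program against. However, it runs into problems when the target machine has no DNS name resolution.
Tracing the client with strace shows that after verifying the key, ssh moves on to gssapi-with-mic authentication, at which point it first contacts the DNS server; only after that does it carry on with the remaining steps.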
[root@192-168-3-40 ~]# ssh -vvv root@192.168.3.44
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.3.44 [192.168.3.44] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 1005
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 1149
debug3: check_host_in_hostfile: host 192.168.3.44 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: host 192.168.3.44 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 8
debug1: Host '192.168.3.44' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:8
debug2: bits set: 527/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1165
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1213
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug3: Wrote 64 bytes for a total of 1277
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.3.44.
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@192.168.3.44's password:
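The debug output above carries no timestamps, so it does not show which step the wait happens in. The script below is an added example, not part of the original article: it timestamps each line of ssh -v output as it arrives and reports the line that preceded the longest pause. The function names stamp, slowest_step and classify are hypothetical, the sample log is constructed, and the mapping of a non-GSSAPI stall to UseDNS is a heuristic based on the two causes listed above.

```shell
#!/bin/sh
# Added example: find the step where an SSH login stalls.
# Live use (BatchMode=yes stops ssh from waiting at a password prompt,
# which would otherwise show up as the longest pause):
#   ssh -v -o BatchMode=yes user@server 2>&1 | stamp | slowest_step

# stamp: prefix every stdin line with the epoch second at which it arrived.
stamp() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s)" "$line"
    done
}

# slowest_step: read "EPOCH text" lines and print "<gap-seconds> <text>",
# where <text> is the line that was followed by the longest pause.
slowest_step() {
    awk '
        NR > 1 && $1 - prev_t > max { max = $1 - prev_t; at = prev_line }
        { prev_t = $1; prev_line = substr($0, index($0, " ") + 1) }
        END { printf "%d %s\n", max, at }
    '
}

# classify: heuristic mapping of the stalled line to the article's two causes.
classify() {
    case "$1" in
        *gssapi*|*"reverse map"*) echo "gssapi" ;;  # try GSSAPIAuthentication no
        *)                        echo "other"  ;;  # check UseDNS and the server's resolver
    esac
}

# Constructed sample: a 12-second pause after GSSAPI authentication starts.
SAMPLE='1700000000 debug1: Connection established.
1700000000 debug1: SSH2_MSG_SERVICE_ACCEPT received
1700000001 debug1: Next authentication method: gssapi-with-mic
1700000013 debug1: Unspecified GSS failure.  Minor code may provide more information
1700000013 debug1: Next authentication method: publickey'

result=$(printf '%s\n' "$SAMPLE" | slowest_step)
printf 'longest pause: %s\n' "$result"
printf 'likely cause:  %s\n' "$(classify "$result")"
```

If the longest pause is not at a GSSAPI line, the delay is on the server side of the exchange, which is where the UseDNS lookup from cause 1 takes place.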