A brief fix for slow SSH logins on CentOS 7


1. First, use ssh to debug the sshd service; it prints the following output:

[[email protected] ~]# ssh -v [email protected]

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 56: Applying options for *

debug1: Connecting to 192.168.1.131 [192.168.1.131] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: SELinux support enabled

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_rsa-cert type -1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: identity file /root/.ssh/id_dsa-cert type -1

debug1: identity file /root/.ssh/id_ecdsa type -1

debug1: identity file /root/.ssh/id_ecdsa-cert type -1

debug1: identity file /root/.ssh/id_ed25519 type -1

debug1: identity file /root/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1

debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr [email protected] none

debug1: kex: client->server aes128-ctr [email protected] none

debug1: kex: [email protected] need=16 dh_need=16

debug1: kex: [email protected] need=16 dh_need=16

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA 14:ec:5c:f5:36:8b:30:f1:9d:50:4c:41:01:f2:ef:5a

The authenticity of host '192.168.1.131 (192.168.1.131)' can't be established.

ECDSA key fingerprint is 14:ec:5c:f5:36:8b:30:f1:9d:50:4c:41:01:f2:ef:5a.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.1.131' (ECDSA) to the list of known hosts.

debug1: ssh_ecdsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Next authentication method: gssapi-keyex

debug1: No valid Key exchange context

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure.  Minor code may provide more information

No Kerberos credentials available


debug1: Unspecified GSS failure.  Minor code may provide more information

No Kerberos credentials available


debug1: Unspecified GSS failure.  Minor code may provide more information



debug1: Unspecified GSS failure.  Minor code may provide more information

No Kerberos credentials available


debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/id_rsa

debug1: Trying private key: /root/.ssh/id_dsa

debug1: Trying private key: /root/.ssh/id_ecdsa

debug1: Trying private key: /root/.ssh/id_ed25519

debug1: Next authentication method: password

[email protected]'s password: 

debug1: Authentication succeeded (password).

Authenticated to 192.168.1.131 ([192.168.1.131]:22).

debug1: channel 0: new [client-session]

debug1: Requesting [email protected]

debug1: Entering interactive session.

debug1: Sending environment.

debug1: Sending env LANG = en_US.UTF-8

Last login: Fri Apr  1 09:13:02 2016 from 192.168.1.197


Edit the sshd configuration file /etc/ssh/sshd_config: set UseDNS to no and set GSSAPIAuthentication to no.

[[email protected] ~]# egrep -i 'UseDNS|GSSAPIAuthentication' /etc/ssh/sshd_config

GSSAPIAuthentication no

UseDNS no


Below is the debug output after modifying the sshd configuration file (quite a bit less output, isn't it):

[[email protected] ~]# ssh -v [email protected]

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 56: Applying options for *

debug1: Connecting to 192.168.1.131 [192.168.1.131] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_rsa-cert type -1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: identity file /root/.ssh/id_dsa-cert type -1

debug1: identity file /root/.ssh/id_ecdsa type -1

debug1: identity file /root/.ssh/id_ecdsa-cert type -1

debug1: identity file /root/.ssh/id_ed25519 type -1

debug1: identity file /root/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1

debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr [email protected] none

debug1: kex: client->server aes128-ctr [email protected] none

debug1: kex: [email protected] need=16 dh_need=16

debug1: kex: [email protected] need=16 dh_need=16

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA 14:ec:5c:f5:36:8b:30:f1:9d:50:4c:41:01:f2:ef:5a

debug1: Host '192.168.1.131' is known and matches the ECDSA host key.

debug1: Found key in /root/.ssh/known_hosts:1

debug1: ssh_ecdsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/id_rsa

debug1: Trying private key: /root/.ssh/id_dsa

debug1: Trying private key: /root/.ssh/id_ecdsa

debug1: Trying private key: /root/.ssh/id_ed25519

debug1: Next authentication method: password

[email protected]'s password: 

debug1: Authentication succeeded (password).

Authenticated to 192.168.1.131 ([192.168.1.131]:22).

debug1: channel 0: new [client-session]

debug1: Requesting [email protected]



The following is a short explanation of the two options, UseDNS and GSSAPIAuthentication:

UseDNS no

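When a user logs in, OpenSSH validates the client IP: it performs a reverse DNS lookup on the user's IP to find the hostname, then a forward DNS lookup on that hostname to find the IP address, and finally checks whether the login IP matches and is legitimate. If the client's IP has no domain name, or the DNS server is slow or unreachable, the login takes a long time.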

GSSAPIAuthentication no

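You can log in with ssh -o GSSAPIAuthentication=no [email protected]

GSSAPI (Generic Security Services Application Programming Interface) is a generic network security system interface similar to Kerberos 5. The interface wraps the various client-server security mechanisms in order to hide the differences between security interfaces and reduce programming difficulty. However, the interface has problems when the target machine has no name resolution. Looking at it with strace shows that after ssh finishes verifying the key it performs authentication gssapi-with-mic, at which point it first connects to the DNS server, and only after that carries out the other operations.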
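The egrep check above also matches commented-out lines and cannot tell which of two conflicting lines takes effect. As an added example (not from the original post), the shell function below reports the value sshd would use from the global section of a config file; the function names, the sample config and the defaults passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Report the value sshd would use globally for a keyword in sshd_config text:
# keywords are case-insensitive, the first value obtained wins, and anything
# after a "Match" line applies only to matching connections.

sshd_effective() {   # $1 keyword, $2 built-in default (caller's assumption), $3 file
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/=/, " ") }                       # tolerate "Keyword=value"
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$3"
}

write_sample() {     # constructed sample config, written to path $1
    cat > "$1" <<'EOF'
#UseDNS yes
GSSAPIAuthentication yes
  usedns NO
# appended later by an admin; ignored because the first value above wins
GSSAPIAuthentication no
Match Address 192.168.1.0/24
    GSSAPIAuthentication no
EOF
}

report() {           # $1 file; one "keyword value" line per directive
    # Defaults assumed for the OpenSSH_6.6.1 seen in the page's output.
    echo "usedns $(sshd_effective UseDNS yes "$1")"
    echo "gssapiauthentication $(sshd_effective GSSAPIAuthentication no "$1")"
}

sample=$(mktemp)
write_sample "$sample"
report "$sample"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration, and sshd has to be restarted (for example with `systemctl restart sshd`) before an edited file takes effect. With UseDNS set to no, only addresses, not hostnames, can be used in `from=` restrictions in authorized_keys and in `Match Host` blocks.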


This article comes from the "放牛娃" blog; please be sure to keep this source attribution: http://fangniuwa.blog.51cto.com/10209030/1759402
