SSH Connection Super Slow resolution

Source: Internet
Author: User
Tags: hmac, reverse dns

One of the Linux servers I manage is extremely slow to log in to over SSH: a login takes tens of seconds. None of the other servers have this problem. Normally I just put up with it silently, but today I decided to find out what the cause is. After reading a little about slow SSH logins, I learned how to analyze and verify the reasons for the slowness.

There are two common reasons for a slow SSH login: a DNS reverse resolution problem, and SSH GSSAPI authentication.

1: SSH GSSAPI authentication problem

GSSAPI (Generic Security Services Application Programming Interface) is a generic network security service interface, similar in purpose to Kerberos 5. It wraps the different client/server security mechanisms behind one interface, so that programmers do not have to deal with each mechanism's own API. However, GSSAPI authentication becomes a problem when the target machine cannot be resolved by DNS.

By default, GSSAPIAuthentication is enabled on both the server side and the client side. If DNS is not working, the login process waits until the DNS query times out before it can continue, which is why the SSH login prompt takes so long to appear. Why does the SSH login use DNS at all? Because the GSSAPI authentication method needs it: the Kerberos mechanism resolves the server's name in order to build the service principal it authenticates to.

Therefore, setting GSSAPIAuthentication no in /etc/ssh/sshd_config (server side) or /etc/ssh/ssh_config (client side) resolves the slow login caused by GSSAPI.

2: DNS reverse resolution problem

When a user logs in, OpenSSH verifies the client IP address: it uses reverse DNS to look up the hostname for the client's IP, then resolves that hostname back to an IP address with a forward DNS lookup, and finally checks that the login IP matches. If the client's IP has no PTR record, or if the DNS server is slow or unreachable, the login takes a long time.

Problem analysis:

First, you can add the -v parameter to the ssh command to output debug information and locate the problem. The specific command is ssh -v user@host:

[root@<client> ~]# ssh -v <user>@192.168.xxx.xxx
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.xxx.xxx [192.168.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host '192.168.xxx.xxx (192.168.xxx.xxx)' can't be established.
RSA key fingerprint is 04:08:57:22:7e:8d:dc:d3:8e:91:20:d0:ba:d9:ed:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.xxx.xxx' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Sun Sep 6 08:30:47 from 192.168.7.222

The output above shows several "Unspecified GSS failure" messages, so I set GSSAPIAuthentication no in /etc/ssh/sshd_config (server side) and /etc/ssh/ssh_config (client side), restarted the sshd service, and tested again. SSH login was still slow.

[root@<server> ~]# service sshd status
openssh-daemon (pid 3594) is running...
[root@<server> ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

So the cause should be the DNS reverse resolution problem. There are several workarounds for it:

1: Add the commonly used client IP addresses and hostnames to the /etc/hosts file on the server, and check in /etc/nsswitch.conf that the hosts file is consulted before DNS (hosts: files dns).

2: Set UseDNS no in the /etc/ssh/sshd_config file on the server (add the line if it is missing), then restart the sshd service.

I set UseDNS no in /etc/ssh/sshd_config, restarted the sshd service, and tested the SSH connection speed again. Sure enough, the connection was now fast. So the main problem was DNS reverse resolution.
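The following script is an added example, not part of the original post: it reads the two sshd_config keywords discussed above the way sshd does (first occurrence wins, keywords are case-insensitive, "Key value" or "Key=value" both count) and times the reverse lookup sshd performs for a client address. It assumes POSIX sh, awk, tr and getent, and takes the config path and an optional client IP as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, awk, tr, getent
# and a readable sshd_config path passed as the first argument.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, so later duplicates are ignored; keywords are
# case-insensitive and may be written "Key value" or "Key=value". Keywords
# inside Match blocks are conditional, so parsing stops at the first Match.
sshd_option() {
    so_cfg="$1"; so_key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); so_default="$3"
    so_val=$(awk -v k="$so_key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == k) { print tolower(f[2]); exit }
        }' "$so_cfg")
    printf '%s\n' "${so_val:-$so_default}"
}

# Report whether this sshd will block on DNS during login. The defaults used
# here are those of the OpenSSH 4.x era discussed on the page (UseDNS only
# defaults to "no" from OpenSSH 6.8 onward). Returns 0 when neither slow
# path is enabled, 1 otherwise.
dns_blocking_login() {
    dbl_g=$(sshd_option "$1" GSSAPIAuthentication no)
    dbl_u=$(sshd_option "$1" UseDNS yes)
    echo "GSSAPIAuthentication=$dbl_g UseDNS=$dbl_u"
    if [ "$dbl_g" = no ] && [ "$dbl_u" = no ]; then return 0; fi
    return 1
}

# Time the PTR lookup sshd performs for a client address (needs a resolver).
# A missing PTR record or an unreachable DNS server shows up here as the delay.
time_reverse_lookup() {
    trl_start=$(date +%s)
    getent hosts "$1" >/dev/null 2>&1 || echo "no PTR record for $1"
    echo "reverse lookup of $1 took $(( $(date +%s) - trl_start ))s"
}

# Usage: sh check_sshd_dns.sh /etc/ssh/sshd_config 192.168.7.222
if [ -n "$1" ]; then
    dns_blocking_login "$1" && echo "login does not wait on DNS" \
        || echo "login may wait on DNS; set GSSAPIAuthentication no and UseDNS no"
    if [ -n "$2" ]; then time_reverse_lookup "$2"; fi
fi
```

With UseDNS no, sshd only knows the client's IP address, so hostname patterns in authorized_keys from= options and in AllowUsers/DenyUsers no longer match; use address patterns there instead.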

