[Repost] SSH login is slow: solution
When you use an SSH client (such as PuTTY) to connect to a Linux server, it may take 10-30 seconds before the password prompt appears, which seriously affects work efficiency. Only the login itself is slow; once logged in, the session runs at normal speed. There are two possible causes:
1. Reverse DNS resolution problems
OpenSSH verifies the client's IP address at login. It performs a reverse DNS lookup to find the host name for the client's IP address, then a forward DNS lookup on that host name, and finally checks that the resulting IP address matches the one the client connected from. If the client's IP address has no domain name, or the DNS server is slow or unreachable, the login takes a long time.
Solution: modify the sshd configuration on the target server and restart sshd.
- vi /etc/ssh/sshd_config
- UseDNS no
2. Disable GSSAPI authentication for ssh
Run ssh -v user@server; the following lines appear during login:
- debug1: Next authentication method: gssapi-with-mic
- debug1: Unspecified GSS failure. Minor code may provide more information
Note: ssh -vvv user@server shows more detailed debug information.
Solution:
Modify the ssh client configuration (ssh_config, not sshd_config):
- vi /etc/ssh/ssh_config
- GSSAPIAuthentication no
Alternatively, log in with ssh -o GSSAPIAuthentication=no user@server.
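After editing either file, it is worth confirming that the new line is the one OpenSSH will actually use, because OpenSSH keeps the first value it obtains for each keyword. The script below is an added example, not part of the original article; the function names `effective_value` and `check_slow_login` and the sample files are constructed for illustration, and it deliberately skips Match blocks and non-wildcard Host blocks.

```shell
#!/bin/sh
# Added example (not from the original article).
# OpenSSH uses the FIRST value it obtains for a keyword, so this prints the
# first applicable setting in FILE, or "unset" if the built-in default applies.
# Assumption/simplification: only global lines and "Host *" blocks count;
# other Host blocks and every Match block are skipped.
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v active=1 -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {   # accept both "Keyword value" and "Keyword=value"
            match($0, /^[^ \t=]+/)
            key = tolower(substr($0, 1, RLENGTH))
            val = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
        }
        key == "match" { active = 0; next }
        key == "host"  { active = ((" " val " ") ~ / \* /); next }
        key == want && active { print tolower(val); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Report the two settings the article changes; returns 1 if either is not "no".
check_slow_login() {  # usage: check_slow_login SSHD_CONFIG SSH_CONFIG
    rc=0
    v=$(effective_value "$1" UseDNS)
    [ "$v" = no ] || { echo "$1: UseDNS is $v, expected no"; rc=1; }
    v=$(effective_value "$2" GSSAPIAuthentication)
    [ "$v" = no ] || { echo "$2: GSSAPIAuthentication is $v, expected no"; rc=1; }
    return $rc
}

# Constructed sample files (not real configs): the fix was appended after
# an existing "yes" line, so it has no effect.
demo_dir=$(mktemp -d)
printf 'Port 22\nUseDNS yes\n#UseDNS no\nUseDNS no\n' > "$demo_dir/sshd_config"
printf 'Host *\n\tGSSAPIAuthentication yes\n\tGSSAPIAuthentication=no\n' \
    > "$demo_dir/ssh_config"
check_slow_login "$demo_dir/sshd_config" "$demo_dir/ssh_config" || true
rm -rf "$demo_dir"
```

On a live server, `sshd -T` prints the configuration sshd resolves for itself and is the authoritative check; the script is for reviewing files offline.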
GSSAPI (Generic Security Services Application Programming Interface) is a set of generic network security system interfaces similar to Kerberos 5. It wraps the different client-server security mechanisms behind a single interface, which removes the differences between security interfaces and reduces programming difficulty. However, this interface may cause problems when the target machine does not have domain name resolution.
Tracing the client with strace shows that, after the host key is verified, ssh attempts gssapi-with-mic authentication. At that point it first connects to the DNS server, and only afterwards carries out the other operations.
- [root@192-168-3-40 ~]# ssh -vvv root@192.168.3.44
- OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
- debug1: Reading configuration data /etc/ssh/ssh_config
- debug1: Applying options for *
- debug2: ssh_connect: needpriv 0
- debug1: Connecting to 192.168.3.44 [192.168.3.44] port 22.
- debug1: Connection established.
- debug1: permanently_set_uid: 0/0
- debug1: identity file /root/.ssh/identity type -1
- debug1: identity file /root/.ssh/identity-cert type -1
- debug1: identity file /root/.ssh/id_rsa type -1
- debug1: identity file /root/.ssh/id_rsa-cert type -1
- debug1: identity file /root/.ssh/id_dsa type -1
- debug1: identity file /root/.ssh/id_dsa-cert type -1
- debug1: identity file /root/.ssh/id_ecdsa type -1
- debug1: identity file /root/.ssh/id_ecdsa-cert type -1
- debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
- debug1: match: OpenSSH_5.3 pat OpenSSH*
- debug1: Enabling compatibility mode for protocol 2.0
- debug1: Local version string SSH-2.0-OpenSSH_5.3
- debug2: fd 3 setting O_NONBLOCK
- debug1: SSH2_MSG_KEXINIT sent
- debug3: Wrote 960 bytes for a total of 981
- debug1: SSH2_MSG_KEXINIT received
- debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
- debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
- debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
- debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
- debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
- debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
- debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
- debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
- debug2: kex_parse_kexinit:
- debug2: kex_parse_kexinit:
- debug2: kex_parse_kexinit: first_kex_follows 0
- debug2: kex_parse_kexinit: reserved 0
- debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
- debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
- debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
- debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
- debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
- debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
- debug2: kex_parse_kexinit: none,zlib@openssh.com
- debug2: kex_parse_kexinit: none,zlib@openssh.com
- debug2: kex_parse_kexinit:
- debug2: kex_parse_kexinit:
- debug2: kex_parse_kexinit: first_kex_follows 0
- debug2: kex_parse_kexinit: reserved 0
- debug2: mac_setup: found hmac-md5
- debug1: kex: server->client aes128-ctr hmac-md5 none
- debug2: mac_setup: found hmac-md5
- debug1: kex: client->server aes128-ctr hmac-md5 none
- debug1: SSH2_MSG_KEX_DH_GEX_REQUEST (1024 <1024) sent
- debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
- debug3: Wrote 24 bytes for a total of 1005
- debug2: dh_gen_key: priv key bits set: 120/256
- debug2: bits set: 506/1024
- debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
- debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
- debug3: Wrote 144 bytes for a total of 1149
- debug3: check_host_in_hostfile: host 192.168.3.44 filename /root/.ssh/known_hosts
- debug3: check_host_in_hostfile: host 192.168.3.44 filename /root/.ssh/known_hosts
- debug3: check_host_in_hostfile: match line 8
- debug1: Host '192.168.3.44' is known and matches the RSA host key.
- debug1: Found key in /root/.ssh/known_hosts:8
- debug2: bits set: 527/1024
- debug1: ssh_rsa_verify: signature correct
- debug2: kex_derive_keys
- debug2: set_newkeys: mode 1
- debug1: SSH2_MSG_NEWKEYS sent
- debug1: expecting SSH2_MSG_NEWKEYS
- debug3: Wrote 16 bytes for a total of 1165
- debug2: set_newkeys: mode 0
- debug1: SSH2_MSG_NEWKEYS received
- debug1: SSH2_MSG_SERVICE_REQUEST sent
- debug3: Wrote 48 bytes for a total of 1213
- debug2: service_accept: ssh-userauth
- debug1: SSH2_MSG_SERVICE_ACCEPT received
- debug2: key: /root/.ssh/identity ((nil))
- debug2: key: /root/.ssh/id_rsa ((nil))
- debug2: key: /root/.ssh/id_dsa ((nil))
- debug2: key: /root/.ssh/id_ecdsa ((nil))
- debug3: Wrote 64 bytes for a total of 1277
- debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
- debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
- debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
- debug3: authmethod_lookup gssapi-keyex
- debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
- debug3: authmethod_is_enabled gssapi-keyex
- debug1: Next authentication method: gssapi-keyex
- debug1: No valid Key exchange context
- debug2: we did not send a packet, disable method
- debug3: authmethod_lookup gssapi-with-mic
- debug3: remaining preferred: publickey,keyboard-interactive,password
- debug3: authmethod_is_enabled gssapi-with-mic
- debug1: Next authentication method: gssapi-with-mic
- debug3: Trying to reverse map address 192.168.3.44.
- debug1: Unspecified GSS failure. Minor code may provide more information
- Cannot determine realm for numeric host address
- debug1: Unspecified GSS failure. Minor code may provide more information
- Cannot determine realm for numeric host address
- debug1: Unspecified GSS failure. Minor code may provide more information
- debug1: Unspecified GSS failure. Minor code may provide more information
- Cannot determine realm for numeric host address
- debug2: we did not send a packet, disable method
- debug3: authmethod_lookup publickey
- debug3: remaining preferred: keyboard-interactive,password
- debug3: authmethod_is_enabled publickey
- debug1: Next authentication method: publickey
- debug1: Trying private key: /root/.ssh/identity
- debug3: no such identity: /root/.ssh/identity
- debug1: Trying private key: /root/.ssh/id_rsa
- debug3: no such identity: /root/.ssh/id_rsa
- debug1: Trying private key: /root/.ssh/id_dsa
- debug3: no such identity: /root/.ssh/id_dsa
- debug1: Trying private key: /root/.ssh/id_ecdsa
- debug3: no such identity: /root/.ssh/id_ecdsa
- debug2: we did not send a packet, disable method
- debug3: authmethod_lookup password
- debug3: remaining preferred: ,password
- debug3: authmethod_is_enabled password
- debug1: Next authentication method: password
- root@192.168.3.44's password:
This article is reproduced from: https://blog.linuxeye.com/420.html