Solve the problem of slow SSH connection in linux
Currently, SSH remote connection is generally used to connect to a linux server. I recently installed a new server and found that telnet is fast, ping is normal, but SSH connection is slow. There are several reasons for the query:
1. The SERVER's SSHD will go to the DNS to find the HOSTNAME of the accessed client ip address. If the DNS is unavailable or there is no relevant record, it will take some time.
2. In authentication gssapi-with-mic, it sometimes takes some time.
I. Test the specific causes:
1. Use ssh-v host for debugging
# Ssh-v 192.168.100.10
Then a lot of debug messages will be output. The debug information will show where the connection is delayed.
For example, the following information is displayed:
Debug1: Next authentication method: gssapi-with-mic
Debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
2. Check the connection time
# Time ssh root@192.168.100.10 exit
2. solution (we recommend setting one by one because the connection speed is slow for each person ):
Note: After modification, restart the sshd service.
# Service sshd restart
1. Disable reverse DNS resolution
In linux, SSH reverse DNS resolution is enabled by default, which consumes a lot of time and therefore needs to be disabled.
# Vi/etc/ssh/sshd_config
UseDNS = no
In the configuration file, although UseDNS yes is commented out, the default switch is yes.
2. Disable GSS authentication on the SERVER
Authentication gssapi-with-mic may cause problems, so disabling GSS authentication can increase the ssh connection speed.
# Vi/etc/ssh/sshd_config
GSSAPIAuthentication no
3. Modify the nsswitch. conf file on the server.
# Vi/etc/nsswitch. conf
Find
Hosts: files dns
Change
Hosts: files
Hosts: files dns indicates the order in which domain names are resolved for the hosts to be accessed, that is, to first access the file, that is, the/etc/hosts file. If no domain name is recorded in hosts, then, access the dns for domain name resolution. If the dns cannot be accessed, the system will wait until the access times out and return. Therefore, the wait time is long.
Note: If the SERVER needs to access other servers through the domain name, you need to keep this line.
4. Modify the resolv. conf file on the SERVER.
# Vi/etc/resolv. conf
4.1 delete all unused IP addresses.
4.2 Delete All nameservers. The problem can be solved, but the server cannot access the Internet.
4.3 if the SERVER has configured a dual-nic, there will be a line of IP addresses not currently used in this file. Delete this line.
5. Modify the hosts file on the SERVER
Add the Client IP address and HOSTNAME to the/etc/hosts file on the SERVER
6. Open the IgnoreRhosts parameter on the SERVER.
The IgnoreRhosts parameter can ignore records of previously logged-on hosts. Setting it to yes greatly improves the connection speed.
# Vi/etc/ssh/sshd_config
IgnoreRhosts yes
-------------------- The above settings are on the SERVER, the following are set on the CLIENT -----------------------
7. Modify the hosts file of the Client
Add the IP address and domain name of the target SERVER so that the local DNS service can resolve the target address.
# Vi/etc/hosts
192.168.100.11 doiido.com
Note: The hosts file format is 'destination SERVER_IP destination SERVER_NAME '. However, this method has one drawback. If you need to add a domain name resolution for each SERVER.
8. Modify the client configuration file ssh_conf (note that it is not sshd_conf)
# Vi/etc/ssh/ssh_conf
Find
GSSAPIAuthentication yes
Change
GSSAPIAuthentication no