SSH login in Linux slow problem resolution

Source: Internet
Author: User
Tags hmac numeric md5 reserved sha1 ssh reverse dns


Using an SSH client (such as: Putty) to connect to a Linux server may wait 10-30 seconds to prompt for a password. Seriously affect work efficiency. Logon is slow, log on after the normal speed, this situation is mainly for two possible reasons:

1. DNS Reverse resolution problem

OpenSSH when the user log in to authenticate the IP, it is based on the user's IP using reverse DNS to find the host name, and then use DNS to find the IP address, and finally match the IP of the login is legitimate. If the client's IP does not have a domain name, or if the DNS server is slow or not, then the login will take time.
Solution:
Modify the SSHD server-side configuration on the target server and restart sshd

Vi/etc/ssh/sshd_config
Usedns No

2. Turn off SSH's GSSAPI authentication

With Ssh-v User@server you can see the following information when you log in:

Debug1:next Authentication Method:gssapi-with-mic
Debug1:unspecified GSS failure. Minor code may provide more information
Note: SSH-VVV User@server can see more detailed debug information

Solution:
Modifying the SSHD server-side configuration

Vi/etc/ssh/ssh_config
Gssapiauthentication No
You can use Ssh-o gssapiauthentication=no user@server Login

GSSAPI (Generic Security Services application Programming Interface) is a set of common network secure system interfaces similar to Kerberos 5. This interface is an encapsulation of various client server security mechanisms to eliminate the differences in security interfaces and reduce programming difficulty. But the interface is problematic when the target machine has no domain resolution

Using Strace view found that SSH after the verification of key, the authentication gssapi-with-mic, the first to connect to the DNS server, after which there will be other operations

[Root@192-168-3-40 ~]# SSH-VVV root@192.168.3.44
OPENSSH_5.3P1, OpenSSL 1.0.1e-fips Feb 2013
Debug1:reading Configuration Data/etc/ssh/ssh_config
Debug1:applying Options for *
Debug2:ssh_connect:needpriv 0
Debug1:connecting to 192.168.3.44 [192.168.3.44] Port 22.
Debug1:connection established.
debug1:permanently_set_uid:0/0
Debug1:identity file/root/.ssh/identity type-1
Debug1:identity File/root/.ssh/identity-cert type-1
Debug1:identity File/root/.ssh/id_rsa type-1
Debug1:identity File/root/.ssh/id_rsa-cert type-1
Debug1:identity FILE/ROOT/.SSH/ID_DSA type-1
Debug1:identity File/root/.ssh/id_dsa-cert type-1
Debug1:identity FILE/ROOT/.SSH/ID_ECDSA type-1
Debug1:identity File/root/.ssh/id_ecdsa-cert type-1
Debug1:remote Protocol version 2.0, Remote software version openssh_5.3
debug1:match:openssh_5.3 Pat Openssh*
debug1:enabling compatibility Mode for Protocol 2.0
Debug1:local Version string ssh-2.0-openssh_5.3
DEBUG2:FD 3 Setting O_nonblock
Debug1:ssh2_msg_kexinit sent
Debug3:wrote 960 bytes for a total of 981
Debug1:ssh2_msg_kexinit received
DEBUG2:KEX_PARSE_KEXINIT:DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256,DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1, Diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Debug2:kex_parse_kexinit:ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, Ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
DEBUG2:KEX_PARSE_KEXINIT:AES128-CTR,AES192-CTR,AES256-CTR,ARCFOUR256,ARCFOUR128,AES128-CBC,3DES-CBC, blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
DEBUG2:KEX_PARSE_KEXINIT:AES128-CTR,AES192-CTR,AES256-CTR,ARCFOUR256,ARCFOUR128,AES128-CBC,3DES-CBC, blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2:kex_parse_kexinit:hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2:kex_parse_kexinit:hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Debug2:kex_parse_kexinit:none,zlib@openssh.com,zlib
Debug2:kex_parse_kexinit:none,zlib@openssh.com,zlib
Debug2:kex_parse_kexinit:
Debug2:kex_parse_kexinit:
Debug2:kex_parse_kexinit:first_kex_follows 0
Debug2:kex_parse_kexinit:reserved 0
DEBUG2:KEX_PARSE_KEXINIT:DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256,DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1, Diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Debug2:kex_parse_kexinit:ssh-rsa,ssh-dss
DEBUG2:KEX_PARSE_KEXINIT:AES128-CTR,AES192-CTR,AES256-CTR,ARCFOUR256,ARCFOUR128,AES128-CBC,3DES-CBC, blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
DEBUG2:KEX_PARSE_KEXINIT:AES128-CTR,AES192-CTR,AES256-CTR,ARCFOUR256,ARCFOUR128,AES128-CBC,3DES-CBC, blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2:kex_parse_kexinit:hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2:kex_parse_kexinit:hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Debug2:kex_parse_kexinit:none,zlib@openssh.com
Debug2:kex_parse_kexinit:none,zlib@openssh.com
Debug2:kex_parse_kexinit:
Debug2:kex_parse_kexinit:
Debug2:kex_parse_kexinit:first_kex_follows 0
Debug2:kex_parse_kexinit:reserved 0
Debug2:mac_setup:found HMAC-MD5
Debug1:kex:server->client aes128-ctr hmac-md5 None
Debug2:mac_setup:found HMAC-MD5
Debug1:kex:client->server aes128-ctr hmac-md5 None
Debug1:ssh2_msg_kex_dh_gex_request (1024<1024<8192) sent
Debug1:expecting Ssh2_msg_kex_dh_gex_group
Debug3:wrote bytes for a total of 1005
Debug2:dh_gen_key:priv Key Bits set:120/256
Debug2:bits set:506/1024
Debug1:ssh2_msg_kex_dh_gex_init sent
Debug1:expecting ssh2_msg_kex_dh_gex_reply
Debug3:wrote 144 bytes For a total of 1149
Debug3:check_host_in_hostfile:host 192.168.3.44 filename/root/.ssh/known_hosts
Debug3:check_host_in_hostfile:host 192.168.3.44 filename/root/.ssh/known_hosts
Debug3:check_host_in_hostfile:match Line 8
Debug1:host ' 192.168.3.44 ' is known and matches the RSA Host key.
Debug1:found Key In/root/.ssh/known_hosts:8
Debug2:bits set:527/1024
Debug1:ssh_rsa_verify:signature correct
Debug2:kex_derive_keys
Debug2:set_newkeys:mode 1
Debug1:ssh2_msg_newkeys sent
Debug1:expecting Ssh2_msg_newkeys
Debug3:wrote bytes for a total of 1165
Debug2:set_newkeys:mode 0
Debug1:ssh2_msg_newkeys received
Debug1:ssh2_msg_service_request sent
Debug3:wrote bytes for a total of 1213
Debug2:service_accept:ssh-userauth
Debug1:ssh2_msg_service_accept received
Debug2:key:/root/.ssh/identity ((nil))
Debug2:key:/root/.ssh/id_rsa ((nil))
Debug2:key:/root/.ssh/id_dsa ((nil))
Debug2:key:/root/.ssh/id_ecdsa ((nil))
Debug3:wrote bytes for a total of 1277
Debug1:authentications that can Continue:publickey,gssapi-keyex,gssapi-with-mic,password
Debug3:start over, passed a different list Publickey,gssapi-keyex,gssapi-with-mic,password
Debug3:preferred Gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
Debug3:authmethod_lookup Gssapi-keyex
Debug3:remaining Preferred:gssapi-with-mic,publickey,keyboard-interactive,password
Debug3:authmethod_is_enabled Gssapi-keyex
Debug1:next Authentication Method:gssapi-keyex
Debug1:no Valid Key Exchange context
Debug2:we did not send a packet, disable method
Debug3:authmethod_lookup gssapi-with-mic
Debug3:remaining Preferred:publickey,keyboard-interactive,password
Debug3:authmethod_is_enabled gssapi-with-mic
Debug1:next Authentication Method:gssapi-with-mic
Debug3:trying to reverse map address 192.168.3.44.
Debug1:unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address

Debug1:unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address

Debug1:unspecified GSS failure. Minor code may provide more information


Debug1:unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address

Debug2:we did not send a packet, disable method
Debug3:authmethod_lookup publickey
debug3:remaining Preferre D:keyboard-interactive,password
debug3:authmethod_is_enabled publickey
Debug1:next authentication method: PublicKey
debug1:trying private key:/root/.ssh/identity
Debug3:no such identity:/root/.ssh/identity
Debug 1:trying private key:/root/.ssh/id_rsa
Debug3:no such identity:/root/.ssh/id_rsa
debug1:trying private key:/ ROOT/.SSH/ID_DSA
Debug3:no Such identity:/ROOT/.SSH/ID_DSA
debug1:trying private key:/root/.ssh/id_ecdsa
Debug3:no such identity:/ROOT/.SSH/ID_ECDSA
Debug2:we did not send a packet, disable method
Debug3:authmethod_ Lookup Password
debug3:remaining preferred:, password
debug3:authmethod_is_enabled password
debug1:next au Thentication Method:password
root@192.168.3.44 ' s password:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.