Case analysis: slow SSH logins on a CentOS server

Source: Internet
Uploaded by: User

I have a Linux server where ssh login is extremely slow, taking tens of seconds. None of the other servers have this problem. For day-to-day logins I simply put up with it, but today I finally could not stand it any longer and wanted to find out the actual cause. A quick search turned up plenty of material on slow ssh logins, so I set out to analyse and confirm the cause myself.

Slow ssh logins usually have one of two causes: reverse DNS resolution, or ssh's GSSAPI authentication.

1: ssh's GSSAPI authentication

GSSAPI (Generic Security Services Application Programming Interface) is a generic network security interface (in practice usually backed by Kerberos 5). It wraps the various client/server security mechanisms behind one interface, hiding their differences and making them easier to program against. The catch is that it misbehaves when the target machine cannot resolve host names.

By default, GSSAPIAuthentication is enabled on both the server and the client. If the DNS service is broken, the login cannot proceed until the DNS query times out, which is why the SSH login prompt takes so long to appear. Why does an ssh login need DNS resolution at all? Because the GSSAPI authentication method requires it.

So setting the parameter GSSAPIAuthentication to no in /etc/ssh/sshd_config (server) or /etc/ssh/ssh_config (client) can fix the slow ssh login.

2: Reverse DNS resolution

When a user logs in, OpenSSH checks the client IP: it uses reverse DNS to look up the host name for the user's IP, then forward DNS to resolve that host name back to an IP address, and finally checks that the login IP matches. If the client IP has no domain name, or the DNS server is slow or unreachable, the login takes a long time.

Problem analysis:

First, add the "-v" parameter to the ssh command to print debug information and pinpoint the problem. Concretely: ssh -v root@serverip

[root@localhost ~]# ssh -v root@192.168.xxx.xxx
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.xxx.xxx [192.168.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host '192.168.xxx.xxx (192.168.xxx.xxx)' can't be established.
RSA key fingerprint is 04:08:57:22:7e:8d:dc:d3:8e:91:20:d0:ba:d9:ed:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.xxx.xxx' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@192.168.xxx.xxx's password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Sun Sep 6 08:30:47 2015 from 192.168.7.222
[root@ceglnx01 ~]# 


The output above shows "Unspecified GSS failure", so I set the parameter GSSAPIAuthentication to no in /etc/ssh/sshd_config (server) or /etc/ssh/ssh_config (client), restarted the sshd service, and tested again: ssh login was still very slow.

[root@localhost ~]# service sshd status
openssh-daemon (pid 3594) is running...
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

So the cause should be reverse DNS resolution. There are several ways to deal with it:

1: On the server, add the commonly used IPs and host names to /etc/hosts, then check /etc/nsswitch.conf to confirm that programs consult the hosts file first.

2: On the server, change or add UseDNS=no in /etc/ssh/sshd_config, then restart the sshd service.

I set UseDNS to no in /etc/ssh/sshd_config, restarted sshd, and then tested the ssh connection speed. Sure enough, it connected instantly. The main cause, then, was reverse DNS resolution.
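As an added example (not part of the original article, and not a tool from the OpenSSH project), the following POSIX shell script audits an sshd_config for the two settings discussed above. It mirrors how sshd reads the file: keywords are case-insensitive, the value may follow either whitespace or "=", and the first value read for a keyword wins, so a later "UseDNS no" does not override an earlier "UseDNS yes". The sample configuration files it creates are constructed for the demonstration; the defaults it assumes when a keyword is absent (both enabled) match the CentOS 5-era setup in the article (UseDNS defaulted to yes before OpenSSH 6.8, and Red Hat's shipped sshd_config turns GSSAPIAuthentication on). Match blocks are not handled.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two slow-login settings.

# Constructed sample configs (not from the article's server).
SAMPLE_SLOW='# sshd_config excerpt with the slow-login settings
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes
# the line below is ignored: sshd keeps the first value it read
UseDNS no
'
SAMPLE_FAST='Port 22
GSSAPIAuthentication=no
UseDNS no
'

# write_sample_config slow|fast -> prints the path of a temp file
write_sample_config() {
    f=$(mktemp)
    case "$1" in
        slow) printf '%s' "$SAMPLE_SLOW" > "$f" ;;
        fast) printf '%s' "$SAMPLE_FAST" > "$f" ;;
    esac
    echo "$f"
}

# sshd_effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use: first match wins, keyword is
# case-insensitive, "Key=value" and "Key value" are both accepted.
# Match blocks are not handled (assumption for this example).
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank lines
        {
            gsub(/=/, " ")                                # allow UseDNS=no
            if (!found && tolower($1) == key) { print $2; found = 1 }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_login_delays FILE
# Prints one line per setting that can stall logins; returns 0 when
# both UseDNS and GSSAPIAuthentication are off, 1 otherwise.
audit_sshd_login_delays() {
    cfg="$1"
    rc=0
    # Assumed defaults when the keyword is absent: enabled (CentOS 5 era).
    dns=$(sshd_effective_value "$cfg" UseDNS yes | tr 'A-Z' 'a-z')
    gss=$(sshd_effective_value "$cfg" GSSAPIAuthentication yes | tr 'A-Z' 'a-z')
    if [ "$dns" != "no" ]; then
        echo "UseDNS=$dns: sshd reverse-resolves every client IP; a slow or missing PTR record delays the login"
        rc=1
    fi
    if [ "$gss" != "no" ]; then
        echo "GSSAPIAuthentication=$gss: gssapi-with-mic is offered first and needs DNS/Kerberos; failures wait for a timeout"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: UseDNS and GSSAPIAuthentication are both off"
    return "$rc"
}

# Demo on the constructed samples: sh audit_sshd.sh --demo
demo() {
    for kind in slow fast; do
        f=$(write_sample_config "$kind")
        echo "== $kind sample =="
        audit_sshd_login_delays "$f" || true
        rm -f "$f"
    done
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live server running OpenSSH 5.1 or later, `sshd -T | grep -iE 'usedns|gssapiauthentication'` prints the effective values directly, which is the authoritative check. One caveat before switching UseDNS off everywhere: with UseDNS no, sshd no longer resolves client addresses, so host-name patterns in authorized_keys from= options and in allow/deny lists stop matching and must be expressed as IP addresses instead.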
