  • [Shallow Optimization in Practice] Troubleshooting and Fixing Slow SSH Remote Logins to Linux, Step by Step

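    Preface:

      While using Linux, I noticed one day that connecting with my SSH client took a long time. I ignored it the first time and the second time, but by the third time I had had enough, so I set aside some time to fix the problem and wrote this post to spare others the same annoyance.

      Slow SSH logins are most commonly caused by DNS resolution. If fixing that does not help, examine the whole SSH login process. So, let's get started.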

    Test environment:

    CentOS 6.7 2.6.32-573.el6.x86_64

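    Change the SSH configuration to disable DNS lookups:

    1. On the SSH server, set the following in /etc/ssh/sshd_config:

    UseDNS no

    Then save and exit, and run /etc/init.d/sshd restart to restart the sshd process so the setting takes effect. Connections should no longer be slow. If they still are, work through the troubleshooting process below.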

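    Troubleshooting:

      The first command to reach for is ssh -v, which most readers will already know. A craftsman needs sharp tools; now that we have one, let's dig in.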

    [root@6 ~]# ssh -v root@192.168.222.129
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.222.129 [192.168.222.129] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/identity-cert type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    The authenticity of host '192.168.222.129 (192.168.222.129)' can't be established.
    RSA key fingerprint is 83:bf:ab:33:07:86:11:d4:33:56:ab:a7:34:77:d3:f9.
    Are you sure you want to continue connecting (yes/no)? y  # slip of the finger: I typed "y" by reflex; the correct answer is on the next line
    Please type 'yes' or 'no': yes  # this is the correct one
    Warning: Permanently added '192.168.222.129' (RSA) to the list of known hosts.
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received


    # Here is the key point. The session stalled when it reached this step, so I pressed Enter a few times to leave a gap that is easy to find later.

    # Back to the matter at hand...
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password  # authentication can continue, but what follows does not go so smoothly
    debug1: Next authentication method: gssapi-keyex         # next authentication method: gssapi-keyex
    debug1: No valid Key exchange context                # this one seems to have died too: it reports no valid key exchange context, in other words
    debug1: Next authentication method: gssapi-with-mic # the client does not give up and tries the next method, gssapi-with-mic, which also ends in failure; read on


    reverse mapping checking getaddrinfo for bogon [192.168.222.129] failed - POSSIBLE BREAK-IN ATTEMPT!
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_0' not found

    debug1: Unspecified GSS failure.  Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_0' not found

    debug1: Unspecified GSS failure.  Minor code may provide more information


    debug1: Unspecified GSS failure.  Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_0' not found

    debug1: Next authentication method: publickey                # after several setbacks the client gives up and switches to publickey authentication
    debug1: Trying private key: /root/.ssh/identity
    debug1: Trying private key: /root/.ssh/id_rsa
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug1: Next authentication method: password
    root@192.168.222.129's password: 

       From the output above we can see that GSSAPI authentication is the culprit, so let's simply disable it.
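
    One way to locate the stalled step without watching the terminal, as an added example that is not part of the original post: the function below prefixes each line of ssh -v output with the seconds elapsed since the previous line and names the line that followed the longest pause. The function names, the replayed sample lines and the BatchMode invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: time the gaps between lines of
# `ssh -v` output to find the step where the login stalls.

# slowest_gap: read lines on stdin, print each one prefixed with the number of
# whole seconds since the previous line, then report the line that followed the
# longest pause. The body is a subshell so its variables stay private.
slowest_gap() (
    max=0
    max_line=""
    prev=$(date +%s)
    while IFS= read -r line; do
        now=$(date +%s)
        gap=$((now - prev))
        printf '%3ds  %s\n' "$gap" "$line"
        if [ "$gap" -gt "$max" ]; then
            max=$gap
            max_line=$line
        fi
        prev=$now
    done
    printf 'longest pause: %ds before: %s\n' "$max" "$max_line"
)

# replay_sample: constructed stand-in for a slow login. The lines are copied
# from the log above; the 2-second pause sits where the post reports the stall.
replay_sample() {
    echo 'debug1: SSH2_MSG_SERVICE_REQUEST sent'
    echo 'debug1: SSH2_MSG_SERVICE_ACCEPT received'
    sleep 2
    echo 'debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password'
    echo 'debug1: Next authentication method: gssapi-keyex'
}

# Real use (ssh -v writes its debug lines to stderr, hence 2>&1; BatchMode
# keeps ssh from waiting at a password prompt):
#   ssh -v -o BatchMode=yes root@192.168.222.129 true 2>&1 | slowest_gap
# Offline demo:
#   replay_sample | slowest_gap
```

    Timing has one-second resolution, which is enough for the multi-second stalls described here.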

     Fix:

    First, edit the SSH configuration file:

      vim /etc/ssh/sshd_config

    # GSSAPI options
    #GSSAPIAuthentication no
    # The next line is at about line 81 of the file. It is set to yes, while "GSSAPIAuthentication no" above is commented out. Either uncomment that line or change yes to no.
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

     Then save and quit with :wq and restart the SSH service.

     OK, that basically takes care of the whole problem.
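
     To confirm which value sshd will actually use after editing, here is an added example (not the original author's code) that reads the global section of an sshd_config file the way sshd resolves it: keywords are case-insensitive and the first uncommented occurrence wins. The function names and the sample file, including its Match block, are constructed for this example, and it assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example, not from the original post.

# sshd_global_value FILE KEYWORD
# Print the value sshd would take for KEYWORD from the global part of FILE:
# '#' lines are ignored, keywords are case-insensitive, the first uncommented
# occurrence wins, and scanning stops at the first Match block.
# Prints "unset" when the keyword is absent (the built-in default applies).
sshd_global_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_slow_login FILE: report the two settings this post changes.
# Returns 0 only when both are explicitly set to "no".
audit_slow_login() {
    rc=0
    for key in UseDNS GSSAPIAuthentication; do
        val=$(sshd_global_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "ok    $key $val"
        else
            echo "check $key $val"
            rc=1
        fi
    done
    return "$rc"
}

# write_sample FILE: constructed excerpt in the "before" state shown above.
# The Match block is an assumption, added to show it is not read as global.
write_sample() {
    cat > "$1" <<'EOF'
UseDNS no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Match User backup
    GSSAPIAuthentication no
EOF
}
```

     On a live server, sshd -T prints the effective configuration and is the authoritative check; this parser is for reviewing a file offline.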

  • Original article: https://www.cnblogs.com/Vanos-lcp/p/5387473.html