When using ssh to connect to other Linux machines, it can wait 10-30 seconds before prompting for a password, which seriously affects work efficiency. Only the login is slow; once logged in, the speed is normal. There are two likely causes for this:
1. The problem of DNS reverse resolution
OpenSSH verifies the client's IP when a user logs in: it uses reverse DNS to look up the host name for the user's IP, then uses forward DNS to look up the IP address for that host name, and finally checks whether the two match to decide whether the connecting IP is legitimate. If the client's IP has no domain name, or the DNS server is slow or unreachable, logging in can take a long time.
Solution:
Modify the sshd server-side configuration on the target server and restart sshd:
vi /etc/ssh/sshd_config, and set UseDNS to no
Of course, it can also be solved by providing correct reverse DNS resolution. There are two approaches:
(1) Add the commonly used IPs and host names to the /etc/hosts file on the server, and check in /etc/nsswitch.conf that the hosts file is queried before DNS (this is usually the default).
Modify the hosts file on the server and add the IP and domain name of the target machine, or have the local DNS server resolve the target address.
vi /etc/hosts
192.168.12.16 ourdev
The format is "target-machine IP, target-machine name". With this entry in place, the connection proceeds without delay. However, adding a name-resolution entry for every single machine is very laborious. This method can also be used when connecting with PuTTY or SecureCRT under Windows.
(2) Run a DNS server (it can be the local machine), add the reverse resolution records, and add this DNS server to /etc/resolv.conf.
2. Disable GSSAPI authentication for ssh
Running ssh -v user@server shows the following while logging in:
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Note: ssh -vvv user@server shows more detailed debug output.
Solution:
Modify the ssh client configuration on the client (note: ssh_config, not sshd_config):
vi /etc/ssh/ssh_config, set GSSAPIAuthentication no, and restart sshd
Alternatively, you can log in with ssh -o GSSAPIAuthentication=no user@server
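As an added example that is not part of the original post, the POSIX shell audit below reports the value OpenSSH will actually use for the two settings discussed above (UseDNS in sshd_config and GSSAPIAuthentication in ssh_config). OpenSSH uses the first occurrence of a keyword, so an option appended at the end of the file is silently ignored if the same keyword appears earlier; the sample config file is constructed here to show exactly that trap.

```shell
#!/bin/sh
# Report the effective value of an OpenSSH config keyword.
# OpenSSH honours the FIRST occurrence of a keyword, so "UseDNS no"
# appended at the end is ignored when "UseDNS yes" appears earlier.
# Keywords are case-insensitive; "#" comments and blank lines are skipped,
# and both "Keyword value" and "Keyword=value" forms are accepted.
effective_value() {
    # $1 = keyword, $2 = config file path; prints nothing if unset
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }                         # skip comments/blank lines
        { gsub(/=/, " ") }                              # normalise "Key=value"
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$2"
}

# Constructed sample (not a real server's file): an admin appended
# "UseDNS no", but the earlier "UseDNS yes" is what sshd really uses.
sample_sshd_config() {
    tmp=$(mktemp) || exit 1
    cat > "$tmp" <<'EOF'
# sshd_config (constructed sample)
Port 22
UseDNS yes
GSSAPIAuthentication=yes
# appended later to "fix" slow logins, but never takes effect:
UseDNS no
EOF
    printf '%s\n' "$tmp"
}

# Print a short audit of the two settings this article discusses.
audit_slow_login_settings() {
    cfg="$1"
    for kw in UseDNS GSSAPIAuthentication; do
        val=$(effective_value "$kw" "$cfg")
        printf '%-22s effective=%s\n' "$kw" "${val:-<compiled-in default>}"
    done
}

# Stand-alone run against the constructed sample:
# audit_slow_login_settings "$(sample_sshd_config)"
```

Run the audit against the real /etc/ssh/sshd_config (or ssh_config) instead of the sample to confirm that the edit described above is the occurrence sshd actually reads.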
GSSAPI (Generic Security Services Application Programming Interface) is a set of generic network security interfaces similar to Kerberos 5. The interface wraps the various client-server security mechanisms to hide the differences between their security interfaces and reduce programming difficulty. However, it runs into problems when the target machine has no domain name resolution.
Tracing with strace shows that after ssh has verified the key, it attempts gssapi-with-mic authentication; at that point it first contacts the DNS server, and only afterwards do the other operations proceed.