Solving slow SSH logins

When using ssh to connect to other Linux machines, the client waits 10-30 seconds before prompting for a password, which seriously affects work efficiency. Only the login is slow; the speed is normal once logged in. There are two possible reasons for this situation:

1. Reverse DNS resolution

When a user logs in, OpenSSH verifies the client's IP address. It uses reverse DNS to find the host name for the client's IP, then uses forward DNS to look up the IP address for that host name, and finally checks whether the result matches the IP that is logging in. If the client's IP does not have a domain name, or if the DNS server is slow or unreachable, logging in can take a long time.
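The reverse-then-forward check described above can be timed on the server for a given client IP. This Python sketch is an added example, not part of the original article and not OpenSSH's own code; the function name check_client_ip and its injectable reverse/forward parameters are assumptions made for illustration.

```python
import ipaddress
import socket
import time


def check_client_ip(ip, reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """Time the reverse-then-forward lookup for one client IP.

    check_client_ip and its reverse/forward parameters are illustrative
    names (assumptions); the defaults use the system resolver.
    """
    ip = str(ipaddress.ip_address(ip))  # validate and normalise the input
    result = {"ip": ip, "hostname": None, "confirmed": False,
              "reverse_s": 0.0, "forward_s": 0.0}

    start = time.monotonic()
    try:
        # Step 1: reverse DNS (PTR record), IP -> host name
        result["hostname"] = reverse(ip)[0]
    except OSError:
        pass  # no PTR record, or the DNS server is slow/unreachable
    result["reverse_s"] = time.monotonic() - start
    if result["hostname"] is None:
        return result

    start = time.monotonic()
    try:
        # Step 2: forward DNS, host name -> set of addresses
        infos = forward(result["hostname"], None)
        addresses = {info[4][0].split("%")[0] for info in infos}
    except OSError:
        addresses = set()
    result["forward_s"] = time.monotonic() - start

    # Step 3: the name only counts if it maps back to the connecting IP
    result["confirmed"] = ip in addresses
    return result


if __name__ == "__main__":
    import sys
    # Constructed default: the sample address from the hosts entry on this page
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.12.16"
    r = check_client_ip(target)
    print(f"{r['ip']}: PTR={r['hostname']} confirmed={r['confirmed']} "
          f"reverse={r['reverse_s']:.2f}s forward={r['forward_s']:.2f}s")
```

Lookup times of several seconds in this output correspond to the DNS delay described in this section.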

Solution:

Modify the sshd server-side configuration on the target server and restart sshd

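vi /etc/ssh/sshd_config, set UseDNS to no. Note that with UseDNS no, only IP addresses (not host names) can be used in the from= option of ~/.ssh/authorized_keys and in sshd_config Match Host directives.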

Of course, the problem can also be solved by providing correct reverse DNS resolution. There are two ways to do this:

(1) Add the commonly used IPs and host names to the /etc/hosts file on the server, and then check in /etc/nsswitch.conf that programs query the hosts file first (this is usually the default).

Modify the hosts file on the server and add the IP and domain name of the target machine, or let the local DNS server resolve the target address.

vi /etc/hosts

192.168.12.16  ourdev

The format is "target machine IP, target machine name". With this entry in place, the connection is made without delay. However, adding a name resolution entry for every machine is a lot of work. This method can still be used when connecting with PuTTY or SecureCRT under Windows.

(2) Start a DNS server (it can be the local machine), add reverse resolution records, and add this DNS server to /etc/resolv.conf.

2. Disable GSSAPI authentication for ssh

Use ssh -v user@server to see the following information when logging in:

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure. Minor code may provide more information

Note: ssh -vvv user@server shows more detailed debug information.

Solution:

Modify the ssh client configuration on the client (note: not sshd_config)

vi /etc/ssh/ssh_config, set GSSAPIAuthentication no and restart sshd

You can also disable it for a single login with ssh -o GSSAPIAuthentication=no user@server

GSSAPI (Generic Security Services Application Programming Interface) is a set of general network security system interfaces similar to Kerberos 5. It encapsulates various client-server security mechanisms in order to hide the differences between their security interfaces and reduce programming difficulty. However, this interface runs into problems when the target machine has no domain name resolution.

Tracing with strace shows that after ssh has verified the key, it attempts gssapi-with-mic authentication. At this point it first connects to the DNS server, and only then performs the other operations.
