Ssh

使用CentOS7登錄時延遲很長

  • November 14, 2019

我有一個 CentOS 7 系統,當我使用 putty 或 ssh 登錄時,在收到密碼提示之前有很長的延遲。我跑了 ssh -v ,我發現它可以做到這一點:

debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

然後它在那裡坐了 1-2 分鐘,然後這個輸出爆炸了:

debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Trying private key: /home/motor/.ssh/id_rsa
debug1: Trying private key: /home/motor/.ssh/id_dsa
debug1: Trying private key: /home/motor/.ssh/id_ecdsa
debug1: Trying private key: /home/motor/.ssh/id_ed25519
debug1: Next authentication method: password

然後密碼提示出來了。無論哪個使用者登錄都會發生這種情況。它只發生在 1 個系統上。我還有 5 個其他人可以毫不拖延地進行。

日誌中沒有磁碟或記憶體或任何其他錯誤。

什麼可能導致它像這樣延遲?

更新:

我嘗試設置GSSAPIAuthentication為 no 並沒有解決問題。

我再次執行 ssh,這次使用 -vvv。這個輸出出來了,然後它掛了:

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/motor/.ssh/id_rsa ((nil)),
debug2: key: /home/motor/.ssh/id_dsa ((nil)),
debug2: key: /home/motor/.ssh/id_ecdsa ((nil)),
debug2: key: /home/motor/.ssh/id_ed25519 ((nil)),

1-2分鐘後,出現了:

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/motor/.ssh/id_rsa
debug3: no such identity: /home/motor/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/motor/.ssh/id_dsa
debug3: no such identity: /home/motor/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/motor/.ssh/id_ecdsa
debug3: no such identity: /home/motor/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/motor/.ssh/id_ed25519
debug3: no such identity: /home/motor/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

然後是密碼提示。

/etc/ssh/sshd_config遠端伺服器上,您應該將選項更改GSSAPIAuthentication為否。重新啟動 sshd,您應該一切順利。

編輯:GSSAPI(通用安全服務應用程序程式介面)本質上是一個利用 Kerberos 庫提供強大網路加密的 API。除非有特殊原因需要啟用 GSSAPI,否則此方法應該可以解決您遇到的問題。

edit2:為清楚起見,反向 DNS 檢查也可能超時(特別是檢查連接主機的 PTR 記錄)。SSH 會理所當然地執行此檢查,因為它充當驗證連接主機的安全措施。

話雖如此,該過程在真正的安全性方面並沒有增加太多,因為實際上有很大一部分主機無論如何都沒有 PTR。有三種方法可以解決此問題:

1)。您可以修改sshd_config文件以使用該UseDNS no參數。這將停止反向 DNS 查找。這樣做是安全的。

2)。在適當的 DNS 系統中為連接緩慢的主機添加 PTR 記錄。

3)。使用相關條目將手動條目添加到 OShosts文件中。

希望有幫助!

引用自:https://serverfault.com/questions/815538