Ssh
使用CentOS7登錄時延遲很長
我有一個 CentOS 7 系統,當我使用 putty 或 ssh 登錄時,在收到密碼提示之前有很長的延遲。我跑了 ssh -v ,我發現它可以做到這一點:
debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received
然後它在那裡坐了 1-2 分鐘,然後這個輸出爆炸了:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Next authentication method: publickey debug1: Trying private key: /home/motor/.ssh/id_rsa debug1: Trying private key: /home/motor/.ssh/id_dsa debug1: Trying private key: /home/motor/.ssh/id_ecdsa debug1: Trying private key: /home/motor/.ssh/id_ed25519 debug1: Next authentication method: password
然後密碼提示出來了。無論哪個使用者登錄都會發生這種情況。它只發生在 1 個系統上。我還有 5 個其他人可以毫不拖延地進行。
日誌中沒有磁碟或記憶體或任何其他錯誤。
什麼可能導致它像這樣延遲?
更新:
我嘗試設置
GSSAPIAuthentication
為 no 並沒有解決問題。我再次執行 ssh,這次使用 -vvv。這個輸出出來了,然後它掛了:
debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/motor/.ssh/id_rsa ((nil)), debug2: key: /home/motor/.ssh/id_dsa ((nil)), debug2: key: /home/motor/.ssh/id_ecdsa ((nil)), debug2: key: /home/motor/.ssh/id_ed25519 ((nil)),
1-2分鐘後,出現了:
debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/motor/.ssh/id_rsa debug3: no such identity: /home/motor/.ssh/id_rsa: No such file or directory debug1: Trying private key: /home/motor/.ssh/id_dsa debug3: no such identity: /home/motor/.ssh/id_dsa: No such file or directory debug1: Trying private key: /home/motor/.ssh/id_ecdsa debug3: no such identity: /home/motor/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /home/motor/.ssh/id_ed25519 debug3: no such identity: /home/motor/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password
然後是密碼提示。
在
/etc/ssh/sshd_config
遠端伺服器上,您應該將選項更改GSSAPIAuthentication
為否。重新啟動 sshd,您應該一切順利。編輯:GSSAPI(通用安全服務應用程序程式介面)本質上是一個利用 Kerberos 庫提供強大網路加密的 API。除非有特殊原因需要啟用 GSSAPI,否則此方法應該可以解決您遇到的問題。
edit2:為清楚起見,反向 DNS 檢查也可能超時(特別是檢查連接主機的 PTR 記錄)。SSH 會理所當然地執行此檢查,因為它充當驗證連接主機的安全措施。
話雖如此,該過程在真正的安全性方面並沒有增加太多,因為實際上有很大一部分主機無論如何都沒有 PTR。有三種方法可以解決此問題:
1)。您可以修改
sshd_config
文件以使用該UseDNS no
參數。這將停止反向 DNS 查找。這樣做是安全的。2)。在適當的 DNS 系統中為連接緩慢的主機添加 PTR 記錄。
3)。使用相關條目將手動條目添加到 OS
hosts
文件中。希望有幫助!