ssh 连接centos服务器很慢的解决办法
现象: 在局域网内,能ping通目标机器,并且时延是微秒级。 用ssh连局域网内其他linux机器,会等待10-30秒才有提示输入密码。严重影响工作效率。 [oracle@service1 ~]$ ping 192.168.1.228 PING 192.168.1.228 (192.168.1.228) 56(84) bytes of data. 64 bytes from 192.168.1.228: icmp_seq=1 ttl=64 time=0.280 ms 64 bytes from 192.168.1.228: icmp_seq=2 ttl=64 time=0.196 ms 64 bytes from 192.168.1.228: icmp_seq=3 ttl=64 time=0.326 ms ^C --- 192.168.1.228 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2986ms rtt min/avg/max/mdev = 0.196/0.267/0.326/0.055 ms 复制时: [oracle@service1 ~]$ scp -rp /home/oracle/xtt2/ 192.168.1.228:/home/oracle/ oracle@192.168.1.228's password: Connection closed by 192.168.1.228 lost connection 调试信息: [oracle@service1 ~]$ ssh -v 192.168.1.228 OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to 192.168.1.228 [192.168.1.228] port 22. debug1: Connection established. debug1: identity file /home/oracle/.ssh/identity type -1 debug1: identity file /home/oracle/.ssh/identity-cert type -1 debug1: identity file /home/oracle/.ssh/id_rsa type -1 debug1: identity file /home/oracle/.ssh/id_rsa-cert type -1 debug1: identity file /home/oracle/.ssh/id_dsa type -1 debug1: identity file /home/oracle/.ssh/id_dsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host '192.168.1.228' is known and matches the RSA host key. debug1: Found key in /home/oracle/.ssh/known_hosts:1 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Unspecified GSS failure. Minor code may provide more information Cannot determine realm for numeric host address debug1: Unspecified GSS failure. Minor code may provide more information Cannot determine realm for numeric host address debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information Cannot determine realm for numeric host address debug1: Next authentication method: publickey debug1: Trying private key: /home/oracle/.ssh/identity debug1: Trying private key: /home/oracle/.ssh/id_rsa debug1: Trying private key: /home/oracle/.ssh/id_dsa debug1: Next authentication method: password oracle@192.168.1.228's password: Connection closed by 192.168.1.228 有效的解决办法: 1. 修改目标机: [root@service2 ~]# vi /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.1.228 service2 192.168.1.117 service1 2.修改本机:GSSAPIAuthentication yes →GSSAPIAuthentication no GSSAPI (Generic Security Services Application Programming Interface)是一套类似Kerberos 5 的通用网络安全系统接口。该接口是对各种不同的客户端服务器安全机制的封装,以消除安全接口的不同,降低编程难度。但该接口在目标机器无域名解析时会有问题。我看到有人给ubuntu提交了相关bug,说要将GSSAPIAuthentication的缺省值设为no,不知为何,ubuntu9.10的缺省值还是yes。 [root@service1 ~]# vi /etc/ssh/ssh_config # $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. # Host * # ForwardAgent no # ForwardX11 no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # GSSAPIKeyExchange no # GSSAPITrustDNS no # BatchMode no # CheckHostIP yes # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no Host * GSSAPIAuthentication yes # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. ForwardX11Trusted yes # Send locale-related environment variables SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE SendEnv XMODIFIERS 再复制时: [oracle@service1 ~]$ scp -rp /home/oracle/xtt2/ 192.168.1.228:/home/oracle/ oracle@192.168.1.228's password: rman-xttconvert_2.0.zip 100% 26KB 26.3KB/s 00:00 xttcnvrtbkupdest.sql 100% 1390 1.4KB/s 00:00 xttdriver.pl 100% 90KB 89.6KB/s 00:00 xttdbopen.sql 100% 71 0.1KB/s 00:00 xtt.properties 100% 251 0.3KB/s 00:00 xttstartupnomount.sql 100% 52 0.1KB/s 00:00 xttprep.tmpl
