【浅层优化实战】ssh远程登录Linux卡慢的全过程排查及解决方案

ssh远程登录Linux卡慢的全过程排查及解决方案

前言：

　　在linux操作系统使用过程中偶然一次感到使用ssh远程连接软件连接操作系统需要等待许久，第一次没在意，第二次也没在意，第三次有点忍受不住了，就抽时间想解决掉这个问题，顺便写下这篇博文已帮助更多的人解决次烦恼。

　　ssh慢普遍原因是因为DNS解析导致，如果还不行那就查看ssh远程登录的全过程。那么，实战正式开始~

测试环境：

CentOS 6.7 2.6.32-573.el6.x86_64

更改ssh配置文件设置禁用DNS解析：

1、在ssh服务端上更改/etc/ssh/sshd_config文件中的配置为如下内容：

UseDNS no

 

然后，保存并退出，执行/etc/init.d/sshd restart重启sshd进程使上述配置生效，在连接应该就不慢了。如果再慢就要使用如下排除过程。

排查过程：

　　首先用到的命令就是：ssh -v 相信大家对此并不陌生，工欲善其事必先利其器，现在有了，那就可以开始浪了~

[root@6 ~]# ssh -v root@192.168.222.129
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.222.129 [192.168.222.129] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host '192.168.222.129 (192.168.222.129)' can't be established.
RSA key fingerprint is 83:bf:ab:33:07:86:11:d4:33:56:ab:a7:34:77:d3:f9.
Are you sure you want to continue connecting (yes/no)? y  #此处手残，顺手打了个“y” 正确的在下面 - -、
Please type 'yes' or 'no': yes  我是正确的 ☺ 
Warning: Permanently added '192.168.222.129' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received


那么重点来了。当执行到此环节的是出现了卡顿的现象，博主机智的敲了几下回车与其隔开方便后来查看~

                           

　　　　好吧言归正传...


debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password　　#此处提示认证可以继续。but......下面似乎没有那么顺利
debug1: Next authentication method: gssapi-keyex　　　　　　　　　#下一步验证方法：GSSAPI-keyex~
debug1: No valid Key exchange context　　　　　　　　　　　　　　　 #好吧，似乎也死掉了。。提示木有有效的密钥交换环境，也就是说
debug1: Next authentication method: gssapi-with-mic             #可以看出此处系统不死心。。又使用下一个验证方法：gssapi-with-mic，但是以失败告终，那么我们再往后看。

reverse mapping checking getaddrinfo for bogon [192.168.222.129] failed - POSSIBLE BREAK-IN ATTEMPT!
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Next authentication method: publickey　　　　　　　　　　　　　　　　#经过几次挫折，系统放弃了..启用了publickey验证方式
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
root@192.168.222.129's password: 

 　　从上面反馈的结果中我们发现，是GSSAPI验证在捣鬼，那我们将其禁用不就好了。。

 解决方法：

首先编辑ssh配置文件：

　　vim /etc/ssh/sshd_config

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes　　　　　　　　#←这一行大约在文档的第81行，我们看到它开启了yes的状态，而GSSAPIAuthentication no被无情的注释掉了。。。我们可以将其放出来，，或者将yes改成no

#GSSAPICleanupCredentials yes 
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes 
#GSSAPIKeyExchange no

 然后保存退出:wq 重启一下ssh服务即可。

 ok这样基本就解决了所有问题~