> CentOS > CentOS故障 >

ssh 连接centos服务器很慢的解决办法

现象:

在局域网内,能ping通目标机器,并且时延是微秒级。

用ssh连局域网内其他linux机器,会等待10-30秒才有提示输入密码。严重影响工作效率。

[oracle@service1 ~]$ ping 192.168.1.228
PING 192.168.1.228 (192.168.1.228) 56(84) bytes of data.
64 bytes from 192.168.1.228: icmp_seq=1 ttl=64 time=0.280 ms
64 bytes from 192.168.1.228: icmp_seq=2 ttl=64 time=0.196 ms
64 bytes from 192.168.1.228: icmp_seq=3 ttl=64 time=0.326 ms
^C
--- 192.168.1.228 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2986ms

rtt min/avg/max/mdev = 0.196/0.267/0.326/0.055 ms

复制时:

[oracle@service1 ~]$ scp -rp /home/oracle/xtt2/ 192.168.1.228:/home/oracle/
oracle@192.168.1.228's password:
Connection closed by 192.168.1.228
lost connection

调试信息:

[oracle@service1 ~]$ ssh -v 192.168.1.228
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.228 [192.168.1.228] port 22.
debug1: Connection established.
debug1: identity file /home/oracle/.ssh/identity type -1
debug1: identity file /home/oracle/.ssh/identity-cert type -1
debug1: identity file /home/oracle/.ssh/id_rsa type -1
debug1: identity file /home/oracle/.ssh/id_rsa-cert type -1
debug1: identity file /home/oracle/.ssh/id_dsa type -1
debug1: identity file /home/oracle/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.228' is known and matches the RSA host key.
debug1: Found key in /home/oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Trying private key: /home/oracle/.ssh/identity
debug1: Trying private key: /home/oracle/.ssh/id_rsa
debug1: Trying private key: /home/oracle/.ssh/id_dsa
debug1: Next authentication method: password
oracle@192.168.1.228's password:

Connection closed by 192.168.1.228

有效的解决办法:

1. 修改目标机:

[root@service2 ~]# vi /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.228   service2

192.168.1.117   service1

2.修改本机: GSSAPIAuthentication yes →GSSAPIAuthentication no

GSSAPI ( Generic Security Services Application Programming Interface) 是一套类似Kerberos 5 的通用网络安全系统接口。该接口是对各种不同的客户端服务器安全机制的封装,以消除安全接口的不同,降低编程难度。但该接口在目标机器无域名解析时会有问题。我看到有人给ubuntu提交了相关bug, 说要将GSSAPIAuthentication的缺省值设为no,不知为何,ubuntu9.10的缺省值还是yes。

[root@service1 ~]# vi /etc/ssh/ssh_config

#       $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#    GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no

#   CheckHostIP yes

#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS

再复制时:

[oracle@service1 ~]$ scp -rp /home/oracle/xtt2/ 192.168.1.228:/home/oracle/
oracle@192.168.1.228's password:
rman-xttconvert_2.0.zip                                                                                                                         100%   26KB  26.3KB/s   00:00
xttcnvrtbkupdest.sql                                                                                                                            100% 1390     1.4KB/s   00:00
xttdriver.pl                                                                                                                                    100%   90KB  89.6KB/s   00:00
xttdbopen.sql                                                                                                                                   100%   71     0.1KB/s   00:00
xtt.properties                                                                                                                                  100%  251     0.3KB/s   00:00
xttstartupnomount.sql                                                                                                                           100%   52     0.1KB/s   00:00
xttprep.tmpl

(责任编辑:IT)