Original: http://injustfiveminutes.com/2013/03/13/fixing-ssh-login-long-delay/

For a long time I had a problem with ssh login on a Redhat 6 server – it was taking too long to connect to it, around 30 seconds. Normally it hasn’t been a big issue – after all, you connect once and work for all day as long as you enable server keepalive packets to avoid session timeout.

However, when it comes to working with SFTP or Git it becomes annoying: every SFTP upload or git push means waiting those 30 seconds again.

This kind of problem is often related to DNS issues, but that is not always the case. The most common solutions follow:

1. Disable reverse IP resolution on SSH server

It turns out there is a setting in OpenSSH that controls whether sshd should not only resolve remote host names but also check whether the resolved host names map back to the remote IPs. Apparently, that setting is enabled by default in OpenSSH. The directive UseDNS controls this particular behaviour, and while it is commented out in sshd_config (the default configuration file for the OpenSSH daemon in most environments), the man page for sshd_config states that the default for UseDNS is enabled. Add the following line to sshd_config:

UseDNS no

2. DNS resolver fix for IPv4/IPv6 enabled stacks

It’s a known issue covered by the Red Hat knowledgebase article DOC-58626, but since that article is not viewable without a login, I’ll share the solution below:

The resolver uses the same socket for the A and AAAA requests. Some hardware mistakenly only sends back one reply. When that happens the client system will sit and wait for the second reply. Turning this option on changes this behavior so that if two requests from the same port are not handled correctly it will close the socket and open a new one before sending the second request.

The solution is to add the following line to your /etc/resolv.conf. Just add it all the way at the bottom, as the last line.

options single-request-reopen

3. Disable GSSAPI authentication method

OpenSSH server enables by default the GSSAPI key exchange, which allows you to leverage an existing key management infrastructure such as Kerberos or GSI instead of having to distribute ssh host keys throughout your organisation. With GSSAPI key exchange, servers do not need ssh host keys when being accessed by clients with valid credentials.

If you are not using GSSAPI as an authentication mechanism, it might be causing this connection delay.

In my particular case, I ran ssh -v myserver to find out that it was hanging whilst attempting to authenticate with GSSAPI, with the slow section looking like:

....
....
debug2: key: /home/user/.ssh/id_rsa (0xb961d7a8)
debug2: key: /home/user/.ssh/id_dsa ((nil))
debug2: key: /home/user/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found
debug1: Unspecified GSS failure. Minor code may provide more information

It turned out that it was stalling after trying the gssapi-with-mic authentication method. There were several “Unspecified GSS failure” messages with several seconds of delay between them, so this was definitely the root cause of the long delays.

The fix is simple – disable attempts to use GSS-API by adding the following to /etc/sshd_config (server side) or your ~/.ssh/ssh_config (client side).

GSSAPIAuthentication no

There is an easy way to check beforehand whether this solution will work. Try to ssh into your server by disabling GSSAPI authentication:

ssh -o GSSAPIAuthentication=no user@yourserver
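As an added example (not from the original post), the following POSIX shell helpers do two things discussed above: they time each line of ssh -v output so a stall like the gssapi-with-mic one shows up as a flagged gap, and they audit the three settings covered here (UseDNS and GSSAPIAuthentication in sshd_config, single-request-reopen in resolv.conf). The file paths and the compiled-in defaults passed to sshd_setting are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Locates the stall in
# `ssh -v` output and audits the three settings the post discusses.

# Read lines on stdin, print each with the whole seconds elapsed since the
# previous line, and flag gaps of $1 seconds or more (default 2).
annotate_delays() {
    threshold=${1:-2}
    prev=$(date +%s)
    while IFS= read -r line; do
        now=$(date +%s)
        gap=$((now - prev))
        prev=$now
        if [ "$gap" -ge "$threshold" ]; then
            printf '[+%ss STALL before this line] %s\n' "$gap" "$line"
        else
            printf '[+%ss] %s\n' "$gap" "$line"
        fi
    done
}

# Effective value of an sshd_config keyword: uncommented occurrences only,
# keyword match is case-insensitive, the last occurrence wins, and an absent
# keyword means the compiled-in default given as $3 (an assumption here).
sshd_setting() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Print 1 if the resolv.conf at $1 already has an "options" line carrying
# single-request-reopen, otherwise 0.
resolv_has_single_request_reopen() {
    grep -Eq '^[[:space:]]*options([[:space:]]+[^[:space:]]+)*[[:space:]]+single-request-reopen([[:space:]]|$)' "$1" \
        && echo 1 || echo 0
}

# Summarise the three settings; paths default to the usual Linux locations.
audit() {
    sshd=${1:-/etc/ssh/sshd_config}; resolv=${2:-/etc/resolv.conf}
    echo "UseDNS:                $(sshd_setting "$sshd" UseDNS yes)"
    echo "GSSAPIAuthentication:  $(sshd_setting "$sshd" GSSAPIAuthentication no)"
    echo "single-request-reopen: $(resolv_has_single_request_reopen "$resolv")"
}
```

Because ssh -v writes its debug lines to stderr, run it as ssh -v user@yourserver 2>&1 | annotate_delays 2 to see which debug line precedes the stall.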
