
How to solve the problem of slow login in Linux SSH

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to solve the problem of slow SSH login on Linux. The content is simple and easy to follow.

When you use an SSH client (such as PuTTY) to connect to a Linux server, you may wait 10-30 seconds before you are prompted for a password, which seriously affects work efficiency. There are two likely causes of the slow login:

1. Reverse DNS lookup problem

OpenSSH verifies the client IP when a user logs in. It does a reverse DNS lookup to find the hostname for the user's IP, then does a forward DNS lookup on that hostname, and finally checks that the result matches the IP that is logging in. If the client's IP has no domain name, or if the DNS server is slow or unavailable, logging in can take a long time.

Solution:

Modify the sshd server-side configuration on the target server and restart sshd

The code is as follows:

vi /etc/ssh/sshd_config

UseDNS no
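An added example (not from the original article): sshd uses the first value it reads for each keyword, so a UseDNS no line appended below an earlier UseDNS yes has no effect. The helper below reports the value that wins in the global section of an sshd_config-style file; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and the sample file are constructed for illustration.

# effective_global FILE KEYWORD
# Prints the value sshd would take from the global section of FILE (the part
# before the first Match block), or "unset" when the keyword is absent and
# the compiled-in default applies.
effective_global() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); result = "unset" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # drop leading whitespace
            if (line == "" || line ~ /^#/) next  # blank line or comment
            n = match(line, /[ \t=]/)            # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # conditional blocks start here
            if (key == want) { result = val; exit }  # first value wins
        }
        END { print result }
    ' "$1"
}

# Constructed sshd_config fragment: "UseDNS no" was appended at the bottom,
# below an earlier active "UseDNS yes".
sample_config() {
    cat <<'EOF'
Port 22
#UseDNS no
UseDNS yes
GSSAPIAuthentication=no
PasswordAuthentication yes
UseDNS no
Match Address 10.0.0.0/8
    X11Forwarding no
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
echo "UseDNS               -> $(effective_global "$tmp" UseDNS)"
echo "GSSAPIAuthentication -> $(effective_global "$tmp" gssapiauthentication)"
rm -f "$tmp"
```

On a live server, sshd -T prints the effective configuration after the file has been parsed. With UseDNS no, only IP addresses, not hostnames, can be used in authorized_keys from= options and sshd_config Match Host rules.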

2. Turn off GSSAPI authentication for SSH

With ssh -v user@server, you can see the following information when logging in:

The code is as follows:

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure. Minor code may provide more information

Note: ssh -vvv user@server shows more detailed debug information.

Solution:

Modify the SSH configuration. Note that /etc/ssh/ssh_config is the client-side file, read by ssh on the machine you connect from; the same GSSAPIAuthentication keyword is also accepted in the server's /etc/ssh/sshd_config.

The code is as follows:

vi /etc/ssh/ssh_config

GSSAPIAuthentication no

You can also log in using ssh -o GSSAPIAuthentication=no user@server

GSSAPI (Generic Security Services Application Programming Interface) is a general-purpose network security interface, similar to Kerberos 5. It encapsulates a variety of client-server security mechanisms behind one API, which hides the differences between their security interfaces and makes programming easier. However, this interface runs into problems when there is no domain name resolution on the target machine.

Checking with strace shows that ssh attempts gssapi-with-mic authentication after verifying the key. At that point it first connects to the DNS server, and only afterwards carries on with the other operations.

The code is as follows:

[root@192-168-3-40]# ssh -vvv root@192.168.3.44
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.3.44 [192.168.3.44] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024
