Fixing slow SSH connections

This article describes how to speed up a slow SSH connection.
Summary:
a. Edit sshd_config on the server:

GSSAPIAuthentication no
UseDNS no

b. Increase the entropy available to the server
c. Check the systemd-logind service

1. The GSSAPI problem

1.1 Look at the log

ssh -v root@myip

-v prints each step of the connection. Here is the output from my side:

OpenSSH_7.9p1 Debian-10+deb10u1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /home/thomas/.ssh/config
debug1: /home/thomas/.ssh/config line 78: Applying options for 192.168.1.11
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.11 [192.168.1.11] port 22.
debug1: Connection established.
debug1: identity file /home/thomas/.ssh/key1 type 0
debug1: identity file /home/thomas/.ssh/key1-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.11:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:El+88pgfhRh9BnF2ReA+LY0PZdgy21L+YUsJoZtADwk
debug1: Host '192.168.1.11' is known and matches the ECDSA host key.
debug1: Found key in /home/thomas/.ssh/known_hosts:14
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/thomas/.ssh/key1 RSA SHA256:AsMxJh6bA76AOeVZxvL+cto3mwdO8c1M3qo5dZFnWDY explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received

# Four methods are listed here, but the client actually tries them in this order: gssapi-keyex -> gssapi-with-mic -> publickey -> password
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

# This is where it hung for a while for me
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
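The log above carries no timestamps, so reading it alone does not prove which step cost the time. The following is an added example (not part of the original post) that stamps each line of ssh -v output as it arrives and then reports the line that followed the longest pause, which is the phase to look at first (GSSAPI, DNS, logind, and so on). It assumes GNU date (for %N) and awk.

```shell
#!/bin/sh
# Added example, not from the original post: find the slowest phase of an
# `ssh -v` connection by timing the gaps between its debug lines.
# Assumes GNU date (%N) and a POSIX awk.

# stamp_lines: prefix every line read from stdin with the current epoch
# time in seconds (fractional), so the gaps can be measured afterwards.
stamp_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s.%N)" "$line"
    done
}

# longest_gap: read "EPOCH line..." records from stdin and print the pause
# length (seconds) followed by the line that was printed *after* the longest
# pause; that line names the step ssh was waiting on.
longest_gap() {
    awk '
        { t = $1
          sub(/^[^ ]+ /, "")                 # strip the timestamp prefix
          if (NR > 1 && t - prev > best) { best = t - prev; where = $0 }
          prev = t }
        END { printf "%.3f %s\n", best, where }
    '
}

# Usage against a real host (hostname is a placeholder):
#   ssh -v root@myip 2>&1 | stamp_lines | longest_gap
```

A pause before "Next authentication method: publickey" points at GSSAPI, a pause after "SSH2_MSG_SERVICE_ACCEPT received" usually at the server's DNS lookups, and one after "Entering interactive session." at logind, matching the sections of this post.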

1.2 Fix: skip GSSAPI when connecting

Bypass GSSAPI explicitly on the client side when you connect:

ssh -o GSSAPIAuthentication=no root@myip

1.3 Fix: disable GSSAPI on the server

Apply the following on the server:

vim /etc/ssh/sshd_config

Find GSSAPIAuthentication and set it to no; at the same time, explicitly set UseDNS no.

Then restart the ssh service:

sudo systemctl restart sshd
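Editing sshd_config by hand, as this section describes (and as the UseDNS fix in the last section repeats), is easy to get subtly wrong: sshd takes the first occurrence of a key, so a forgotten "GSSAPIAuthentication yes" higher up silently wins over a line appended at the bottom. Below is an added example, not code from the original post, that makes both changes idempotently, keeps a backup, and validates the file with sshd -t before the service is restarted. The file path argument is an assumption added so the functions can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the two sshd_config
# settings from the summary (GSSAPIAuthentication no, UseDNS no) without
# leaving duplicate or commented-out copies behind, then validate.

# set_sshd_option FILE KEY VALUE
# Rewrite every existing line for KEY, including commented-out ones, and
# append the line only when KEY does not appear at all. Keys are matched
# case-sensitively as distro files write them; lines inside Match blocks
# are rewritten as well, so review those by hand.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value sshd would actually use: the first uncommented match
# (option names are case-insensitive to sshd).
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config [FILE]
# Back the file up, then apply both settings from the post's summary.
harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$file" GSSAPIAuthentication no
    set_sshd_option "$file" UseDNS no
}

# validate_sshd_config [FILE]
# Never restart sshd on an unvalidated file: a syntax error does not stop
# the running daemon, but the next restart fails and locks remote admins out.
validate_sshd_config() {
    sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# Usage on the server (as root):
#   harden_sshd_config && validate_sshd_config && systemctl restart sshd
```

Keep an existing SSH session open while you restart sshd; if the restart fails, that session is what lets you restore the backup.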

1.4 What is GSSAPI

Reference:

  1. GSSAPI: Generic Security Services Application Program Interface. GSSAPI itself is a set of APIs standardized by the IETF. Its main and best-known implementation is based on Kerberos, so when people say GSSAPI they usually mean the Kerberos implementation.

  2. UseDNS: a DNS lookup option of the OpenSSH server, and it is on by default. While it is on, every time a client tries to connect, the server automatically performs a reverse (PTR) DNS lookup on the client's IP (which only returns a record if reverse resolution has been set up for that IP), obtains the hostname for the IP, and then performs a forward (A record) lookup on that hostname. This round trip verifies that the resolved IP matches the IP of the connecting client. But most of our machines get their IP dynamically, which means the option is useless in that situation; even a server with an ordinary static IP is hard to make it work for unless reverse resolution has been configured. If this describes your setup, it is recommended to turn UseDNS off to speed up authentication when logging in remotely over SSH.

2. The logind service has died

If the connection hangs here:

debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

then systemd-logind has died. Check its state with systemctl status systemd-logind, or simply restart the service:

systemctl restart systemd-logind

4. Low entropy

ssh uses a range of cryptographic algorithms, and modern cryptographic tooling places high demands on its random numbers.
Linux random number generation is split into a hardware generator and a software generator: the hardware generator collects data from all kinds of hardware devices and is comparatively hard to predict, whereas the software generator is slow.
Today a large share of cloud servers run on virtual machines, where hardware variation is hard to collect and the machine is very 'quiet', so random number generation relies mainly on software.
Check the current entropy pool with:

cat /proc/sys/kernel/random/entropy_avail

It is usually above 3000. If yours is lower, you can top it up with a common helper such as rng-tools:

sudo dnf install -y rng-tools
sudo systemctl start rngd
sudo systemctl enable rngd

Check the entropy again; it should now be above 3000.
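The threshold of 3000 assumes the 4096-bit input pool of older kernels. As an added example (not from the original post), the check below compares entropy_avail with the kernel's own poolsize instead of a fixed number, since kernels from 5.18 onward report a 256-bit pool on which 3000 can never be reached and the old rule would always recommend rngd. The directory argument is an assumption added so the check can be exercised on constructed files.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether the entropy
# pool is healthy relative to its size, rather than against a fixed 3000.
# Default directory is the real kernel interface; the argument exists so
# the check can be run against constructed files.

# entropy_ratio_ok [DIR]
# Prints the two values and the fill ratio in percent, and returns success
# when the pool is at least 75% full. On a 4096-bit pool that is about the
# post's "above 3000" rule; on the 256-bit pools of kernels >= 5.18 the
# value sits at 256 once the CRNG is initialised, so it passes as well.
entropy_ratio_ok() {
    dir=${1:-/proc/sys/kernel/random}
    avail=$(cat "$dir/entropy_avail")
    size=$(cat "$dir/poolsize")
    # integer arithmetic only, so there is no dependency on bc
    pct=$(( avail * 100 / size ))
    printf 'entropy_avail=%s poolsize=%s (%s%% full)\n' "$avail" "$size" "$pct"
    [ "$pct" -ge 75 ]
}

# Usage on the server: start rngd only if the pool really is starved.
#   entropy_ratio_ok || sudo systemctl start rngd
```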

5. Internal DNS problem

The connection may hang here:

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received

Edit the sshd config file and add or change UseDNS no.