Debugging and handling the problem of jamming for about 30s during SSH login
2022-07-07 21:34:00 【Qiang Junen】
I. Problem description
When SSHing to one particular host on the intranet, the login always hangs for about 30 s before reaching the remote host. SSH to the other hosts is normal, and there is no particular difference between the hosts' configurations. The following analyzes how to locate the possible cause on this host.
SSH encrypts with a key pair. Public key: given to the remote host so that it can encrypt data; anyone can obtain your public key to encrypt data. Private key: data that the remote host encrypted with your public key can be decrypted on the local side with the private key.
II. Analysis and handling
1) Debugging with command options
Run the ssh login test with the -o GSSAPIAuthentication=no or -o StrictHostKeyChecking=no option.
debug1: SSH2_MSG_SERVICE_ACCEPT received // the ssh hang appears here; as can be seen below, GSS authentication is attempted many times; it is best to use a key pair
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA

2) Modify GSS authentication
vim /etc/ssh/sshd_config // comment out the following 2 lines; verification failed
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
3) After restarting and verifying again, the hang is still there. The hang point is as follows:
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received // the hang still appears here
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = zh_CN.UTF-8
Comparing against the log of a host that logs in normally, no abnormality was found; the normal host does not hang even when GSS authentication is used. The only difference is that the hanging host uses a different ssh port. Comparing /etc/pam.d/sshd, the files are the same; no differences were found.
4) Disable DNS resolution: edit /etc/ssh/sshd_config and set UseDNS no. On testing, the login no longer hangs. This verifies on site that ssh has DNS resolution on by default, even when it is not explicitly configured as yes.
5) Testing has verified that enabling GSS authentication is not the cause of this ssh login hang; the UseDNS option is the main direct cause. However, the other hosts log in over ssh normally without this change. The difference between the affected host and the normal hosts is that its host name has been modified and is no longer the default localhost, although the ping test still looks normal.
Note: UseDNS is a security-hardening feature of the SSH service and is on by default. When it is enabled, the server first performs a DNS PTR reverse lookup on the client IP to obtain the client host name, then performs a forward DNS A-record lookup on that host name, and finally compares the resulting IP with the original IP to check that they are consistent, in order to prevent client spoofing. In particular, once GSSAPI authentication is enabled, it relies on the domain name for identity authentication.
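The check described in the note above (PTR lookup, forward A lookup, comparison), written out as an added example that is not part of the original post. It times each lookup so a slow PTR query on the server shows up directly. The `reverse`/`forward` parameters, the fake resolvers and the sample addresses are constructed for illustration.

```python
import socket
import time

def fcrdns_check(client_ip, reverse=None, forward=None):
    """PTR lookup, then A lookup, then compare; each lookup is timed."""
    # reverse/forward are hypothetical injectable resolvers for offline runs;
    # by default the system resolver is used, as on the sshd host.
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    forward = forward or (lambda name: sorted(
        {ai[4][0] for ai in socket.getaddrinfo(name, None)}))
    res = {"ip": client_ip, "hostname": None, "forward_ips": [],
           "status": None, "ptr_seconds": 0.0, "a_seconds": 0.0}
    start = time.monotonic()
    try:
        res["hostname"] = reverse(client_ip)            # step 1: PTR query
    except OSError:                                     # herror/gaierror/timeout
        res["status"] = "no-ptr"
    res["ptr_seconds"] = time.monotonic() - start
    if res["status"]:
        return res
    start = time.monotonic()
    try:
        res["forward_ips"] = list(forward(res["hostname"]))  # step 2: A query
    except OSError:
        res["status"] = "no-forward"
    res["a_seconds"] = time.monotonic() - start
    if res["status"]:
        return res
    # step 3: the forward result must contain the original client IP
    res["status"] = "match" if client_ip in res["forward_ips"] else "mismatch"
    return res

# Constructed sample zone data (documentation address range), not from the page.
PTR = {"192.0.2.10": "a.example.test", "192.0.2.20": "b.example.test"}
A = {"a.example.test": ["192.0.2.10"], "b.example.test": ["192.0.2.99"]}

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise socket.gaierror(-2, "Name or service not known")
    return A[name]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        r = fcrdns_check(ip, fake_reverse, fake_forward)
        print(ip, r["status"], r["hostname"], f'{r["ptr_seconds"]:.3f}s')
```

Called with only the client IP on the SSH server, it uses the system resolver; a `ptr_seconds` value in the tens of seconds points at the reverse lookup as the source of the delay.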