Symptoms:

On the LAN, the target machine answers ping, with latency at the microsecond level.

When connecting with ssh to other Linux machines on the LAN, there is a wait of 10-30 seconds before the password prompt appears. This seriously hurts productivity.

[oracle@service1 ~]$ ping 192.168.1.228
PING 192.168.1.228 (192.168.1.228) 56(84) bytes of data.
64 bytes from 192.168.1.228: icmp_seq=1 ttl=64 time=0.280 ms
64 bytes from 192.168.1.228: icmp_seq=2 ttl=64 time=0.196 ms
64 bytes from 192.168.1.228: icmp_seq=3 ttl=64 time=0.326 ms
^C
--- 192.168.1.228 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2986ms
rtt min/avg/max/mdev = 0.196/0.267/0.326/0.055 ms

When copying:

[oracle@service1 ~]$ scp -rp /home/oracle/xtt2/ 192.168.1.228:/home/oracle/
oracle@192.168.1.228's password: 
Connection closed by 192.168.1.228
lost connection

Debug output:

[oracle@service1 ~]$ ssh -v 192.168.1.228
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.228 [192.168.1.228] port 22.
debug1: Connection established.
debug1: identity file /home/oracle/.ssh/identity type -1
debug1: identity file /home/oracle/.ssh/identity-cert type -1
debug1: identity file /home/oracle/.ssh/id_rsa type -1
debug1: identity file /home/oracle/.ssh/id_rsa-cert type -1
debug1: identity file /home/oracle/.ssh/id_dsa type -1
debug1: identity file /home/oracle/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.228' is known and matches the RSA host key.
debug1: Found key in /home/oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Trying private key: /home/oracle/.ssh/identity
debug1: Trying private key: /home/oracle/.ssh/id_rsa
debug1: Trying private key: /home/oracle/.ssh/id_dsa
debug1: Next authentication method: password
oracle@192.168.1.228's password: 
Connection closed by 192.168.1.228


The fix that worked:

1. Modify the target machine:

[root@service2 ~]# vi /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.228   service2
192.168.1.117   service1

2. Modify the local machine: GSSAPIAuthentication yes → GSSAPIAuthentication no

GSSAPI (Generic Security Services Application Programming Interface) is a generic network security interface along the lines of Kerberos 5. It wraps the various client-server security mechanisms in order to hide the differences between their security interfaces and make programming easier. However, this interface causes problems when there is no name resolution for the target machine. I saw that someone filed a related bug against Ubuntu asking for the default value of GSSAPIAuthentication to be set to no; for some reason, the default in Ubuntu 9.10 is still yes.

[root@service1 ~]# vi /etc/ssh/ssh_config

#       $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#    GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *
        GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
        ForwardX11Trusted yes
# Send locale-related environment variables
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
        SendEnv XMODIFIERS
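
A quick way to check both halves of this diagnosis, as an added example that is not part of the original post: the script counts the GSS failures in a saved `ssh -v` log and reads the GSSAPIAuthentication value that is actually active in a client config file. The function names, the temporary files and the sample log and config contents are constructed for illustration, and Host patterns are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# Count GSSAPI failures in `ssh -v` output read from stdin.
gss_failures() {
    grep -c 'Unspecified GSS failure' || true
}

# Print the GSSAPIAuthentication value set in one client config file.
# ssh keeps the first value it reads for an option, so stop at the first
# uncommented match. Simplification: Host patterns are not evaluated.
effective_gssapi() {
    awk '{ gsub(/=/, " ") }
         tolower($1) == "gssapiauthentication" { print tolower($2); hit = 1; exit }
         END { if (!hit) print "unset" }' "$1"
}

# $1 = saved `ssh -v` log, $2 = client config file
diagnose() {
    n=$(gss_failures < "$1")
    v=$(effective_gssapi "$2")
    if [ "$n" -gt 0 ] && [ "$v" = "yes" ]; then
        echo "fix-needed"
    else
        echo "config-ok"
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed excerpt modelled on the debug output above.
cat > "$tmp/ssh-v.log" <<'EOF'
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: password
EOF

# Before: the commented-out "no" must be ignored, the active "yes" wins.
printf '%s\n' '#    GSSAPIAuthentication no' 'Host *' \
    '        GSSAPIAuthentication yes' > "$tmp/before"
# After: the edit from step 2 (the log is the one captured before the fix).
printf '%s\n' 'Host *' '        GSSAPIAuthentication no' > "$tmp/after"

echo "before: $(diagnose "$tmp/ssh-v.log" "$tmp/before")"
echo "after:  $(diagnose "$tmp/ssh-v.log" "$tmp/after")"
```

Because command-line options are parsed before either config file, `ssh -o GSSAPIAuthentication=no 192.168.1.228` applies the same setting to a single connection, which confirms the cause before any file is edited.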

Copying again:

[oracle@service1 ~]$ scp -rp /home/oracle/xtt2/ 192.168.1.228:/home/oracle/
oracle@192.168.1.228's password: 
rman-xttconvert_2.0.zip        100%   26KB  26.3KB/s   00:00
xttcnvrtbkupdest.sql           100% 1390     1.4KB/s   00:00
xttdriver.pl                   100%   90KB  89.6KB/s   00:00
xttdbopen.sql                  100%   71     0.1KB/s   00:00
xtt.properties                 100%  251     0.3KB/s   00:00
xttstartupnomount.sql          100%   52     0.1KB/s   00:00
xttprep.tmpl