1. First, use ssh to debug the sshd service; it prints the following output:

[root@fnw ~]# ssh -v root@192.168.1.131

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 56: Applying options for *

debug1: Connecting to 192.168.1.131 [192.168.1.131] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: SELinux support enabled

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_rsa-cert type -1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: identity file /root/.ssh/id_dsa-cert type -1

debug1: identity file /root/.ssh/id_ecdsa type -1

debug1: identity file /root/.ssh/id_ecdsa-cert type -1

debug1: identity file /root/.ssh/id_ed25519 type -1

debug1: identity file /root/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1

debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none

debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none

debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16

debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA 14:ec:5c:f5:36:8b:30:f1:9d:50:4c:41:01:f2:ef:5a

The authenticity of host '192.168.1.131 (192.168.1.131)' can't be established.

ECDSA key fingerprint is 14:ec:5c:f5:36:8b:30:f1:9d:50:4c:41:01:f2:ef:5a.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.1.131' (ECDSA) to the list of known hosts.

debug1: ssh_ecdsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Next authentication method: gssapi-keyex

debug1: No valid Key exchange context

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure.  Minor code may provide more information

No Kerberos credentials available


debug1: Unspecified GSS failure.  Minor code may provide more information

No Kerberos credentials available


debug1: Unspecified GSS failure.  Minor code may provide more information



debug1: Unspecified GSS failure.  Minor code may provide more information

No Kerberos credentials available


debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/id_rsa

debug1: Trying private key: /root/.ssh/id_dsa

debug1: Trying private key: /root/.ssh/id_ecdsa

debug1: Trying private key: /root/.ssh/id_ed25519

debug1: Next authentication method: password

root@192.168.1.131's password: 

debug1: Authentication succeeded (password).

Authenticated to 192.168.1.131 ([192.168.1.131]:22).

debug1: channel 0: new [client-session]

debug1: Requesting no-more-sessions@openssh.com

debug1: Entering interactive session.

debug1: Sending environment.

debug1: Sending env LANG = en_US.UTF-8

Last login: Fri Apr  1 09:13:02 2016 from 192.168.1.197


Edit the sshd configuration file /etc/ssh/sshd_config: set UseDNS to no and set GSSAPIAuthentication to no.

[root@bogon ~]# egrep -i 'UseDNS|GSSAPIAuthentication' /etc/ssh/sshd_config 

GSSAPIAuthentication no

UseDNS no
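
The egrep above also matches commented-out and duplicate lines, whereas sshd uses the first uncommented value it reads for each keyword. The following added example (not from the original page; the function names and the sample config are constructed) reports the value that takes effect in the global section:

```sh
#!/bin/sh
# effective_sshd_opt FILE KEYWORD
# Prints the first uncommented value of KEYWORD (lower-cased), or "unset".
# Only the global section is read; a Match block may still override it per user/host.
effective_sshd_opt() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # leading indentation
            if (line == "" || line ~ /^#/) next    # blank line or comment
            n = match(line, /[ \t=]/)              # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))  # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit               # global section ends here
            if (key == want) { print tolower(val); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_login_delay_opts FILE
# Prints both settings; returns 0 only when each is explicitly "no".
check_login_delay_opts() {
    rc=0
    for opt in UseDNS GSSAPIAuthentication; do
        val=$(effective_sshd_opt "$1" "$opt")
        printf '%s %s\n' "$opt" "$val"
        [ "$val" = "no" ] || rc=1
    done
    return "$rc"
}

# Constructed sample config: egrep -i would list every one of these option lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#UseDNS no
usedns yes
UseDNS no
GSSAPIAuthentication=no
Match User backup
    GSSAPIAuthentication yes
EOF
check_login_delay_opts "$sample" || echo "review: a lookup-triggering option is still active"
rm -f "$sample"
```

On a live host, sshd -T prints the effective configuration as the daemon itself parses it.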


Below is the debug output after changing the sshd configuration file; notice that it is much shorter:

[root@fnw ~]# ssh -v root@192.168.1.131

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 56: Applying options for *

debug1: Connecting to 192.168.1.131 [192.168.1.131] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_rsa-cert type -1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: identity file /root/.ssh/id_dsa-cert type -1

debug1: identity file /root/.ssh/id_ecdsa type -1

debug1: identity file /root/.ssh/id_ecdsa-cert type -1

debug1: identity file /root/.ssh/id_ed25519 type -1

debug1: identity file /root/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1

debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none

debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none

debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16

debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA 14:ec:5c:f5:36:8b:30:f1:9d:50:4c:41:01:f2:ef:5a

debug1: Host '192.168.1.131' is known and matches the ECDSA host key.

debug1: Found key in /root/.ssh/known_hosts:1

debug1: ssh_ecdsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/id_rsa

debug1: Trying private key: /root/.ssh/id_dsa

debug1: Trying private key: /root/.ssh/id_ecdsa

debug1: Trying private key: /root/.ssh/id_ed25519

debug1: Next authentication method: password

root@192.168.1.131's password: 

debug1: Authentication succeeded (password).

Authenticated to 192.168.1.131 ([192.168.1.131]:22).

debug1: channel 0: new [client-session]

debug1: Requesting no-more-sessions@openssh.com



A brief explanation of the two options, UseDNS and GSSAPIAuthentication:

UseDNS no

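When a user logs in, OpenSSH verifies the client IP: it does a reverse DNS lookup on the user's IP to find the hostname, then a forward DNS lookup on that hostname to find its IP address, and finally checks whether the result matches the IP the login came from. If the client's IP has no domain name, or the DNS server is slow or unreachable, login takes a long time.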

GSSAPIAuthentication no

To disable it for a single login from the client side, use ssh -o GSSAPIAuthentication=no user@server.

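GSSAPI (Generic Security Services Application Programming Interface) is a generic network security interface similar to Kerberos 5. It wraps the various client-server security mechanisms in one interface to hide their differences and make programming easier. However, it causes problems when the target machine has no name resolution: strace shows that after verifying the key, ssh performs authentication gssapi-with-mic, at which point it first connects to the DNS server and only then carries on with the remaining steps.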
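
Both the UseDNS check and the gssapi-with-mic step described above block on DNS, and either stall shows up as a gap between two client debug lines. The following added example (not from the original page; the function names and all timestamps are constructed) reports which debug line the client was waiting after:

```sh
#!/bin/sh
# Input: one "EPOCH_SECONDS debug-line" per line. One way to capture it (GNU date):
#   ssh -v user@server 2>&1 | while IFS= read -r l; do
#       printf '%s %s\n' "$(date +%s.%N)" "$l"; done

# slow_steps MIN_SECONDS < timestamped-log
# Prints "<gap>\t<line the client was waiting after>" for every gap >= MIN_SECONDS.
# The wait after "Next authentication method: password" is skipped because it is
# the time spent typing the password, not a lookup.
slow_steps() {
    awk -v min="$1" '
        NF < 2 { next }                        # blank or malformed line
        {
            ts = $1 + 0
            text = $0
            sub(/^[^ ]+ +/, "", text)          # drop the timestamp column
            gap = ts - prev_ts
            if (seen && gap >= min + 0 && prev !~ /authentication method: password/)
                printf "%.1f\t%s\n", gap, prev
            prev_ts = ts; prev = text; seen = 1
        }
    '
}

# Constructed timestamps placed on debug lines of the kind shown in the first trace.
sample_log() {
cat <<'EOF'
1459473182.11 debug1: Next authentication method: gssapi-keyex
1459473182.12 debug1: No valid Key exchange context
1459473182.12 debug1: Next authentication method: gssapi-with-mic
1459473192.15 debug1: Unspecified GSS failure.  Minor code may provide more information
1459473192.16 debug1: Next authentication method: publickey
1459473192.20 debug1: Next authentication method: password
1459473203.90 debug1: Authentication succeeded (password).
EOF
}

sample_log | slow_steps 1
```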