诊断并解决 SSH 连接慢的方法

每次PuTTY使用SSH登录到远程的Linux进行管理的时候，远程登录的过程都非常慢——输入完用户名之后，非要等到30秒左右才会出来输入密码的提示。在实际处理问题的时候，特别需要快速响应的时候，这种状况着实让人难以忍受。

但后来具体测试了一下，发现这又并非是每种系统的通病，出现问题的机器主要集中的CentOS上，同样的Debian系统，在远程连接的过程就是健步如飞，丝毫没有卡顿犹豫的感觉。这难道是CentOS的问题？

出于好奇，查看了下两个系统在SSH时的差别

CentOS：

1. <span class="pln">ssh </span><span class="pun">-</span><span class="pln">v ssh_test@192</span><span class="pun">.</span><span class="lit">168.128</span><span class="pun">.</span><span class="lit">137</span>

SSH远程登录的时候显示的信息如下：

1. <span class="typ">OpenSSH_6</span><span class="pun">.</span><span class="lit">0p1</span><span class="typ">Debian</span><span class="pun">-</span><span class="lit">4</span><span class="pun">,</span><span class="typ">OpenSSL</span><span class="lit">1.0</span><span class="pun">.</span><span class="lit">1e</span><span class="lit">11</span><span class="typ">Feb</span><span class="lit">2013</span>
2. <span class="pun">...</span><span class="typ">Some</span><span class="pln"> sensitive information</span><span class="pun">...</span>
3. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Remote</span><span class="pln"> protocol version </span><span class="lit">2.0</span><span class="pun">,</span><span class="pln"> remote software version </span><span class="typ">OpenSSH_5</span><span class="pun">.</span><span class="lit">3</span>
4. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> match</span><span class="pun">:</span><span class="typ">OpenSSH_5</span><span class="pun">.</span><span class="lit">3</span><span class="pln"> pat </span><span class="typ">OpenSSH_5</span><span class="pun">*</span>
5. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Enabling</span><span class="pln"> compatibility mode </span><span class="kwd">for</span><span class="pln"> protocol </span><span class="lit">2.0</span>
6. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Local</span><span class="pln"> version </span><span class="kwd">string</span><span class="pln"> SSH</span><span class="pun">-</span><span class="lit">2.0</span><span class="pun">-</span><span class="typ">OpenSSH_6</span><span class="pun">.</span><span class="lit">0p1</span><span class="typ">Debian</span><span class="pun">-</span><span class="lit">4</span>
7. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_KEXINIT sent</span>
8. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_KEXINIT received</span>
9. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> kex</span><span class="pun">:</span><span class="pln"> server</span><span class="pun">-></span><span class="pln">client aes128</span><span class="pun">-</span><span class="pln">ctr hmac</span><span class="pun">-</span><span class="pln">md5 none</span>
10. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> kex</span><span class="pun">:</span><span class="pln"> client</span><span class="pun">-></span><span class="pln">server aes128</span><span class="pun">-</span><span class="pln">ctr hmac</span><span class="pun">-</span><span class="pln">md5 none</span>
11. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_KEX_DH_GEX_REQUEST</span><span class="pun">(</span><span class="lit">1024</span><span class="pun"><</span><span class="lit">1024</span><span class="pun"><</span><span class="lit">8192</span><span class="pun">)</span><span class="pln"> sent</span>
12. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> expecting SSH2_MSG_KEX_DH_GEX_GROUP</span>
13. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_KEX_DH_GEX_INIT sent</span>
14. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> expecting SSH2_MSG_KEX_DH_GEX_REPLY</span>
15. <span class="pun">...</span><span class="typ">Some</span><span class="pln"> sensitive information</span><span class="pun">...</span>
16. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> ssh_rsa_verify</span><span class="pun">:</span><span class="pln"> signature correct</span>
17. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_NEWKEYS sent</span>
18. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> expecting SSH2_MSG_NEWKEYS</span>
19. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_NEWKEYS received</span>
20. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Roaming</span><span class="kwd">not</span><span class="pln"> allowed </span><span class="kwd">by</span><span class="pln"> server</span>
21. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_SERVICE_REQUEST sent</span>
22. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_SERVICE_ACCEPT received</span>
23. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Authentications</span><span class="pln"> that can </span><span class="kwd">continue</span><span class="pun">:</span><span class="pln"> publickey</span><span class="pun">,</span><span class="pln">gssapi</span><span class="pun">-</span><span class="pln">keyex</span><span class="pun">,</span><span class="pln">gssapi</span><span class="pun">-</span><span class="kwd">with</span><span class="pun">-</span><span class="pln">mic</span><span class="pun">,</span><span class="pln">password</span>
24. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> gssapi</span><span class="pun">-</span><span class="pln">keyex</span>
25. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">No</span><span class="pln"> valid </span><span class="typ">Key</span><span class="pln"> exchange context</span>
26. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> gssapi</span><span class="pun">-</span><span class="kwd">with</span><span class="pun">-</span><span class="pln">mic</span>
27. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
28. <span class="typ">Cannot</span><span class="pln"> determine realm </span><span class="kwd">for</span><span class="pln"> numeric host address</span>
29. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
30. <span class="typ">Cannot</span><span class="pln"> determine realm </span><span class="kwd">for</span><span class="pln"> numeric host address</span>
31. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
32. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
33. <span class="typ">Cannot</span><span class="pln"> determine realm </span><span class="kwd">for</span><span class="pln"> numeric host address</span>
34. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> publickey</span>
35. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Trying</span><span class="kwd">private</span><span class="pln"> key</span><span class="pun">:</span><span class="str">/home/</span><span class="pln">mitchellchu</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span>
36. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Trying</span><span class="kwd">private</span><span class="pln"> key</span><span class="pun">:</span><span class="str">/home/</span><span class="pln">mitchellchu</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_dsa</span>
37. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Trying</span><span class="kwd">private</span><span class="pln"> key</span><span class="pun">:</span><span class="str">/home/</span><span class="pln">mitchellchu</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ecdsa</span>
38. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> password</span>

而Debian使用同样的命令测试的结果为：

1. <span class="typ">OpenSSH_6</span><span class="pun">.</span><span class="lit">0p1</span><span class="typ">Debian</span><span class="pun">-</span><span class="lit">4</span><span class="pun">,</span><span class="typ">OpenSSL</span><span class="lit">1.0</span><span class="pun">.</span><span class="lit">1e</span><span class="lit">11</span><span class="typ">Feb</span><span class="lit">2013</span>
2. <span class="pun">...</span><span class="typ">Some</span><span class="pln"> sensitive information</span><span class="pun">...</span>
3. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Remote</span><span class="pln"> protocol version </span><span class="lit">2.0</span><span class="pun">,</span><span class="pln"> remote software version </span><span class="typ">OpenSSH_6</span><span class="pun">.</span><span class="lit">0p1</span><span class="typ">Debian</span><span class="pun">-</span><span class="lit">4</span>
4. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> match</span><span class="pun">:</span><span class="typ">OpenSSH_6</span><span class="pun">.</span><span class="lit">0p1</span><span class="typ">Debian</span><span class="pun">-</span><span class="lit">4</span><span class="pln"> pat </span><span class="typ">OpenSSH</span><span class="pun">*</span>
5. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Enabling</span><span class="pln"> compatibility mode </span><span class="kwd">for</span><span class="pln"> protocol </span><span class="lit">2.0</span>
6. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Local</span><span class="pln"> version </span><span class="kwd">string</span><span class="pln"> SSH</span><span class="pun">-</span><span class="lit">2.0</span><span class="pun">-</span><span class="typ">OpenSSH_6</span><span class="pun">.</span><span class="lit">0p1</span><span class="typ">Debian</span><span class="pun">-</span><span class="lit">4</span>
7. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_KEXINIT sent</span>
8. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_KEXINIT received</span>
9. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> kex</span><span class="pun">:</span><span class="pln"> server</span><span class="pun">-></span><span class="pln">client aes128</span><span class="pun">-</span><span class="pln">ctr hmac</span><span class="pun">-</span><span class="pln">md5 none</span>
10. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> kex</span><span class="pun">:</span><span class="pln"> client</span><span class="pun">-></span><span class="pln">server aes128</span><span class="pun">-</span><span class="pln">ctr hmac</span><span class="pun">-</span><span class="pln">md5 none</span>
11. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> sending SSH2_MSG_KEX_ECDH_INIT</span>
12. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> expecting SSH2_MSG_KEX_ECDH_REPLY</span>
13. <span class="pun">...</span><span class="typ">Some</span><span class="pln"> sensitive information</span><span class="pun">...</span>
14. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> ssh_ecdsa_verify</span><span class="pun">:</span><span class="pln"> signature correct</span>
15. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_NEWKEYS sent</span>
16. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> expecting SSH2_MSG_NEWKEYS</span>
17. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_NEWKEYS received</span>
18. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Roaming</span><span class="kwd">not</span><span class="pln"> allowed </span><span class="kwd">by</span><span class="pln"> server</span>
19. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_SERVICE_REQUEST sent</span>
20. <span class="pln">debug1</span><span class="pun">:</span><span class="pln"> SSH2_MSG_SERVICE_ACCEPT received</span>
21. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Authentications</span><span class="pln"> that can </span><span class="kwd">continue</span><span class="pun">:</span><span class="pln"> publickey</span><span class="pun">,</span><span class="pln">password</span>
22. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> publickey</span>
23. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Trying</span><span class="kwd">private</span><span class="pln"> key</span><span class="pun">:</span><span class="str">/home/</span><span class="pln">mitchellchu</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span>
24. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Trying</span><span class="kwd">private</span><span class="pln"> key</span><span class="pun">:</span><span class="str">/home/</span><span class="pln">mitchellchu</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_dsa</span>
25. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Trying</span><span class="kwd">private</span><span class="pln"> key</span><span class="pun">:</span><span class="str">/home/</span><span class="pln">mitchellchu</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ecdsa</span>
26. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> password</span>

从上面可以看到，在CentOS中，系统使用了publickey，gssapi-keyex，gssapi-with-mic，和password来进行认证（上面颜色标记行，23行），而Debian此时则使用了Publickey和password两种。在连接CentOS的时候，在23行处花费了相当多的时间。我们在那里开始往下看，就能非常清楚的看到下面的信息：

1. <span class="com">#下面使用的是GSSAPI-KEYEX来进行验证</span>
2. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> gssapi</span><span class="pun">-</span><span class="pln">keyex</span>
3. <span class="com">#但是报错：没有可用的Key来交换信息</span>
4. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">No</span><span class="pln"> valid </span><span class="typ">Key</span><span class="pln"> exchange context</span>
5. <span class="com">#系统接着又使用下一个验证方法：GSSAPI-WITH-MIC</span>
6. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> gssapi</span><span class="pun">-</span><span class="kwd">with</span><span class="pun">-</span><span class="pln">mic</span>
7. <span class="com">#但遗憾的是，GSSAPI-WITH-MIC方法也失败。</span>
8. <span class="com">#原因：不能确定数字主机地址的域</span>
9. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
10. <span class="typ">Cannot</span><span class="pln"> determine realm </span><span class="kwd">for</span><span class="pln"> numeric host address</span>
11. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
12. <span class="typ">Cannot</span><span class="pln"> determine realm </span><span class="kwd">for</span><span class="pln"> numeric host address</span>
13. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
14. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
15. <span class="typ">Cannot</span><span class="pln"> determine realm </span><span class="kwd">for</span><span class="pln"> numeric host address</span>
16. <span class="com"># 在尝试几次后，SSH认证终于放弃了这种验证。进入下一个验证：Publickey</span>
17. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> publickey</span>

除了这个方法还有其他方法么？这个自然是有的，CentOS其实就已经提供给我们一个解决方案了——使用ssh远程登录的时候禁用GSSAPI验证。当然，还有一个问题不得不注意，如果你的机器上启用了UseDNS的话，需要一并关闭，具体可参见最后的说明。

从错误可以看出应该是和主机域相关的问题——应该是无法确认IP对应的域，因此会出现这个问题。GSSAPI主要是基于Kerberos的，因此要解决这个问题也就变得要系统配置有Kerberos，这对于没有Kerberos的筒子们来说，配置个Kerberos就为了解决个登录延时问题，似乎不是个明智的决定——特别是在生产环境中！最小化满足需求才是王道。

下面先放出处理GSSAPI的方法

禁用GSSAPI认证有两个方式：客户端和服务端

1. 客户端禁用

比较简单，影响的只有单个客户端用户，可以用下面的方法实现：

1. <span class="pln">ssh </span><span class="pun">-</span><span class="pln">o </span><span class="typ">GSSAPIAuthentication</span><span class="pun">=</span><span class="kwd">no</span><span class="pln"> your</span><span class="pun">-</span><span class="pln">server</span><span class="pun">-</span><span class="pln">username@serverIP</span>

用上面的方法登录远程，即可实现禁用GSSAPIAuthentication。

如果你嫌麻烦，直接配置你ssh客户端的文件/etc/ssh/ssh_config来达到永久解决这个问题：

1. <span class="pln">vi </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">ssh_config</span>
2. <span class="com">### 找到ssh_config文件里面的GSSAPIAuthentication yes这行</span>
3. <span class="com">### 修改为GSSAPIAuthentication no</span>
4. <span class="com">### 保存ssh_config文件并退出</span>

这个修改方法是将所有这个机器上的用户都影响到了，如果你影响面不要那么的广泛，只要在指定的用户上实施禁用GSSAPIAuthentication的话，那么你可以在该用户的目录下，找到.ssh目录，在其下面添加config文件，并在文件内添加上面这句，如果没有这个文件，你也可以直接这么做：

1. <span class="pln">cat </span><span class="pun">>>~</span><span class="str">/.ssh/</span><span class="pln">config</span><span class="pun"><<</span><span class="pln">EOF</span>
2. <span class="typ">GSSAPIAuthentication</span><span class="kwd">no</span>
3. <span class="pln">EOF</span>

使用cat，直接将输入导出到文件中，这时候，你在使用ssh连接远程的目标主机时，就不会再使用GSSAPI认证了。

上面这些文件是在客户端，不是服务端的。也就是说，要修改这个文件，你的客户端也要是Linux才行。

如果你是在Windows下使用PuTTY这样的客户端工具，就不使用上面这个方法了，PuTTY下可以尝试在连接之前进行设置：

PuTTY Configuration -> Connection -> SSH -> Auth -> GSSAPI -> (取消勾选)Attempt GSSAPI authentication(SSH-2 only)

如果没有关闭PuTTY的GSSAPIAuthentication，你可以在连接的窗口右键（或：Ctrl + 右键）查看日志，可以发现PuTTY会自动尝试GSSAPI连接的日志：

1. <span class="lit">2014</span><span class="pun">-</span><span class="lit">05</span><span class="pun">-</span><span class="lit">18</span><span class="lit">23</span><span class="pun">:</span><span class="lit">46</span><span class="pun">:</span><span class="lit">54</span><span class="typ">Using</span><span class="pln"> SSPI </span><span class="kwd">from</span><span class="pln"> SECUR32</span><span class="pun">.</span><span class="pln">DLL</span>
2. <span class="lit">2014</span><span class="pun">-</span><span class="lit">05</span><span class="pun">-</span><span class="lit">18</span><span class="lit">23</span><span class="pun">:</span><span class="lit">46</span><span class="pun">:</span><span class="lit">54</span><span class="typ">Attempting</span><span class="pln"> GSSAPI authentication</span>
3. <span class="lit">2014</span><span class="pun">-</span><span class="lit">05</span><span class="pun">-</span><span class="lit">18</span><span class="lit">23</span><span class="pun">:</span><span class="lit">46</span><span class="pun">:</span><span class="lit">54</span><span class="pln"> GSSAPI authentication request refused</span>

恩，上面基本上将客户端禁止GSSAPIAuthentication的方法罗列了一下。

注意：上面这些方法是比较通用的。

2、如果你已经配置了Kerberos的情况下

那么你也可以尝试下如下的客户端解决这个问题的方法：

添加远程主机的主机名到你本机的host文件中（Linux是/etc/hosts，Windows是系统盘:\Windows\System32\drivers\etc\hosts）。Linux和Windows下都可以添加下面这行。

1. <span class="com">### 注意：下面这样的IP-Addr要替换成你的远程机器的IP地址，HostName，自然是主机名</span><br><span class="pln">IP</span><span class="pun">-</span><span class="typ">Addr</span><span class="typ">HostName</span>

添加完毕之后，保存退出。

如果你没有配置Kerberos的话，仅配置这个hosts文件一样是不能解决问题的，在使用ssh登录的时候，你可以看到报错日志会类似下面这样：

1. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Authentications</span><span class="pln"> that can </span><span class="kwd">continue</span><span class="pun">:</span><span class="pln"> publickey</span><span class="pun">,</span><span class="pln">gssapi</span><span class="pun">-</span><span class="pln">keyex</span><span class="pun">,</span><span class="pln">gssapi</span><span class="pun">-</span><span class="kwd">with</span><span class="pun">-</span><span class="pln">mi</span>
2. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> gssapi</span><span class="pun">-</span><span class="pln">keyex</span>
3. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">No</span><span class="pln"> valid </span><span class="typ">Key</span><span class="pln"> exchange context</span>
4. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> gssapi</span><span class="pun">-</span><span class="kwd">with</span><span class="pun">-</span><span class="pln">mic</span>
5. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
6. <span class="typ">Credentials</span><span class="pln"> cache file </span><span class="str">'/tmp/krb5cc_0'</span><span class="kwd">not</span><span class="pln"> found</span>
7. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
8. <span class="typ">Credentials</span><span class="pln"> cache file </span><span class="str">'/tmp/krb5cc_0'</span><span class="kwd">not</span><span class="pln"> found</span>
9. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
10. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Unspecified</span><span class="pln"> GSS failure</span><span class="pun">.</span><span class="typ">Minor</span><span class="pln"> code may provide more information</span>
11. <span class="typ">Credentials</span><span class="pln"> cache file </span><span class="str">'/tmp/krb5cc_0'</span><span class="kwd">not</span><span class="pln"> found</span>
12. <span class="pln">debug1</span><span class="pun">:</span><span class="typ">Next</span><span class="pln"> authentication method</span><span class="pun">:</span><span class="pln"> publickey</span>

这个错误我在刚开始的时候也犯了的，需要注意。

3、服务端禁用GSSAPIAuthentication。

直接到/etc/ssh/sshd_config里面，将GSSAPIAuthentication yes改为no即可了，同时也请注意，你可能也需要将UseDNS这个也修改成UseDNS no（这个要注意，每个系统的默认值不同，此处以CentOS 6为例）：

1. <span class="pln">sudo vi </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">sshd_config</span>
2. <span class="com">### 普通用户权限不够，需要root权限</span>
3. <span class="com">### 找到GSSAPIAuthentication yes，修改为</span>
4. <span class="com">### GSSAPIAuthentication no</span>
5. <span class="com">### 注意，这里你也需要将UseDNS修改为no，CentOS默认是yes，即使这行已被注释，你也需要加上</span>
6. <span class="com">### UseDNS no</span>
7. <span class="com">### 有看到人说UseDNS yes不需要修改为UseDNS no，Mitchell测试下来是需要的。</span>
8. <span class="com">### 保存文件，退出</span>

当禁用之后，我们需要重启SSH服务来保证新的配置文件被正确应用：

1. <span class="pln">service sshd restart</span>

这个时候，再次使用SSH登录这个主机时，是不是感觉飞快了？

呼～ 终于完成了这篇长文，要一边捣腾一边弄出这些个文字，还是真是有点困难。不过，这样也就将问题捣腾的差不多了，希望看文章的你能够看的明白，欢迎讨论。 

说明：

1. GSSAPI：Generic Security Services Application Program Interface，GSSAPI本身是一套API，由IETF标准化。其最主要也是著名的实现是基于Kerberos的。一般说到GSSAPI都暗指Kerberos实现。

2. UseDNS：是OpenSSH服务器上的一个DNS查找选项，而且默认还是打开的，在打开的状态下，每当客户端尝试连接OpenSSH服务器的时候，服务端就自动根据用户客户端的IP进行DNS PTR反向查询（IP反向解析才会有记录），查询出IP对应的Hostname，之后在根据客户端的Hostname进行DNS正向A记录查询。通过这个查询，验证IP是否和连接的客户端IP一致。但绝大部分我们的机器是动态获取IP的，也就是说，这个选项对于这种情况根本就没用——即使是普通静态IP服务器，只要没有做IP反向解析，也难以适用。如果你符合这些情况，建议关闭UseDNS以提高SSH远程登录时候的认证速度。