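Two options are mainly responsible:
UseDNS no|yes When enabled, the host tries to resolve the source IP address.
GSSAPIAuthentication no | yes
When enabled, SSH tries GSSAPI authentication first. Because the host
has no such authentication set up, the login has to wait until that attempt
fails before it falls back to SSH's own authentication methods.
The fix is as follows
Edit /etc/ssh/sshd_config
Before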
UseDNS yes
GSSAPIAuthentication yes
Change to
UseDNS no
GSSAPIAuthentication no
Save the settings, then restart the ssh service
service sshd restart
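A check for the two settings above, as an added example that is not part of the original post: it reads an sshd_config-style file and lists which of UseDNS and GSSAPIAuthentication are still set to yes globally. The function names and the sample file are constructed for illustration; the script relies on sshd's rule that the first occurrence of a keyword wins, and it ignores everything from the first Match block onward.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original post).

# Print the global value of keyword $2 in config file $1.
# Keywords are case-insensitive and the first occurrence wins.
# Parsing stops at the first Match block, whose settings are conditional.
sshd_global_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, f, /[ \t=]+/)      # accepts "Key value" and "Key=value"
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want) { print tolower(f[2]); exit }
        }
    ' "$1"
}

# Print each of the two options discussed above that is still "yes".
# An option missing from the file prints nothing: the compiled-in default
# applies and cannot be read from the file.
slow_login_options() {
    for opt in UseDNS GSSAPIAuthentication; do
        val=$(sshd_global_value "$1" "$opt")
        [ "$val" = "yes" ] && echo "$opt"
    done
    return 0
}

# Constructed sample configuration, not taken from a real host.
make_sample() {
    cat > "$1" <<'EOF'
Port 22
#UseDNS no
usedns yes
GSSAPIAuthentication no
GSSAPIAuthentication yes
Match User backup
    GSSAPIAuthentication yes
EOF
}

# Demo run against the constructed sample.
demo=$(mktemp)
make_sample "$demo"
echo "Still enabled: $(slow_login_options "$demo")"
rm -f "$demo"
```

On a live host, sshd -T prints the effective configuration including compiled-in defaults, which this file-only check cannot see.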
Additional notes
GSSAPI stands for Generic Security Services API.
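GSSAPI is an IETF standard for strong encrypted authentication in network-based applications. OpenSSH uses this API and the underlying Kerberos protocol to provide authentication.
So when you run ssh -v user@hostip you will see the messages below.
In total there are
four authentication methods: publickey, gssapi-keyex, gssapi-with-mic and password. However, gssapi-keyex is tried first, then gssapi-with-mic, then publickey, and password authentication comes last. That is why
it takes so long at login before the password prompt appears.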
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password