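Does anyone know what causes SSH to be slow in sending the version string?
I have the same client and the same server machine.
When the client connects through network 1, the ping time to the server is about 6 ms, but time ssh server exit takes about 5 seconds. When the client connects through network 2, the ping time to the server is about 60 ms, but time ssh server exit takes less than 1 second.
When connected to network 1, the client is only one router away from the server (at least that is what traceroute shows). When connected to network 2, the client is about 20 routers away from the server (traceroute shows that it will eventually go through that router).
When connected to network 1, ssh -vvv server shows that the delay is actually between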
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/hongce/.ssh/config
debug1: /home/hongce/.ssh/config line 61: Applying options for xxx
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "XXXX.XXXX.XXXX" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to XXXX.XXXX.XXXX [XXX.XXX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /home/hongce/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/hongce/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hongce/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hongce/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hongce/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hongce/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hongce/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hongce/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
and
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.10
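As you can see, it is after the connection has been established. (I replaced the server's domain name and IP address in the messages above with XXXX.)
On the server side, setting UseDNS to no does not noticeably reduce the ssh latency (but I think it does take effect, because subsequent logins no longer show the domain name and only show the IP of the previous login source).
So my question is: what could cause the delay in sending the version string when connecting through the faster network?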
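Answer 1
I seem to have found the answer.
I eventually got into sshd, and by looking at the system call trace I found that while the client was waiting for the version string, the forked sshd child process was waiting on read, and 6 is associated with avahi-daemon, as the trace shows.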
...
[pid 5651] close(6) = 0
[pid 5651] mprotect(0x7f1e081b4000, 4096, PROT_READ) = 0
[pid 5651] munmap(0x7f1e0b773000, 146949) = 0
[pid 5651] socket(PF_FILE, SOCK_STREAM, 0) = 6
[pid 5651] fcntl(6, F_GETFD) = 0
[pid 5651] fcntl(6, F_SETFD, FD_CLOEXEC) = 0
[pid 5651] connect(6, {sa_family=AF_FILE, path="/var/run/avahi-daemon/socket"}, 110) = 0
[pid 5651] fcntl(6, F_GETFL) = 0x2 (flags O_RDWR)
[pid 5651] fstat(6, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
[pid 5651] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1e0b7c3000
[pid 5651] lseek(6, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
[pid 5651] write(6, "RESOLVE-ADDRESS 10.6.62.19\n", 27) = 27
[pid 5651] read(6,
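Googling gives the following:
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.
Since I don't need it at all, I turned it off.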
sudo service avahi-daemon stop
Problem solved.
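The diagnosis in Answer 1, as an added example that is not part of the original post: a small parser that walks strace output, tracks what each descriptor was connected to, and reports calls that never returned. The function name blocked_calls is hypothetical, the sample lines are copied from the trace above, and the handling of strace's "<unfinished ...>" / "resumed" markers goes beyond what that trace shows.

```python
import re

# Trace lines copied from the answer above (strace -f output of the sshd child).
TRACE = r"""[pid 5651] close(6) = 0
[pid 5651] socket(PF_FILE, SOCK_STREAM, 0) = 6
[pid 5651] fcntl(6, F_SETFD, FD_CLOEXEC) = 0
[pid 5651] connect(6, {sa_family=AF_FILE, path="/var/run/avahi-daemon/socket"}, 110) = 0
[pid 5651] write(6, "RESOLVE-ADDRESS 10.6.62.19\n", 27) = 27
[pid 5651] read(6,
"""

CALL = re.compile(r'(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*?)(?:\)\s+=\s+(\S+).*)?$')
RESUMED = re.compile(r'(?:\[pid\s+(\d+)\]\s+)?<\.\.\. \w+ resumed>')

def blocked_calls(trace):
    """Return [(pid, syscall, fd, peer)] for calls that never returned."""
    fds = {}      # (pid, fd) -> what the descriptor is connected to
    pending = {}  # pid -> call still in progress when the trace ends
    for line in trace.splitlines():
        line = line.strip()
        m = RESUMED.match(line)
        if m:                      # an earlier unfinished call completed
            pending.pop(m.group(1) or "main", None)
            continue
        m = CALL.match(line)
        if not m:
            continue
        pid, name, args, ret = m.group(1) or "main", m.group(2), m.group(3), m.group(4)
        first = args.split(",")[0].strip()
        fd = int(first) if first.isdigit() else None
        if ret is None:            # no " = <ret>": the call has not returned
            pending[pid] = (pid, name, fd, fds.get((pid, fd), "unknown"))
            continue
        pending.pop(pid, None)
        if name == "socket" and ret.isdigit():
            fds[(pid, int(ret))] = "unconnected socket"
        elif name == "connect" and fd is not None:
            path = re.search(r'path="([^"]*)"', args)
            fds[(pid, fd)] = path.group(1) if path else args
        elif name == "close":
            fds.pop((pid, fd), None)
    return list(pending.values())

if __name__ == "__main__":
    for pid, name, fd, peer in blocked_calls(TRACE):
        print(f"pid {pid} blocked in {name}() on fd {fd} -> {peer}")
```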