I recently ran into a rather frustrating problem.
Environment: access over VPN; the server only accepts OpenSSH with the SSH2 protocol,
and the connection goes through the VPN.
Connecting to the remote server with PuTTY works fine.
Connecting with SecureCRT frequently fails (same environment, same target address).
Symptom: the connection is in progress, then after a moment it is simply closed.
Trace Options shows the following errors:
[LOCAL] : GSS : [Kerberos w/ Group Exchange] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos w/ Group Exchange] Ξ·¨????°??áa??£
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
I recently wandered over to the SecureCRT forum and finally found the official explanation:
What I think is happening is that you are authenticating using GSSAPI when key exchange takes place. That is, SSH2 has an optimization that allows it to bypass the normal authentication phase because everything it needs to authenticate you was exchanged during key exchange (when GSSAPI is used). This is why unchecking the GSSAPI method for authentication doesn't change the behavior for you (that step is being skipped).
If you want to stop using GSSAPI, exit SecureCRT and edit the .ini file for the session in question. Remove the "gss-group1-sha1-<...>" method from the "Key Exchange Algorithms" comma-separated list in that file. After you remove the method from the list, you should still have two methods in the list: "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1". That, in combination with unchecking the GSSAPI authentication method should prevent the DNS lookup.
There is also another solution that will avoid the DNS lookup: remove the "$(FQDN)" in the SPN (Server Principal Name) string of the GSSAPI settings. That is, edit the "Properties" of the GSSAPI authentication method, expose the "Advanced>>" settings of the dialog, and check the box to "Manually specify the SPN." In the edit box, enter a string like "host@<remote_hostname>" rather than the default of "host@$(FQDN)", where "<remote_hostname>" should be replaced with the full domain name of the remote host to which you are trying to connect. For example, if you are connecting to IP a.b.c.d for a remote host called machine.domain.com, then enter the string "host@machine.domain.com" in SPN edit box.
So, in short, the reason I think that the reverse lookup is being done is because the GSSAPI settings need to replace the $(FQDN) parameter with the fully-qualified domain name of the machine to which you are connecting. Removing the $(FQDN) parameter with one of the two above methods should solve the problem.
I took the simplest approach: I unchecked the GSSAPI option in the authentication section of Session Options. I retried the connection and the problem was solved.
Reference: http://forums.vandyke.com/showpost.php?p=2493&postcount=4
Appendix: Trace Options output captured when the problem occurred:
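The forum reply's second fix edits the session .ini by hand. The example below, added here and not from the original post or from VanDyke, shows where the odd "gss-...-toWM5Slw5Ew8Mqkay+al2g==" names in the trace come from (RFC 4462: base64 of the MD5 of the DER-encoded mechanism OID, Kerberos V5 here) and removes every gss-* method from a session file's "Key Exchange Algorithms" list. The `S:"Name"=value` line format and the sample session file are assumptions, not a real SecureCRT export.

```python
import base64
import hashlib
import re

# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2:
# tag 0x06 (OBJECT IDENTIFIER), length 9, then the encoded arcs.
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")


def gss_kex_method(base: str, mech_oid_der: bytes) -> str:
    """Build an RFC 4462 GSS key exchange method name.

    The name is the base ("gss-group1-sha1-", "gss-gex-sha1-", ...) followed
    by the base64 encoding of the MD5 digest of the mechanism OID's DER form.
    """
    digest = hashlib.md5(mech_oid_der).digest()
    return base + base64.b64encode(digest).decode("ascii")


def strip_gss_kex(kex_list: str) -> str:
    """Drop every gss-* method from a comma-separated key exchange list."""
    methods = [m.strip() for m in kex_list.split(",") if m.strip()]
    return ",".join(m for m in methods if not m.startswith("gss-"))


# Assumed line format of a SecureCRT session .ini entry (S:"Name"=value).
_KEX_LINE = re.compile(r'^(S:"Key Exchange Algorithms"=)(.*)$', re.MULTILINE)


def strip_gss_from_ini(ini_text: str) -> str:
    """Return the .ini text with GSS methods removed from the kex list."""
    return _KEX_LINE.sub(lambda m: m.group(1) + strip_gss_kex(m.group(2)), ini_text)


# Constructed sample session file, not a real SecureCRT export.
SAMPLE_INI = (
    'S:"Hostname"=1.1.1.1\n'
    'S:"Key Exchange Algorithms"='
    + gss_kex_method("gss-gex-sha1-", KRB5_MECH_OID_DER) + ","
    + gss_kex_method("gss-group1-sha1-", KRB5_MECH_OID_DER) + ","
    + "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\n"
)

if __name__ == "__main__":
    print(gss_kex_method("gss-gex-sha1-", KRB5_MECH_OID_DER))
    print(strip_gss_from_ini(SAMPLE_INI))
```

After the rewrite the list keeps exactly the two Diffie-Hellman methods the forum reply says should remain.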
SecureCRT - Version 6.2.0 (build 162)
[LOCAL] : SSH2Core version 6.2.0.162
[LOCAL] : Connecting to 1.1.1.1:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-X.X-OpenSSH_X.X'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@1.1.1.1
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos] Ξ·¨????°??áa??£
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos w/ Group Exchange] SPN : host@1.1.1.1
[LOCAL] : GSS : [Kerberos w/ Group Exchange] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos w/ Group Exchange] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos w/ Group Exchange] Ξ·¨????°??áa??£
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED
[LOCAL] : Connected for 120 seconds, 47 bytes sent, 804 bytes received
