Ubuntu
通過中間主機的 SSH 僅在 myuser@mymac 上失敗,但在其他地方有效
我無法在我的 macbook 上使用我的使用者通過 ssh 連接到我的數據中心節點之一。這是一個最近出現的問題,從幾週前開始就非常實用。
奇怪的是,這只會影響我電腦上的使用者,但我能夠從以下位置建立連接:
- 同一台機器上的不同使用者,使用相同的 ssh 密鑰並且沒有任何 .ssh/config 規則。
- 不同的伺服器,執行 macos 或 ubuntu,具有相同或不同的 ssh 密鑰。
在我的電腦中使用我的使用者名和相同的密鑰,我可以:
- 連接到網關主機
- 使用 VPN 直接連接到節點(不幸的是,這不是一個長期的解決方案)
我對這個錯誤感到很困惑。你能幫我定位問題嗎?
查看日誌,與網關的連接已建立,但無法連接到節點。在客戶端:
⌘ ~ ❯ ssh -v -J gatekeeper@gateway ubuntu@node -i ~/.ssh/id_rsa OpenSSH_7.3p1, LibreSSL 2.4.1 [...] debug1: Authentication succeeded (publickey). Authenticated to gateway ([35.156.248.245]:22). debug1: channel_connect_stdio_fwd node:22 debug1: channel 0: new [stdio-forward] debug1: getpeername failed: Bad file descriptor debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1 channel 0: open failed: connect failed: Connection timed out stdio forwarding failed ssh_exchange_identification: Connection closed by remote host
在網關端:
admin@gateway:~$ grep -e "\[7669\]" -e "\[7739\]" /var/log/auth.log Mar 13 11:01:20 gateway sshd[7669]: Set /proc/self/oom_score_adj to 0 Mar 13 11:01:20 gateway sshd[7669]: rexec line 32: Deprecated option PermitBlacklistedKeys Mar 13 11:01:20 gateway sshd[7669]: Connection from <laptop-out-ip> port 62113 on <gateway-ip> port 22 Mar 13 11:01:20 gateway sshd[7669]: Postponed publickey for gatekeeper from <laptop-out-ip> port 62113 ssh2 [preauth] Mar 13 11:01:20 gateway sshd[7669]: Accepted publickey for gatekeeper from <laptop-out-ip> port 62113 ssh2: RSA 8d:7e:9c:53:11:c9:4d:b3:67:7b:ae:04:03:8f:e2:71 Mar 13 11:01:20 gateway sshd[7669]: pam_unix(sshd:session): session opened for user gatekeeper by (uid=0) Mar 13 11:01:20 gateway sshd[7669]: User child is on pid 7739 Mar 13 11:03:27 gateway sshd[7739]: error: connect_to <node-ip> port 22: failed. Mar 13 11:03:28 gateway sshd[7739]: Connection closed by <laptop-out-ip> Mar 13 11:03:28 gateway sshd[7739]: Transferred: sent 2252, received 2864 bytes Mar 13 11:03:28 gateway sshd[7739]: Closing connection to <laptop-out-ip> port 62113 Mar 13 11:03:28 gateway sshd[7669]: pam_unix(sshd:session): session closed for user gatekeeper
在節點端,日誌中沒有條目。
網關上的 ssd_config:
# ssh service configuration AcceptEnv AddressFamily inet AllowAgentForwarding yes AllowGroups AllowTcpForwarding no AllowUsers gatekeeper AuthorizedKeysFile %h/.ssh/authorized_keys ChallengeResponseAuthentication no Ciphers aes128-ctr,aes192-ctr,aes256-ctr ClientAliveCountMax 3 ClientAliveInterval 15 Compression delayed DenyGroups DenyUsers GSSAPIAuthentication no GatewayPorts no HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostbasedAuthentication no KerberosAuthentication no ListenAddress 0.0.0.0:22 LogLevel VERBOSE LoginGraceTime 60 MaxAuthTries 6 MaxSessions 10 MaxStartups 30 PasswordAuthentication no PermitBlacklistedKeys no PermitRootLogin no PermitTunnel no PermitUserEnvironment no PidFile /var/run/sshd.pid PrintLastLog yes PrintMotd no Protocol 2 PubkeyAuthentication yes RSAAuthentication no RhostsRSAAuthentication no StrictModes yes SyslogFacility AUTH TCPKeepAlive yes UseDNS no UseLogin no UsePAM yes UsePrivilegeSeparation yes X11Forwarding no Match User gatekeeper AllowTcpForwarding yes AllowAgentForwarding no X11Forwarding no
最後,我已經能夠解決問題並確定問題的根源。我可以通過不採購 iterm2 shell 集成來使問題消失,或者只是將其更新到最新版本。這可能與使用fish shell有關。
我沒有深入研究這個問題,如果有人感興趣,請告訴我。
error: connect_to <node-ip> port 22: failed.
這看起來像埠轉發被配置中的
PermitOpen
選項禁用或限制sshd
。確保允許,如果不允許,請發布sshd_config
fromgateway
。