我从 11.04 升级到 11.10,升级完成后发现我无法再通过 ssh 连接到我经常使用的其他计算机。我检查了以下几点:
- Kerberos 身份验证工作正常,这不是问题。
- 我尝试重新启动并重新安装 ssh,但都没有帮助。
- 我尝试从我的笔记本电脑复制所有与 ssh 相关的文件(使用 11.04 中正常运行的 ssh)并替换我 11.10 故障操作系统上的内容,但这没有帮助。
我尝试删除 .ssh/known_hosts 文件。下次尝试时,我收到了有关首次连接某处的正常消息,但仍然被拒绝连接。
jason:~$ /usr/sbin/sshd -ddd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 682 debug2: parse_server_config: config /etc/ssh/sshd_config len 682 debug3: /etc/ssh/sshd_config:5 setting Port 22 debug3: /etc/ssh/sshd_config:9 setting Protocol 2 debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key debug3: /etc/ssh/sshd_config:13 setting HostKey /etc/ssh/ssh_host_ecdsa_key debug3: /etc/ssh/sshd_config:15 setting UsePrivilegeSeparation yes debug3: /etc/ssh/sshd_config:18 setting KeyRegenerationInterval 3600 debug3: /etc/ssh/sshd_config:19 setting ServerKeyBits 768 debug3: /etc/ssh/sshd_config:22 setting SyslogFacility AUTH debug3: /etc/ssh/sshd_config:23 setting LogLevel INFO debug3: /etc/ssh/sshd_config:26 setting LoginGraceTime 120 debug3: /etc/ssh/sshd_config:27 setting PermitRootLogin no debug3: /etc/ssh/sshd_config:28 setting StrictModes yes debug3: /etc/ssh/sshd_config:30 setting RSAAuthentication yes debug3: /etc/ssh/sshd_config:31 setting PubkeyAuthentication yes debug3: /etc/ssh/sshd_config:35 setting IgnoreRhosts yes debug3: /etc/ssh/sshd_config:37 setting RhostsRSAAuthentication no debug3: /etc/ssh/sshd_config:39 setting HostbasedAuthentication no debug3: /etc/ssh/sshd_config:44 setting PermitEmptyPasswords no debug3: /etc/ssh/sshd_config:48 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config:63 setting X11Forwarding yes debug3: /etc/ssh/sshd_config:64 setting X11DisplayOffset 10 debug3: /etc/ssh/sshd_config:65 setting PrintMotd no debug3: /etc/ssh/sshd_config:66 setting PrintLastLog yes debug3: /etc/ssh/sshd_config:67 setting TCPKeepAlive yes debug3: /etc/ssh/sshd_config:74 setting AcceptEnv LANG LC_* debug3: /etc/ssh/sshd_config:76 setting Subsystem sftp /usr/lib/openssh/sftp-server debug3: /etc/ssh/sshd_config:87 setting UsePAM yes debug1: sshd version OpenSSH_5.8p1 Debian-7ubuntu1 debug3: Incorrect RSA1 identifier debug1: read PEM private key done: type RSA debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: private host key: #0 type 1 RSA debug3: Incorrect RSA1 identifier debug1: read PEM private key done: type DSA debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 debug1: private host key: #1 type 2 DSA debug3: Incorrect RSA1 identifier debug1: read PEM private key done: type ECDSA debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256 debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256 debug1: private host key: #2 type 3 ECDSA debug1: setgroups() failed: Operation not permitted debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-ddd' debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Bind to port 22 on 0.0.0.0 failed: Permission denied. debug2: fd 3 setting O_NONBLOCK debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY debug1: Bind to port 22 on ::. Bind to port 22 on :: failed: Permission denied. Cannot bind any address.
也许问题就出在那个读数上,但我对这个输出不够熟悉。
我的笔记本电脑上仍然装有 Ubuntu 11.04,但仍然可以成功登录我需要的计算机,所以问题肯定与我的台式机升级到 11.10 有关。
=========================================================================
[编辑:]我想我明白了一些事情:
如果我执行(我尝试登录的计算机),在输出结束时我会得到:ssh -vv [email protected]
Jason Nett 11:06:38 PM
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to computer.org.com ([xxx.xxx.xxx.xxx]:xx).
注意:“gssapi-with-mic”在“可以继续的身份验证”列表中,并且是成功的身份验证。当我在失去 ssh 能力的机器上尝试时,输出如下:
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic,keyboard-interactive).
因此,在这台机器上,根据详细输出,从未尝试过“gssapi-keyex”和“gssapi-with-mic”,只尝试过“keyboard-interactive”。从我的在线搜索中,我了解到 gssapi-with-mic 与传达我的 kerberos 身份验证有关,但目前我还不太确定接下来该怎么做。
希望这些额外的信息可以帮助我们快速纠正这个问题。
答案1
看起来这可能与 ipv6 和 ipv4 都尝试绑定到端口 22 有关。尝试在 sshd_config 中禁用 ipv6。
ListenAddress 0.0.0.0
#ListenAddress ::
答案2
我遇到了同样的问题,但如果我至少使用密码验证登录控制台或通过 ssh 登录一次,则所有后续使用公钥的 ssh 验证都可以正常工作。这不是一个好的解决方法,因为重新启动会终止使用 ssh/公钥登录的能力,但它可能有助于诊断发生了什么。