ssh refuses all connections after upgrading to 11.10

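I upgraded from 11.04 to 11.10, and once the upgrade finished I found that I could no longer connect via ssh to the other computers I use regularly. I checked the following:

  1. Kerberos authentication works fine; that is not the problem.
  2. I tried restarting and reinstalling ssh, but neither helped.
  3. I tried copying all the ssh-related files from my laptop (which runs 11.04 with a working ssh) and replacing the ones on my broken 11.10 system, but that didn't help.
  4. I tried deleting the .ssh/known_hosts file. On the next attempt I got the normal message about connecting somewhere for the first time, but the connection was still refused.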

    jason:~$ /usr/sbin/sshd -ddd
    debug2: load_server_config: filename /etc/ssh/sshd_config 
    debug2: load_server_config: done config len = 682 
    debug2: parse_server_config: config /etc/ssh/sshd_config len 682 
    debug3: /etc/ssh/sshd_config:5 setting Port 22 
    debug3: /etc/ssh/sshd_config:9 setting Protocol 2 
    debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key 
    debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key 
    debug3: /etc/ssh/sshd_config:13 setting HostKey /etc/ssh/ssh_host_ecdsa_key 
    debug3: /etc/ssh/sshd_config:15 setting UsePrivilegeSeparation yes 
    debug3: /etc/ssh/sshd_config:18 setting KeyRegenerationInterval 3600 
    debug3: /etc/ssh/sshd_config:19 setting ServerKeyBits 768 
    debug3: /etc/ssh/sshd_config:22 setting SyslogFacility AUTH 
    debug3: /etc/ssh/sshd_config:23 setting LogLevel INFO 
    debug3: /etc/ssh/sshd_config:26 setting LoginGraceTime 120 
    debug3: /etc/ssh/sshd_config:27 setting PermitRootLogin no 
    debug3: /etc/ssh/sshd_config:28 setting StrictModes yes 
    debug3: /etc/ssh/sshd_config:30 setting RSAAuthentication yes 
    debug3: /etc/ssh/sshd_config:31 setting PubkeyAuthentication yes 
    debug3: /etc/ssh/sshd_config:35 setting IgnoreRhosts yes 
    debug3: /etc/ssh/sshd_config:37 setting RhostsRSAAuthentication no 
    debug3: /etc/ssh/sshd_config:39 setting HostbasedAuthentication no 
    debug3: /etc/ssh/sshd_config:44 setting PermitEmptyPasswords no 
    debug3: /etc/ssh/sshd_config:48 setting ChallengeResponseAuthentication no 
    debug3: /etc/ssh/sshd_config:63 setting X11Forwarding yes 
    debug3: /etc/ssh/sshd_config:64 setting X11DisplayOffset 10 
    debug3: /etc/ssh/sshd_config:65 setting PrintMotd no 
    debug3: /etc/ssh/sshd_config:66 setting PrintLastLog yes 
    debug3: /etc/ssh/sshd_config:67 setting TCPKeepAlive yes 
    debug3: /etc/ssh/sshd_config:74 setting AcceptEnv LANG LC_* 
    debug3: /etc/ssh/sshd_config:76 setting Subsystem sftp /usr/lib/openssh/sftp-server 
    debug3: /etc/ssh/sshd_config:87 setting UsePAM yes 
    debug1: sshd version OpenSSH_5.8p1 Debian-7ubuntu1 
    debug3: Incorrect RSA1 identifier 
    debug1: read PEM private key done: type RSA 
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 
    debug1: private host key: #0 type 1 RSA 
    debug3: Incorrect RSA1 identifier 
    debug1: read PEM private key done: type DSA 
    debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 
    debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 
    debug1: private host key: #1 type 2 DSA 
    debug3: Incorrect RSA1 identifier 
    debug1: read PEM private key done: type ECDSA 
    debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256 
    debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256 
    debug1: private host key: #2 type 3 ECDSA 
    debug1: setgroups() failed: Operation not permitted 
    debug1: rexec_argv[0]='/usr/sbin/sshd' 
    debug1: rexec_argv[1]='-ddd' 
    debug3: oom_adjust_setup 
    Set /proc/self/oom_score_adj from 0 to -1000 
    debug2: fd 3 setting O_NONBLOCK 
    debug1: Bind to port 22 on 0.0.0.0. 
    Bind to port 22 on 0.0.0.0 failed: Permission denied. 
    debug2: fd 3 setting O_NONBLOCK 
    debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY 
    debug1: Bind to port 22 on ::. 
    Bind to port 22 on :: failed: Permission denied. 
    Cannot bind any address. 
    

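Maybe the problem is somewhere in that readout, but I'm not familiar enough with this output.

My laptop still has Ubuntu 11.04 on it and can still log in successfully to the computers I need, so the problem must be related to upgrading my desktop to 11.10.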

=========================================================================

[Edit:] I think I've figured something out:

If I run `ssh -vv [email protected]` (the computer I am trying to log in to), at the end of the output I get:

Jason Nett 11:06:38 PM

    debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: gssapi-with-mic
    debug2: we sent a gssapi-with-mic packet, wait for reply
    debug1: Authentication succeeded (gssapi-with-mic).
    Authenticated to computer.org.com ([xxx.xxx.xxx.xxx]:xx).

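Note: "gssapi-with-mic" is in the "Authentications that can continue" list and is the authentication that succeeded. When I try this on the machine that lost its ssh ability, the output is as follows: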

    debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (gssapi-keyex,gssapi-with-mic,keyboard-interactive).

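So on this machine, according to the verbose output, "gssapi-keyex" and "gssapi-with-mic" are never attempted; only "keyboard-interactive" is. From my online searching I understand that gssapi-with-mic is related to conveying my Kerberos authentication, but at this point I'm not sure what to do next.

Hopefully this additional information helps us correct the problem quickly.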
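
The comparison the asker makes between the two `ssh -vv` runs can be automated. The following is an added example, not part of the original post: it parses client debug output and reports which server-offered methods the client never attempted. The sample input is the lines quoted in the question; `analyse` and `GATING_OPTION` are names introduced here.

```python
import re

# Standard ssh_config options that enable a method on the client side.
# A disabled method is skipped silently, with no "Next authentication method" line.
GATING_OPTION = {
    "gssapi-with-mic": "GSSAPIAuthentication",
    "publickey": "PubkeyAuthentication",
    "password": "PasswordAuthentication",
    "keyboard-interactive": "KbdInteractiveAuthentication",
}

OFFERED = re.compile(r"debug1: Authentications that can continue: (\S+)")
NEXT = re.compile(r"debug1: Next authentication method: (\S+)")
SUCCEEDED = re.compile(r"debug1: Authentication succeeded \(([^)]+)\)")

def analyse(log):
    """Summarise which offered methods the client tried, skipped or succeeded with."""
    offered, tried, succeeded = [], [], None
    for line in log.splitlines():
        if m := OFFERED.search(line):
            offered += [x for x in m.group(1).split(",") if x not in offered]
        elif m := NEXT.search(line):
            if m.group(1) not in tried:
                tried.append(m.group(1))
        elif m := SUCCEEDED.search(line):
            succeeded = m.group(1)
    skipped = [x for x in offered if x not in tried]
    # Only a failed login makes the skipped methods worth chasing.
    check = [] if succeeded else sorted(
        {GATING_OPTION[x] for x in skipped if x in GATING_OPTION})
    return {"offered": offered, "tried": tried, "skipped": skipped,
            "succeeded": succeeded, "check": check}

# Sample input: the failing run quoted in the question.
BROKEN = """\
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
"""
# Sample input: the tail of the working run quoted in the question.
WORKING = """\
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
"""

if __name__ == "__main__":
    for name, log in (("working", WORKING), ("broken", BROKEN)):
        print(name, analyse(log))
```

The options named in `check` are the ones to inspect with `ssh -G <host>` or in `/etc/ssh/ssh_config` and `~/.ssh/config` on the failing client, together with `PreferredAuthentications`.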

Answer 1

It looks like this may be related to both ipv6 and ipv4 trying to bind to port 22. Try disabling ipv6 in sshd_config.

    ListenAddress 0.0.0.0
    #ListenAddress ::

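Answer 2

I had the same problem, but if I log in at least once at the console or over ssh using password authentication, all subsequent ssh authentications using public keys work fine. This is not a good workaround, because a reboot kills the ability to log in with ssh/public key, but it may help diagnose what is going on.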
