How do I diagnose an ssh connection that stalls after SSH2_MSG_KEXINIT?

Edit: this problem only happens when I go out of my home network and come back in to it. From outside it works fine, so I'm cool with it.

I can connect to the sshd service on a machine on my home network, but if I access it from outside via port forwarding on the router, it only gets as far as this message

debug1: SSH2_MSG_KEXINIT sent

and then stalls.

Is there a way to diagnose why it fails at this point? What happens at this stage of the protocol?

I did find some information online [1] that it may be related to the MTU size. I tried setting the MTU to 576 on both the server and the router, but got the same result.

Here is the log from the ssh client:

OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/justinhj/.ssh/identity type 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug3: Not a RSA1 key file /home/justinhj/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/justinhj/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/justinhj/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.1p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent

Here is the server output:

justinhj@ubuntu:~$ sudo /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 875
debug2: parse_server_config: config /etc/ssh/sshd_config len 875
debug3: /etc/ssh/sshd_config:6 setting Port 22
debug3: /etc/ssh/sshd_config:7 setting ListenAddress 192.168.0.106:22
debug3: /etc/ssh/sshd_config:8 setting ListenAddress 127.0.0.1:22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:15 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:16 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:19 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:22 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:23 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:26 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:27 setting LogLevel DEBUG3
debug3: /etc/ssh/sshd_config:29 setting GatewayPorts yes
debug3: /etc/ssh/sshd_config:32 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:33 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:34 setting StrictModes yes
debug3: /etc/ssh/sshd_config:44 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:47 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:50 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:56 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:60 setting ChallengeResponseAuthentication yes
debug3: /etc/ssh/sshd_config:63 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:66 setting KerberosAuthentication no
debug3: /etc/ssh/sshd_config:68 setting KerberosOrLocalPasswd yes
debug3: /etc/ssh/sshd_config:69 setting KerberosTicketCleanup yes
debug3: /etc/ssh/sshd_config:72 setting GSSAPIAuthentication no
debug3: /etc/ssh/sshd_config:73 setting GSSAPICleanupCredentials no
debug3: /etc/ssh/sshd_config:74 setting GSSAPIKeyExchange no
debug3: /etc/ssh/sshd_config:76 setting X11Forwarding no
debug3: /etc/ssh/sshd_config:77 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:78 setting PrintMotd yes
debug3: /etc/ssh/sshd_config:79 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:80 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:85 setting Banner /etc/issue
debug3: /etc/ssh/sshd_config:88 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:90 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:92 setting UsePAM yes
debug1: sshd version OpenSSH_5.1p1 Debian-5ubuntu1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 127.0.0.1.
Server listening on 127.0.0.1 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 192.168.0.106.
Server listening on 192.168.0.106 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 875
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from xx.xx.xx.x port 41016

No.     Time        Source                Destination           Protocol Info
     22 40.592821   192.168.0.106         192.168.0.100         TCP      ssh > 4632 [RST] Seq=1 Win=0 Len=0

Frame 22 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Asiarock_c9:54:51 (00:13:8f:c9:54:51), Dst: AskeyCom_76:f6:2b (00:90:96:76:f6:2b)
Internet Protocol, Src: 192.168.0.106 (192.168.0.106), Dst: 192.168.0.100 (192.168.0.100)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 4632 (4632), Seq: 1, Len: 0

No.     Time        Source                Destination           Protocol Info
     23 43.485533   192.168.0.100         xxx.xxx.xxx.xxx       TCP      [TCP Retransmission] [TCP segment of a reassembled PDU]

Frame 23 (590 bytes on wire, 590 bytes captured)
Ethernet II, Src: AskeyCom_76:f6:2b (00:90:96:76:f6:2b), Dst: D-Link_fa:33:1e (00:13:46:fa:33:1e)
Internet Protocol, Src: 192.168.0.100 (192.168.0.100), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Transmission Control Protocol, Src Port: 4632 (4632), Dst Port: ssh (22), Seq: 1, Ack: 40, Len: 536
SSH Protocol

[1]: Maybe: http://www.snailbook.com/faq/mtu-mismatch.auto.html

Answer 1

Run a packet capture (e.g. Wireshark or tcpdump) on both the client and the server, then try to connect. You may see packets sent (by the client or by the server) that are never received by the other end. If that is the case, something (e.g. a firewall/router, or iptables on the server) is dropping packets.

You can limit the capture to tcp port 22 to filter out everything except the ssh connection. But you should also capture icmp, in case any unreachable messages are being sent.
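Why the stall shows up exactly at SSH2_MSG_KEXINIT: the version-string exchange that precedes it consists of tiny packets (the server's "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1" banner is 39 bytes, matching the Ack: 40 in frame 23 above), and KEXINIT is the first full-size segment each side sends. A path that passes small packets but silently drops large ones (an MTU/PMTU black hole, or a filter that only lets a first few bytes through) therefore fails right here, and the capture shows the same segment retransmitted with no acknowledgement ever coming back. The script below is an added example, not code from the question or from either answer. It implements the analysis Answer 1 describes on Wireshark-style summary lines like the ones pasted in the question: it finds data segments that are retransmitted but never acknowledged and reports the largest payload that got through next to the smallest that did not. The sample capture and the server address 203.0.113.10 are constructed for the example.

```python
"""Find TCP data segments that are retransmitted but never acknowledged.

Added example; not code from the question or either answer. It reads the
"No. Time Source Destination Protocol Info" summary lines Wireshark prints
(the format pasted in the question) and reports which payload sizes got
through and which did not, the evidence needed to tell a size-dependent
drop (MTU/PMTU black hole) from a plain firewall drop.
"""
import re
from collections import defaultdict

# One Wireshark summary line: number, time, src, dst, protocol, free-text info.
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*)$"
)


def _field(name, info):
    """Extract an integer Name=NNN field (Seq, Ack, Len) from the Info column, or None."""
    m = re.search(r"\b%s=(\d+)" % name, info)
    return int(m.group(1)) if m else None


def parse_summary(text):
    """Parse summary lines into dicts; the header line and anything unparsable is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["no"] = int(row["no"])
        row["time"] = float(row["time"])
        row["seq"] = _field("Seq", row["info"])
        row["ack"] = _field("Ack", row["info"])
        row["len"] = _field("Len", row["info"])
        row["retrans"] = "Retransmission" in row["info"]
        rows.append(row)
    return rows


def unacked_segments(rows):
    """Return data segments (len > 0) the peer never acknowledged, with retransmission counts.

    A segment src->dst covering [seq, seq+len) counts as acknowledged once any
    packet dst->src carries Ack >= seq + len (Wireshark prints relative numbers).
    """
    highest_ack = defaultdict(int)        # (src, dst) -> largest Ack seen in that direction
    for r in rows:
        if r["ack"] is not None:
            key = (r["src"], r["dst"])
            highest_ack[key] = max(highest_ack[key], r["ack"])

    retrans = {}                          # (src, dst, seq, len) -> retransmission count
    for r in rows:
        if r["seq"] is not None and r["len"]:
            key = (r["src"], r["dst"], r["seq"], r["len"])
            retrans[key] = retrans.get(key, 0) + (1 if r["retrans"] else 0)

    missing = []
    for (src, dst, seq, length), count in retrans.items():
        if highest_ack[(dst, src)] < seq + length:
            missing.append({"src": src, "dst": dst, "seq": seq,
                            "len": length, "retransmissions": count})
    return missing


def size_threshold(rows):
    """(largest payload that was acked, smallest payload that was not): brackets a size-dependent drop."""
    missing = unacked_segments(rows)
    missing_keys = {(m["src"], m["dst"], m["seq"], m["len"]) for m in missing}
    acked = [r["len"] for r in rows
             if r["len"] and (r["src"], r["dst"], r["seq"], r["len"]) not in missing_keys]
    return (max(acked, default=0), min((m["len"] for m in missing), default=None))


# Constructed client-side capture (not from the question). 203.0.113.10 is a
# documentation address standing in for the server's public IP. The 39-byte
# version strings are acked; the 536-byte client KEXINIT is retransmitted and never acked.
SAMPLE = """\
No.     Time        Source                Destination           Protocol Info
      1 0.000000    192.168.0.100         203.0.113.10          TCP      4632 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=536
      2 0.031000    203.0.113.10          192.168.0.100         TCP      ssh > 4632 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
      3 0.031200    192.168.0.100         203.0.113.10          TCP      4632 > ssh [ACK] Seq=1 Ack=1 Win=65535 Len=0
      4 0.070000    203.0.113.10          192.168.0.100         TCP      ssh > 4632 [PSH, ACK] Seq=1 Ack=1 Win=5840 Len=39
      5 0.070300    192.168.0.100         203.0.113.10          TCP      4632 > ssh [PSH, ACK] Seq=1 Ack=40 Win=65535 Len=39
      6 0.101000    203.0.113.10          192.168.0.100         TCP      ssh > 4632 [ACK] Seq=40 Ack=40 Win=5840 Len=0
      7 0.102000    192.168.0.100         203.0.113.10          TCP      4632 > ssh [PSH, ACK] Seq=40 Ack=40 Win=65535 Len=536
      8 3.100000    192.168.0.100         203.0.113.10          TCP      [TCP Retransmission] 4632 > ssh [PSH, ACK] Seq=40 Ack=40 Win=65535 Len=536
      9 9.100000    192.168.0.100         203.0.113.10          TCP      [TCP Retransmission] 4632 > ssh [PSH, ACK] Seq=40 Ack=40 Win=65535 Len=536
"""

if __name__ == "__main__":
    rows = parse_summary(SAMPLE)
    for m in unacked_segments(rows):
        print("never acked: %(src)s -> %(dst)s seq=%(seq)d len=%(len)d "
              "retransmitted %(retransmissions)d times" % m)
    print("largest acked payload / smallest unacked payload:", size_threshold(rows))
```

On the constructed capture this reports the 536-byte segment at seq 40 as retransmitted twice and never acked, with a threshold of (39, 536). Run it on real data by capturing on both ends with the filter Answer 1 suggests, for example `tcpdump -n -i eth0 'tcp port 22 or icmp'`, opening the file in Wireshark and exporting the packet list as text. If the same segment appears in the client-side capture but never in the server-side one, something between them is dropping it; if the threshold sits just above the small packets that succeed, suspect the path MTU, and an ICMP "fragmentation needed" message in the icmp part of the capture (or its absence) confirms whether PMTU discovery is being allowed to work.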

Answer 2

Try checking to make sure that /etc/hosts.allow and /etc/hosts.deny are not blocking SSH access from outside your home network.
