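Today I realized something very strange:
I have a server on my local network (running Ubuntu Server 12.04.4 LTS) whose SSH port is reachable from the internet (I can connect to it using ssh my.internet.ip.address).
However, until today I had not realized that I cannot connect to it from within the local network (ssh its.local.ip.address fails without an error).
I checked /etc/hosts.deny and explicitly added my computer to /etc/hosts.allow, but that did not change anything. Of course, I also tried restarting ssh and the whole server. No new updates are available.
The local connection fails: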
myself@my-desktop ~ $ ssh -v its.local.ip.address
OpenSSH_6.2p2 Ubuntu-6ubuntu0.4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to its.local.ip.address [its.local.ip.address] port 22.
debug1: Connection established.
debug1: identity file /home/myself/.ssh/id_rsa type -1
debug1: identity file /home/myself/.ssh/id_rsa-cert type -1
debug1: identity file /home/myself/.ssh/id_dsa type -1
debug1: identity file /home/myself/.ssh/id_dsa-cert type -1
debug1: identity file /home/myself/.ssh/id_ecdsa type -1
debug1: identity file /home/myself/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by its.local.ip.address
myself@my-desktop ~ $
However, the remote connection works:
myself@my-desktop ~ $ ssh -v my.internet.ip.address
OpenSSH_6.2p2 Ubuntu-6ubuntu0.4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to my.internet.ip.address [my.internet.ip.address] port 22.
debug1: Connection established.
debug1: identity file /home/myself/.ssh/id_rsa type -1
debug1: identity file /home/myself/.ssh/id_rsa-cert type -1
debug1: identity file /home/myself/.ssh/id_dsa type -1
debug1: identity file /home/myself/.ssh/id_dsa-cert type -1
debug1: identity file /home/myself/.ssh/id_ecdsa type -1
debug1: identity file /home/myself/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA [... hidden here ...]
debug1: Host 'my.internet.ip.address' is known and matches the ECDSA host key.
debug1: Found key in /home/myself/.ssh/known_hosts:4
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
[email protected]'s password:
[ ... everything works just fine ... ]
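What is causing this problem? And more importantly, how can I fix it?
Note: increasing the verbosity (ssh -vvv) does not show anything additional at the point where the two outputs diverge.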
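Added example (not part of the original thread): a small Python helper that reports how far each ssh -v trace got in the handshake and where the two traces first differ. The function names and milestone labels are assumptions made for this example; the sample traces are shortened from the two sessions in the question.

```python
import re
from itertools import zip_longest

# Handshake milestones in the order an OpenSSH client prints them with -v.
STAGES = [
    ("tcp_connected", r"debug1: Connection established\."),
    ("banner_exchanged", r"debug1: Remote protocol version "),
    ("kexinit_exchanged", r"debug1: SSH2_MSG_KEXINIT received"),
    ("host_key_received", r"debug1: Server host key: "),
    ("newkeys_exchanged", r"debug1: SSH2_MSG_NEWKEYS received"),
    ("auth_methods_offered", r"debug1: Authentications that can continue: "),
]

def last_stage(trace):
    """Return (last milestone reached, True if the peer closed the connection)."""
    reached, nxt, closed = "none", 0, False
    for line in (l.strip() for l in trace.splitlines()):
        if nxt < len(STAGES) and re.match(STAGES[nxt][1], line):
            reached, nxt = STAGES[nxt][0], nxt + 1
        closed = closed or line.startswith("Connection closed by ")
    return reached, closed

def first_divergence(trace_a, host_a, trace_b, host_b):
    """First (index, line_a, line_b) that differs once each target host is masked."""
    a = [l.strip().replace(host_a, "<host>") for l in trace_a.splitlines() if l.strip()]
    b = [l.strip().replace(host_b, "<host>") for l in trace_b.splitlines() if l.strip()]
    return next(((i, x, y) for i, (x, y) in enumerate(zip_longest(a, b)) if x != y), None)

# Sample input: the two sessions from the question, shortened to the handshake lines.
COMMON = """debug1: Connecting to {h} [{h}] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: SSH2_MSG_KEXINIT received
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
"""
LAN, WAN = "its.local.ip.address", "my.internet.ip.address"
LAN_TRACE = COMMON.format(h=LAN) + "Connection closed by " + LAN + "\n"
WAN_TRACE = COMMON.format(h=WAN) + """debug1: Server host key: ECDSA [... hidden here ...]
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: password
"""

if __name__ == "__main__":
    print("LAN:", last_stage(LAN_TRACE))
    print("WAN:", last_stage(WAN_TRACE))
    print(first_divergence(LAN_TRACE, LAN, WAN_TRACE, WAN))
```

On these traces the local session stops after the KEXINIT exchange with the peer closing the connection, while the remote session continues to the host key and the password prompt.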
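Answer 1
The server is deciding to drop the connection, so you have to debug the problem from the server side. If you have "root" access on the server, you can run sshd interactively: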
/path/to/sshd -ddd -p 42
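This will start a copy of sshd in debug mode, listening on port 42 (you can specify a different number). It will run in the foreground, accept a single connection, and print debug information to your terminal.
Now connect with your client: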
ssh -v -p 42 its.local.ip.address
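With luck, the debug messages on the server side should indicate why the session is being dropped.
Answer 2
I assume the client machine is the same in both captures (even though the prompt is different). Since it allows the TCP connection, it is probably related to reverse DNS and/or a deny policy in the sshd configuration.
Try turning off DNS on the server side (UseDNS=no in sshd_config) and restart sshd (kill -1 is enough).
Answer 3
This bug has reportedly affected multiple users.
When on the local network, try ssh -X to disable X forwarding.
Also, the maximum transmission unit [MTU] may need to be adjusted to the ssh_server's MTU.
** If it does not work locally, try: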
myself@my-desktop ~ $ ssh -v my.internet.ip.address
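If it can travel out of your network and then come back in...
This may be a server misconfiguration; check the "allowed users" in sshd_config, and where known_host is stored, and add the local.ip.address version for the user "myself".
A copy of sshd might help.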