Why does SSH dynamicforward lead to some kind of loop that results in a "Too many open files" error?

I would like to understand why my SSH client gives this error:

channel 1017: open failed: connect failed: open failed
channel 1017: open failed: connect failed: Too many open files
channel 1017: open failed: connect failed: Too many open files
channel 1017: open failed: connect failed: Too many open files

Background:

I have configured my web browser to use localhost:6162 as a SOCKS proxy, and I use SSH to provide this proxy: ssh -D6162 hostname

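Normally it connects to a remote server, and in that case it works as expected. But some websites require me to connect from my own country, which my server does not.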

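Because reconfiguring the browser proxy every time I need such a website is not easy, I disconnect the ssh client and then start a new one with the following command: ssh -D6162 127.0.0.1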

In theory, this should just replace the proxy the browser sees with a different endpoint, and I would expect it to behave the same.

But it does not. Instead, the ssh client starts throwing "Too many open files" errors, and the connection drops after a few seconds.

If I start ssh with -vvv, I can see that, as soon as I start it, the (ssh?) client spawns connections until it reaches max-open-files:

debug1: channel 993: free: direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38054 to 127.0.0.1 port 34636, nchannels 24
debug3: channel 993: status: The following connections are open:
  #993 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38054 to 127.0.0.1 port 34636 (t4 r989 i0/0 o3/0 fd 999/999 cc -1)
  #994 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38056 to 127.0.0.1 port 34636 (t4 r990 i0/0 o3/0 fd 1000/1000 cc -1)
  #995 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38058 to 127.0.0.1 port 34636 (t4 r991 i0/0 o3/0 fd 1001/1001 cc -1)
  #996 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38060 to 127.0.0.1 port 34636 (t4 r992 i0/0 o3/0 fd 1002/1002 cc -1)
  #997 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38062 to 127.0.0.1 port 34636 (t4 r993 i0/0 o3/0 fd 1003/1003 cc -1)
  #998 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38064 to 127.0.0.1 port 34636 (
debug1: channel 994: free: direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38056 to 127.0.0.1 port 34636, nchannels 23
debug3: channel 994: status: The following connections are open:
  #994 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38056 to 127.0.0.1 port 34636 (t4 r990 i0/0 o3/0 fd 1000/1000 cc -1)
  #995 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38058 to 127.0.0.1 port 34636 (t4 r991 i0/0 o3/0 fd 1001/1001 cc -1)
  #996 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38060 to 127.0.0.1 port 34636 (t4 r992 i0/0 o3/0 fd 1002/1002 cc -1)
  #997 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38062 to 127.0.0.1 port 34636 (t4 r993 i0/0 o3/0 fd 1003/1003 cc -1)
  #998 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38064 to 127.0.0.1 port 34636 (t4 r994 i0/0 o3/0 fd 1004/1004 cc -1)
  #999 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38066 to 127.0.0.1 port 34636

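This goes on until the ulimit for open files is reached.
I think I have inadvertently created some kind of loop, so that each connection the browser creates creates another connection, which in turn creates another one, which again creates another one, and so on.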

Again, this only happens when dynamic forwarding to localhost; when I connect to a remote server, as in my normal use, it works fine.

ssh client and server:
OpenSSH_7.5p1 Debian-10, OpenSSL 1.0.2l 25 May 2017

Browser: Google Chrome 61.0.3163.91

Browser configuration:

google-chrome --proxy-server="socks5://localhost:6162" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost, EXCLUDE 192.168.178.0/24" --proxy-bypass-list="127.0.0.1:3000,127.0.0.1,localhost:3000,localhost,192.168.178.0/24"

Can anyone reproduce this? Is there any explanation?

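PS: As usual, while writing this it occurred to me that the browser might be trying to reach the proxy on localhost through the proxy itself, but that would not make any sense, would it?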
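
One way to read the channel dump in the question, as an added example that is not part of the original post: the Python below parses the `ssh -vvv` status lines, counts the direct-tcpip channels per forwarding target, and reports how far the highest descriptor is from the open-files limit. The names `summarize` and `is_loopback` and the limit of 1024 used in the usage comment are assumptions; the sample lines are copied from the output above.

```python
import ipaddress
import re
from collections import Counter

# One entry of the "The following connections are open:" dump printed by ssh -vvv.
CHANNEL_RE = re.compile(
    r"#(?P<chan>\d+) direct-tcpip: listening port (?P<lport>\d+) "
    r"for (?P<dhost>\S+) port (?P<dport>\d+), "
    r"connect from (?P<shost>\S+) port (?P<sport>\d+) "
    r"to (?P<thost>\S+) port (?P<tport>\d+)"
    r"(?: \(.*?fd (?P<fd>\d+)/\d+)?"   # absent on lines the dump truncated
)

# Status lines copied from the output in the post; two are truncated there as well.
SAMPLE = """\
  #998 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38064 to 127.0.0.1 port 34636 (
  #996 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38060 to 127.0.0.1 port 34636 (t4 r992 i0/0 o3/0 fd 1002/1002 cc -1)
  #997 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38062 to 127.0.0.1 port 34636 (t4 r993 i0/0 o3/0 fd 1003/1003 cc -1)
  #998 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38064 to 127.0.0.1 port 34636 (t4 r994 i0/0 o3/0 fd 1004/1004 cc -1)
  #999 direct-tcpip: listening port 34636 for 127.0.0.1 port 34636, connect from 127.0.0.1 port 38066 to 127.0.0.1 port 34636
"""

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def summarize(log_text, nofile_limit):
    """Summarize forwarded channels; nofile_limit is the caller's `ulimit -n` value."""
    channels = {}
    for line in log_text.splitlines():
        m = CHANNEL_RE.search(line)
        # The same channel is dumped many times; prefer an entry that carries an fd.
        if m and (m["chan"] not in channels or m["fd"]):
            channels[m["chan"]] = m
    targets = Counter((m["thost"], int(m["tport"])) for m in channels.values())
    max_fd = max((int(m["fd"]) for m in channels.values() if m["fd"]), default=None)
    return {
        "channels": len(channels),
        "targets": dict(targets),
        "all_loopback": bool(targets) and all(is_loopback(h) for h, _ in targets),
        "single_target": len(targets) == 1,
        "max_fd": max_fd,
        # Distance between the highest fd seen and the highest fd number allowed.
        "fd_headroom": None if max_fd is None else nofile_limit - 1 - max_fd,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, 1024))  # 1024 is an assumed limit, not stated in the post
```

A result where every channel points at one loopback port while `fd_headroom` shrinks toward zero matches the pattern the question describes; the summary reports that pattern and does not by itself identify which program opens the connections.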
