我的问题描述如下。
我有一台工作电脑,它始终在线并且具有静态 IP 地址。我有一台笔记本电脑,我随身携带 — 显然,它没有静态 IP,但我希望它可以从外部访问。因此,我打开了从工作电脑端口 111 到笔记本电脑端口 222 的 ssh 隧道(命令“ssh -nNT -R 111:localhost:222 -p 222 root@work-comp”在笔记本电脑上运行;我已将 sshd 配置为监听端口 222)。我希望在执行“ssh -p 111 work-comp”时,我会被重定向到笔记本电脑的端口 222,这样问题就解决了。
事实上,它是有效的,但只有当我运行“ssh -p 111 work-comp”时我的工作电脑。当我尝试从任何其他机器,ssh 抛出“ssh_exchange_identification:读取:对等方重置连接”!
对于如何调试该问题有什么想法吗?
附加信息:经过更多调试后,我发现只有当我尝试从我当前所在网络的机器进行连接时,才会发生此问题。当我尝试从工作计算机所在网络的机器进行连接时(我可以远程连接到其中一些机器),一切正常。当识别数据包从一个网络传输到另一个网络时,是否会发生某些事情?
ssh 客户端的输出是:
user@some-machine:~> ssh -vvv -p 111 work-comp
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: Reading configuration data /home/<user>/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: resolving "work-comp" port 111
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to work-comp [work-comp] port 111.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/<user>/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/<user>/.ssh/id_rsa-cert type -1
debug1: identity file /home/<user>/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/<user>/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/<user>/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/<user>/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/<user>/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/<user>/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
ssh_exchange_identification: read: Connection reset by peer
ssh 服务器(调试模式下)的输出是:
user@laptop:~> sudo /usr/sbin/sshd -D -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 624
debug2: parse_server_config: config /etc/ssh/sshd_config len 624
debug3: /etc/ssh/sshd_config:13 setting Port 222
debug3: /etc/ssh/sshd_config:27 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: /etc/ssh/sshd_config:54 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:72 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:106 setting UsePAM yes
debug3: /etc/ssh/sshd_config:110 setting GatewayPorts yes
debug3: /etc/ssh/sshd_config:111 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:113 setting X11UseLocalhost no
debug3: /etc/ssh/sshd_config:117 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:119 setting UsePrivilegeSeparation sandbox
debug3: /etc/ssh/sshd_config:122 setting ClientAliveInterval 60
debug3: /etc/ssh/sshd_config:123 setting ClientAliveCountMax 3
debug3: /etc/ssh/sshd_config:135 setting Subsystem sftp /usr/lib/ssh/sftp-server
debug3: /etc/ssh/sshd_config:138 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:139 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:140 setting AcceptEnv LC_IDENTIFICATION LC_ALL
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: private host key #0: ssh-ed25519 SHA256:<some number>
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 222 on ::.
Server listening on :: port 222.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 624
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from ::1 port 54990 on ::1 port 222
^C
所有相关机器都安装了 openSUSE 42.3 (x86_64) 和 OpenSSH 7.2。身份验证配置为使用 ed25519 密钥。
答案1
netstat您可以通过运行检查开放端口来在一定程度上探测每个系统上的隧道。
例如,我已经建立了一个反向隧道来测试:
user@computer1:~ $ ssh -nNT -R 12345:localhost:22 computer2
然后我探测 computer2 上的端口。标志 -l 仅列出监听端口,标志 -t 将仅显示 tcp 端口(例如 ssh)。
user@computer2:~ $ netstat -l -t
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:12345 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:12345 [::]:* LISTEN
从这里可以明显看出反向隧道的问题所在:它只监听本地主机(即环回接口)。如果它监听所有接口,我应该会看到0.0.0.0:12345ipv4 和[::]:12345ipv6。
当您ssh -p 111 work-comp从 work-comp 运行时,它会接受来自本地主机的连接,但是当您从外部机器运行相同的命令时,work-comp 实际上并没有在该端口上监听来自“some-machine”的连接。
您可以从“some-machine”到“work-comp”的正确端口创建另一个隧道,或者使用 ProxyCommand 通过“work-comp”连接到“laptop”。