可以从 root 账户通过隧道进行 ssh,但不能从用户账户进行

可以从 root 账户通过隧道进行 ssh,但不能从用户账户进行

我有两个用户desktop-rootuser。我有一个bastion和一个protected主机。当我ssh protectedrooton身份运行时desktop,我连接正常。当我ssh protecteduseron身份运行时desktop,我没有得到任何输出 - 只有一个空白行,就像在等待什么东西一样。但是,user 直接登录到bastion主机,然后从那里再登录到protected主机。

root和目录user中的内容相同(.ssh#cp -r ~/.ssh /home/user; chown -R user:user /home/user/.ssh

主机bastion似乎转发正常 - 正在运行$(which sshd) -Ddp 10222(每https://unix.stackexchange.com/a/128910/9583)debug1: channel 0: connected to protected port 22两者显示的是相同的线。

运行相同的操作protected会显示相同的输出,直到:

debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]

第二行不是从 连接时user显示desktop

ssh -vvv protected就像节目userdesktop展示的那样:

OpenSSH_7.9p1, OpenSSL 1.1.1  11 Sep 2018                                                                                                                       
debug1: Reading configuration data /home/user/.ssh/config                                                                                                     
debug1: /home/user/.ssh/config line 1: Applying options for *                                                                                                
debug1: /home/user/.ssh/config line 10: Applying options for protected                                                                                            
debug1: Reading configuration data /etc/ssh/ssh_config                                                                                                          
debug1: Executing proxy command: exec ssh bastion -W protected:22                                                                                                
debug1: identity file /home/user/.ssh/id_protected type 0                                                                                                         
debug1: identity file /home/user/.ssh/id_protected-cert type -1                                                                                                   
debug1: Local version string SSH-2.0-OpenSSH_7.9                                                                                                                
debug1: ssh_exchange_identification: \033[3g
\033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H     \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H    \033H
SSH-2.0-Op
debug1: ssh_exchange_identification: enSSH_7.9


debug1: ssh_exchange_identification:
debug1: ssh_exchange_identification: 6,diffie-hellman-group14-sha1
debug1: ssh_exchange_identification: aes192-ctr,aes256-ctr,[email protected],[email protected]                                                       
debug1: ssh_exchange_identification: 2-256,hmac-sha2-512,hmac-sha1

root直到第一行为止,所有内容都desktop相同ssh_exchange_identification

我的 ssh 配置是:

Host *
ServerAliveInterval 60
IdentitiesOnly yes

Host           bastion
HostName       bastion.host
IdentityFile   ~/.ssh/id_protected
User           user

Host          protected
IdentityFile   ~/.ssh/id_protected
Hostname       protected
User           user
ProxyCommand   ssh bastion -W %h:%p

我也尝试过https://askubuntu.com/a/976226/427339,但我认为这不适用,原因有二 - 1. 清空我的~/.config/fish/fish.config没什么区别,2. 我可以登录到同user一个protected rootdesktop

所有三个系统都运行 Arch Linux,protected并且desktop都使用fishshell。

编辑:

user@bastion~/.ssh/config

Host *
ServerAliveInterval 60

Host protected
User user
IdentityFile ~/.ssh/id_protected

如上所述,这可以很好地登录受保护的账户。/etc/hosts有一个protected指向网络本地 IP 的条目 - 10.xxx

编辑2:

我的问题与这些非常相似:

我还没有尝试过 MTU 解决方法,并且对协议分析器也不够熟悉,无法立即设置并使用它。

编辑3:

添加-vProxyCommand(现在是ProxyCommand ssh -v bastion -W %h:%p),完整输出user@desktop$ ssh protected

OpenSSH_7.9p1, OpenSSL 1.1.1  11 Sep 2018
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: /home/user/.ssh/config line 5: Applying options for bastion
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to bastion [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_protected type 0
debug1: identity file /home/user/.ssh/id_protected-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bastion:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none                                                             
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none                                                             
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY                                                                                                                       
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HfDmNOGgLrPLMsnCbyZuEuJapj+T6wrSTTiFSd+37ag                                                                 
debug1: Host 'bastion' is known and matches the ECDSA host key.                                                                                           
debug1: Found key in /home/users/.ssh/known_hosts:3                                                                                                           
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent                                   
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent                                
debug1: Server accepts key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent                                 
debug1: Authentication succeeded (publickey).
Authenticated to bastion ([x.x.x.x]:22).
debug1: channel_connect_stdio_fwd protected:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: /home/user/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/user/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
--- very long delay; from `root` everything is the same till here, but the next line is `Last login: ...`, etc - a successful connection ---
debug1: channel 0: FORCE input drain
ssh_exchange_identification: Connection closed by remote host
debug1: channel 0: free: direct-tcpip: listening port 0 for protected port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Killed by signal 1.

答案1

由于受保护的主机位于堡垒主机后面,因此您仍然需要通过堡垒主机才能到达它,无论是从用户或普通用户帐户。

只需将根 ssh 配置复制到用户 ssh 配置就可以了,但要ForwardAgent yes在每个Host部分中为根用户和桌面上的普通用户添加一个。

Host *
ServerAliveInterval 60
IdentitiesOnly yes

Host           bastion
HostName       bastion.host
IdentityFile   ~/.ssh/id_protected
User           user
ForwardAgent   yes

Host          protected
IdentityFile   ~/.ssh/id_protected
Hostname       protected
User           user
ForwardAgent   yes
ProxyCommand   ssh bastion -W %h:%p

sshd_config堡垒和受保护主机上的文件(通常为)/etc/ssh/sshd_config需要具有,AllowAgentForwarding yes这通常是默认的,但值得检查。如果您确实需要更改,请在保存后重新启动 sshd。

希望 root 和普通用户的私钥相同,但如果不同,请确保.ssh/authorized_keys堡垒主机和受保护主机上的文件中都有相应的公钥。换句话说,堡垒用户的.ssh/authorized_keys文件有一个条目(单行,2 或 3 个空格分隔的字段),其中包含桌面使用的相应私钥的公钥,受保护主机也是如此。

如果您不再拥有公钥,您可以通过以下命令获取:

ssh-keygen -l -f /path/to/private_key

答案2

laptop我在从(问题中未提及 - 我也有pi其他几台与该问题无关的计算机) 到的 shell 时遇到了非常类似的问题desktop- 其设置与 非常相似protected。症状:

user@laptop$ ssh desktop "echo foo" | xxd
00000000: 1b5b 3367 0d1b 4820 2020 201b 4820 2020  .[3g..H    .H
00000010: 201b 4820 2020 201b 4820 2020 201b 4820   .H    .H    .H
00000020: 2020 201b 4820 2020 201b 4820 2020 201b     .H    .H    . 
00000030: 4820 2020 201b 4820 2020 201b 4820 2020  H    .H    .H
00000040: 201b 4820 2020 201b 4820 2020 201b 4820   .H    .H    .H
00000050: 2020 201b 4820 2020 201b 4820 2020 201b     .H    .H    .
00000060: 4820 2020 201b 4820 2020 201b 4820 2020  H    .H    .H
00000070: 201b 4820 2020 201b 4820 2020 0d66 6f6f   .H    .H   .foo
00000080: 0a

只需将行更改tabs -4status --is-interactive; and tabs -4in /home/user/.config/fish/config.fishon即可轻松解决此问题desktop。我不久前已在 上进行了此更改protected

然而 -/home/user/.config/fish/config.fish改变desktop似乎已将登录问题从user@修复desktopuser@ protected。我将其发布为答案,因为我觉得解决方案有些新颖 -https://askubuntu.com/a/976226/427339我在问题中链接的说明我需要检查产生输出的命令protected,我通过改变产生输出的命令解决了这个问题desktop

话虽如此,我还是很乐意将一个答案标记为已接受,该答案可以解释本地机器上的 shell 配置如何以及为何干扰 ssh 管道,但是不是直接 ssh 连接。

直到那时,我才得出初步结论,这tabs是一个有风险的程序,如果将其放在 shell 启动文件中,则应极其谨慎地对待。

相关内容