我有两个用户desktop
-root
和user
。我有一个bastion
和一个protected
主机。当我ssh protected
以root
on身份运行时desktop
,我连接正常。当我ssh protected
以user
on身份运行时desktop
,我没有得到任何输出 - 只有一个空白行,就像在等待什么东西一样。但是,user
能直接登录到bastion
主机,然后从那里再登录到protected
主机。
root
和目录user
中的内容相同(.ssh
)#cp -r ~/.ssh /home/user; chown -R user:user /home/user/.ssh
。
主机bastion
似乎转发正常 - 正在运行$(which sshd) -Ddp 10222
(每https://unix.stackexchange.com/a/128910/9583)debug1: channel 0: connected to protected port 22
两者显示的是相同的线。
运行相同的操作protected
会显示相同的输出,直到:
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
第二行不是从 连接时user
显示desktop
。
ssh -vvv protected
就像节目user
中desktop
展示的那样:
OpenSSH_7.9p1, OpenSSL 1.1.1 11 Sep 2018
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: /home/user/.ssh/config line 10: Applying options for protected
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Executing proxy command: exec ssh bastion -W protected:22
debug1: identity file /home/user/.ssh/id_protected type 0
debug1: identity file /home/user/.ssh/id_protected-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: ssh_exchange_identification: \033[3g
\033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H
SSH-2.0-Op
debug1: ssh_exchange_identification: enSSH_7.9
debug1: ssh_exchange_identification:
debug1: ssh_exchange_identification: 6,diffie-hellman-group14-sha1
debug1: ssh_exchange_identification: aes192-ctr,aes256-ctr,[email protected],[email protected]
debug1: ssh_exchange_identification: 2-256,hmac-sha2-512,hmac-sha1
root
直到第一行为止,所有内容都desktop
相同ssh_exchange_identification
。
我的 ssh 配置是:
Host *
ServerAliveInterval 60
IdentitiesOnly yes
Host bastion
HostName bastion.host
IdentityFile ~/.ssh/id_protected
User user
Host protected
IdentityFile ~/.ssh/id_protected
Hostname protected
User user
ProxyCommand ssh bastion -W %h:%p
我也尝试过https://askubuntu.com/a/976226/427339,但我认为这不适用,原因有二 - 1. 清空我的~/.config/fish/fish.config
没什么区别,2. 我可以登录到同user
一个protected
从 root
在desktop
。
所有三个系统都运行 Arch Linux,protected
并且desktop
都使用fish
shell。
编辑:
user
@bastion
的~/.ssh/config
:
Host *
ServerAliveInterval 60
Host protected
User user
IdentityFile ~/.ssh/id_protected
如上所述,这可以很好地登录受保护的账户。/etc/hosts
有一个protected
指向网络本地 IP 的条目 - 10.xxx
编辑2:
我的问题与这些非常相似:
- https://groups.google.com/d/topic/comp.security.ssh/e1nObaX5ZWg/discussion
- https://groups.google.com/d/topic/comp.security.ssh/_HDV0JXXQA8/discussion
- https://groups.google.com/d/topic/comp.security.ssh/tDgwEDJKGuE/discussion
我还没有尝试过 MTU 解决方法,并且对协议分析器也不够熟悉,无法立即设置并使用它。
编辑3:
添加-v
到ProxyCommand
(现在是ProxyCommand ssh -v bastion -W %h:%p
),完整输出user@desktop$ ssh protected
:
OpenSSH_7.9p1, OpenSSL 1.1.1 11 Sep 2018
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: /home/user/.ssh/config line 5: Applying options for bastion
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to bastion [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_protected type 0
debug1: identity file /home/user/.ssh/id_protected-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bastion:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HfDmNOGgLrPLMsnCbyZuEuJapj+T6wrSTTiFSd+37ag
debug1: Host 'bastion' is known and matches the ECDSA host key.
debug1: Found key in /home/users/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent
debug1: Server accepts key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent
debug1: Authentication succeeded (publickey).
Authenticated to bastion ([x.x.x.x]:22).
debug1: channel_connect_stdio_fwd protected:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: /home/user/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/user/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
--- very long delay; from `root` everything is the same till here, but the next line is `Last login: ...`, etc - a successful connection ---
debug1: channel 0: FORCE input drain
ssh_exchange_identification: Connection closed by remote host
debug1: channel 0: free: direct-tcpip: listening port 0 for protected port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Killed by signal 1.
答案1
由于受保护的主机位于堡垒主机后面,因此您仍然需要通过堡垒主机才能到达它,无论是从根用户或普通用户帐户。
只需将根 ssh 配置复制到用户 ssh 配置就可以了,但要ForwardAgent yes
在每个Host
部分中为根用户和桌面上的普通用户添加一个。
Host *
ServerAliveInterval 60
IdentitiesOnly yes
Host bastion
HostName bastion.host
IdentityFile ~/.ssh/id_protected
User user
ForwardAgent yes
Host protected
IdentityFile ~/.ssh/id_protected
Hostname protected
User user
ForwardAgent yes
ProxyCommand ssh bastion -W %h:%p
sshd_config
堡垒和受保护主机上的文件(通常为)/etc/ssh/sshd_config
需要具有,AllowAgentForwarding yes
这通常是默认的,但值得检查。如果您确实需要更改,请在保存后重新启动 sshd。
希望 root 和普通用户的私钥相同,但如果不同,请确保.ssh/authorized_keys
堡垒主机和受保护主机上的文件中都有相应的公钥。换句话说,堡垒用户的.ssh/authorized_keys
文件有一个条目(单行,2 或 3 个空格分隔的字段),其中包含桌面使用的相应私钥的公钥,受保护主机也是如此。
如果您不再拥有公钥,您可以通过以下命令获取:
ssh-keygen -l -f /path/to/private_key
答案2
laptop
我在从(问题中未提及 - 我也有pi
其他几台与该问题无关的计算机) 到的 shell 时遇到了非常类似的问题desktop
- 其设置与 非常相似protected
。症状:
user@laptop$ ssh desktop "echo foo" | xxd
00000000: 1b5b 3367 0d1b 4820 2020 201b 4820 2020 .[3g..H .H
00000010: 201b 4820 2020 201b 4820 2020 201b 4820 .H .H .H
00000020: 2020 201b 4820 2020 201b 4820 2020 201b .H .H .
00000030: 4820 2020 201b 4820 2020 201b 4820 2020 H .H .H
00000040: 201b 4820 2020 201b 4820 2020 201b 4820 .H .H .H
00000050: 2020 201b 4820 2020 201b 4820 2020 201b .H .H .
00000060: 4820 2020 201b 4820 2020 201b 4820 2020 H .H .H
00000070: 201b 4820 2020 201b 4820 2020 0d66 6f6f .H .H .foo
00000080: 0a
只需将行更改tabs -4
为status --is-interactive; and tabs -4
in /home/user/.config/fish/config.fish
on即可轻松解决此问题desktop
。我不久前已在 上进行了此更改protected
。
然而 -/home/user/.config/fish/config.fish
改变desktop
似乎已将登录问题从user
@修复desktop
为user
@ protected
。我将其发布为答案,因为我觉得解决方案有些新颖 -https://askubuntu.com/a/976226/427339我在问题中链接的说明我需要检查产生输出的命令在protected
,我通过改变产生输出的命令解决了这个问题在desktop
。
话虽如此,我还是很乐意将一个答案标记为已接受,该答案可以解释本地机器上的 shell 配置如何以及为何干扰 ssh 管道,但是不是直接 ssh 连接。
直到那时,我才得出初步结论,这tabs
是一个有风险的程序,如果将其放在 shell 启动文件中,则应极其谨慎地对待。