nftables on the server blocks SSH login (using stronger SSH keys)


Please help me solve this problem:

In my view, nftables in Server-3 (Debian-10) is blocking SSH login (from the macOS client).

Extra note relevant to all of my information below: distributions such as Ubuntu, Kali, Tails, etc. are based on Debian GNU/Linux. I am using Debian GNU/Linux 10 Buster (three servers have Debian-10, and there are two more Debian-10 clients/workstations/laptops). The user "erik" shown below is a general user account in Debian. I also use a macOS Sierra 10.12.6 MacBook computer, and the user "macUsr" mentioned is a privileged macOS user account of the "admin" (aka "administrator") type.

Start nftables in the Server-3 computer:

root@SRVR3:~ # systemctl start nftables.service

Error/problem: this is what is shown in the macOS (SSH client computer) terminal with nftables ON/enabled:

macOSbook:~ macUsr$ /usr/bin/ssh -vvv SRVR3_root_sshd
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/macUsr/.ssh/config
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 522: Applying options for SRVR3_root_sshd
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 755: Applying options for *
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug2: resolving "SRVR3.IPv4.ADRS" port 5022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to SRVR3.IPv4.ADRS [SRVR3.IPv4.ADRS] port 5022.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 17829 ms remain after connect
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_NT_eu-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to SRVR3.IPv4.ADRS:5022 as 'root'
debug3: rekey after 104857600 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group18-sha512
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 4106/8192
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:BuDY...IfNg
debug3: verify_host_key_dns
debug1: skipped DNS lookup for numerical hostname
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug1: Host '[SRVR3.IPv4.ADRS]:5022' is known and matches the RSA host key.
debug1: Found key in /Users/macUsr/.ssh/known_hosts:11
debug2: bits set: 4175/8192
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 6553600 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 6553600 blocks
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_NT_eu (0x7fe9d8c1f8b0), explicit, agent
debug2: key:  (0x7fe9d8d01ac0), agent
debug2: key: [email protected] (0x7fe9d8d02690), agent
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr (0x7fe9d8d01410), explicit
debug2: key: /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr (0x7fe9d8d014d0), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
Authentication failed.

In my view, the error "Authentication failed." occurs during "ssh-userauth".

Turn off the (packet filtering) firewall in the Server-3 computer:

root@SRVR3:~ # systemctl stop nftables.service

This is what is shown in the macOS (SSH client) terminal with nftables OFF/disabled:

macOSbook:~ macUsr$ /usr/bin/ssh -vvv SRVR3_root_sshd
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/macUsr/.ssh/config
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 522: Applying options for SRVR3_root_sshd
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 755: Applying options for *
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug2: resolving "SRVR3.IPv4.ADRS" port 5022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to SRVR3.IPv4.ADRS [SRVR3.IPv4.ADRS] port 5022.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 17830 ms remain after connect
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to SRVR3.IPv4.ADRS:5022 as 'root'
debug3: rekey after 104857600 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group18-sha512
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 4121/8192
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:BuDY...IfNg
debug3: verify_host_key_dns
debug1: skipped DNS lookup for numerical hostname
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug1: Host '[SRVR3.IPv4.ADRS]:5022' is known and matches the RSA host key.
debug1: Found key in /Users/macUsr/.ssh/known_hosts:11
debug2: bits set: 4153/8192
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 6553600 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 6553600 blocks
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 (0x7ff42f411ff0), explicit, agent
debug2: key:  (0x7ff42f412950), agent
debug2: key: [email protected] (0x7ff42f413430), agent
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr (0x7ff42f50e900), explicit
debug2: key: /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr (0x7ff42f50ea30), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,hostbased
debug3: start over, passed a different list publickey,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 2071
debug2: input_userauth_pk_ok: fp SHA256:s+We...4zeM
debug3: sign_and_send_pubkey: RSA SHA256:s+We...4zeM
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to SRVR3.IPv4.ADRS ([SRVR3.IPv4.ADRS]:5022).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env ...
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env ...
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Linux SRVR3 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 15 01:20:03 2019 from cpe-NNN-NNN-NNN-NNN.socal.res.rr.com
root@SRVR3:~#

So, above you can clearly see that when nftables is off, SSH login to Server-3 using a strong SSH key works immediately (within about 7 seconds).

But I want + need to log in to the server via SSH while the nftables firewall is on/enabled.

The line numbers shown above will not match the config files shown, because I have removed many comment/annotation lines to keep the less-necessary parts out of public view.

Now, the config/settings information from the macOSbook (client) computer side:

The user's SSH config and SSH key-pair files, with their permissions and ownership:

macOSbook:~ macUsr$ cd ~/.ssh/
macOSbook:.ssh macUsr$ ls -lGA
total 608
-rw-r--r--@ 1 macUsr  staff   6148 Jul 25 18:36 .DS_Store
drwx------  5 macUsr  admin    170 Aug  8 23:54 allow_keys
-rw-------@ 1 macUsr  admin  57140 Aug 15 04:08 config
drwx------  2 macUsr  admin     68 Jul 25 18:36 disallow_keys
-rw-------  1 macUsr  admin   1766 Feb 28  2016 github_rsa
-rw-r-----@ 1 macUsr  admin    399 Feb 28  2016 github_rsa.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:51 id_ed25519_key_MB_macUsr
-rw-r-----  1 macUsr  admin    104 Jul 25 05:51 id_ed25519_key_MB_macUsr.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:50 id_ed25519_key_MB_macUsr_to_SRVR1
-rw-r-----  1 macUsr  admin    104 Jul 25 05:50 id_ed25519_key_MB_macUsr_to_SRVR1.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR2
-rw-r-----  1 macUsr  admin    104 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR2.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR3
-rw-r-----  1 macUsr  admin    104 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR3.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:43 id_rsa-16kb_key_MB_macUsr
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:43 id_rsa-16kb_key_MB_macUsr.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:21 id_rsa-16kb_key_MB_macUsr_to_SRVR1
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:21 id_rsa-16kb_key_MB_macUsr_to_SRVR1.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:30 id_rsa-16kb_key_MB_macUsr_to_SRVR2
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:30 id_rsa-16kb_key_MB_macUsr_to_SRVR2.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:38 id_rsa-16kb_key_MB_macUsr_to_SRVR3
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:38 id_rsa-16kb_key_MB_macUsr_to_SRVR3.pub
-rw-------  1 macUsr  admin   6363 Jul 25 05:49 id_rsa-8kb_key_MB_macUsr
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:49 id_rsa-8kb_key_MB_macUsr.pub
-rw-------  1 macUsr  admin   6363 Jul 25 05:44 id_rsa-8kb_key_MB_macUsr_to_SRVR1
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:44 id_rsa-8kb_key_MB_macUsr_to_SRVR1.pub
-rw-------  1 macUsr  admin   6363 Jul 25 05:47 id_rsa-8kb_key_MB_macUsr_to_SRVR2
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:47 id_rsa-8kb_key_MB_macUsr_to_SRVR2.pub
-rw-------  1 macUsr  admin   6367 Jul 25 05:48 id_rsa-8kb_key_MB_macUsr_to_SRVR3
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:48 id_rsa-8kb_key_MB_macUsr_to_SRVR3.pub
drwx------  5 macUsr  admin    170 Aug  8 23:54 keys_from_others
-rw-------  1 macUsr  admin   9467 Aug  8 19:00 known_hosts

The SSH config (system-wide) files, with their permissions and ownership:

macOSbook:~ macUsr$ cd /etc/ssh
macOSbook:ssh macUsr$ ls -lGA
total 120
drwxr-x---  7 macUsr  wheel     238 Aug  7 18:19 bak_2019-08-07
-rw-r-----  1 root    wheel  553185 Jan 23  2017 moduli
-rw-r-----  1 root    wheel    4546 Aug 15 03:46 ssh_config
-rw-r-----  1 root    wheel    1676 Jul 30  2016 ssh_config~orig
-rw-r-----  1 root    wheel    5333 Aug 10 00:08 sshd_config
-rw-r-----  1 root    wheel    4161 Jun  3  2015 sshd_config~previous

I only use 16kbit RSA keys.

I cannot paste the relevant code (of the config files) directly here; StackOverflow/StackExchange overflows after 30k!

So I pasted the code/config/etc. on GitHub gists and am sharing the links here:

This is the ~/.ssh/config file of the macOS (SSH client) computer.

This is the /etc/ssh/sshd_config file of the Server-3 (SSH server) computer.

This is the /etc/nftables.conf file of the Server-3 (SSH server) computer.

The SSH config and SSH key-pair identity files of the Server-3 "root" user, with their permissions and ownership, in the ~/.ssh/ folder:

root@SRVR3:~# ls -aLAlist --color=auto ~/.ssh/
total 100
 393217  4 drwx------ 9 root root  4096 Aug 16 03:42 ..
 393227  4 drwx------ 2 root root  4096 Aug  8 18:53 .
1711181  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_SRVR1_To_SRVR3.pub
1711180  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_SRVR2_To_SRVR3.pub
1711181  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_DEB1_To_SRVR3.pub
1711180  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_DEB2_To_SRVR3.pub
1711179  4 -rw-r----- 1 root root  2796 Aug  8 18:22 id_rsa-16kb_key_MB_macUsr_to_SRVR3.pub
1711178  4 -rw-r----- 1 root root  2781 Aug  8 18:21 id_rsa_key_SRVR3.pub
1711175 16 -rw------- 1 root root 12717 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR1
1711176  4 -rw-r----- 1 root root  2781 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR1.pub
1711171 16 -rw------- 1 root root 12717 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR2
1711174  4 -rw-r----- 1 root root  2781 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR2.pub
1711177 16 -rw------- 1 root root 12717 Aug  8 18:21 id_rsa_key_SRVR3
1705032  4 -rw------- 1 root root   399 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR2
1705033  4 -rw-r----- 1 root root    89 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR2.pub
1705030  4 -rw------- 1 root root   399 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR1
1705031  4 -rw-r----- 1 root root    89 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR1.pub
 393228 12 -rw------- 1 root root 10103 Aug  2 18:06 authorized_keys
 393223  8 -rw------- 1 root root  4300 Jul 25 22:24 known_hosts

The SSH config and SSH host key-pair files in the Server-3 /etc/ssh/ folder, with their permissions and ownership:

root@SRVR3:~# ls -aLAlist --color=auto /etc/ssh/
total 760
1704605   4 drwxr-xr-x  6 root root   4096 Aug 14 22:38 .
1703937   4 drwxr-xr-x 96 root root   4096 Aug 14 22:31 ..
1704958  20 -rw-r-----  1 root root  17775 Aug 14 19:10 sshd_config
1704606  36 -rw-r--r--  1 root root  33098 Aug  7 23:01 ssh_config
1704954   4 -rw-r-----  1 root root   2781 Jul 23 06:00 ssh_host_rsa_key_SRVR3.pub
1704927  16 -rw-------  1 root root  12717 Jul 23 06:00 ssh_host_rsa_key_SRVR3
1704291   4 -rw-------  1 root root    399 Jul 23 05:58 ssh_host_ed25519_key_SRVR3
1704920   4 -rw-r-----  1 root root     89 Jul 23 05:58 ssh_host_ed25519_key_SRVR3.pub
1704047   4 drwxr-x---  2 root root   4096 Jul 23 05:57 bak
1704625 552 -rw-r-----  1 root root 565189 Apr  8 03:13 moduli

Please help find the problem and fix it, so that macOS/any ssh client can log in to the SSH server while nftables is enabled/on.

EDIT: added the file permission + ownership listings from Server-3.
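The two transcripts above differ only after the client's last "send packet: type 50": the working session receives a type 51/60/52 reply, the failing one receives nothing before "Authentication failed." The script below is an added example (not part of the original post) that extracts the packet sequence from an `ssh -vvv` transcript, names each SSH2 message type, and reports whether the session stopped because the server rejected the credentials or because no reply ever arrived. The sample transcripts are constructed, abbreviated versions of the two sessions in the post.

```python
"""Find where an `ssh -vvv` session stopped.

Added example, not part of the original post. It reads the
`debug3: send packet` / `receive packet` lines that OpenSSH prints at -vvv,
names the numeric SSH2 message types (RFC 4253 transport, RFC 4252
userauth, RFC 8308 EXT_INFO) and reports the last exchange before the
client gave up, so a failed and a successful transcript can be compared.
"""
import re

# SSH2 message numbers: transport layer (RFC 4253), userauth (RFC 4252),
# EXT_INFO (RFC 8308). Only the types seen in typical -vvv output are listed.
MSG_NAMES = {
    1: "DISCONNECT", 5: "SERVICE_REQUEST", 6: "SERVICE_ACCEPT", 7: "EXT_INFO",
    20: "KEXINIT", 21: "NEWKEYS", 30: "KEXDH_INIT", 31: "KEXDH_REPLY",
    50: "USERAUTH_REQUEST", 51: "USERAUTH_FAILURE", 52: "USERAUTH_SUCCESS",
    53: "USERAUTH_BANNER", 60: "USERAUTH_PK_OK",
    80: "GLOBAL_REQUEST", 90: "CHANNEL_OPEN", 91: "CHANNEL_OPEN_CONFIRMATION",
}

PACKET_RE = re.compile(r"^debug3: (send|receive) packet: type (\d+)$")


def packet_sequence(lines):
    """Return [(direction, type_number, name)] for every packet line, in order."""
    seq = []
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if m:
            num = int(m.group(2))
            seq.append((m.group(1), num, MSG_NAMES.get(num, f"type {num}")))
    return seq


def diagnose(lines):
    """Summarise a transcript: phase reached, last packet seen, and a verdict."""
    seq = packet_sequence(lines)
    phase = "connect"                     # nothing negotiated yet
    for direction, num, _ in seq:
        if num in (20, 21, 30, 31):
            phase = "kex"
        elif num in (5, 6, 7):
            phase = "service"
        elif num == 50 and direction == "send":
            phase = "userauth"
        elif num == 52:
            phase = "authenticated"
        elif num in (80, 90, 91):
            phase = "session"

    last = seq[-1] if seq else None
    if any("Authentication succeeded" in line for line in lines):
        verdict = "authenticated"
    elif last and last[0] == "send" and last[1] == 50:
        # USERAUTH_REQUEST went out and nothing came back before the client
        # quit: the server did not answer, or answered too late.
        verdict = "no reply to USERAUTH_REQUEST"
    elif last and last[0] == "receive" and last[1] == 51:
        verdict = "server answered USERAUTH_FAILURE: offered key/method not accepted"
    else:
        verdict = "stopped before userauth"
    return {"phase": phase, "last": last, "verdict": verdict}


# Constructed, abbreviated transcripts following the two sessions in the post.
FAILED = """\
debug3: send packet: type 20
debug3: receive packet: type 20
debug3: send packet: type 30
debug3: receive packet: type 31
debug3: send packet: type 21
debug3: receive packet: type 21
debug3: send packet: type 5
debug3: receive packet: type 7
debug3: receive packet: type 6
debug3: send packet: type 50
Authentication failed.
""".splitlines()

SUCCEEDED = FAILED[:-1] + """\
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,hostbased
debug3: send packet: type 50
debug3: receive packet: type 60
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
debug3: send packet: type 90
debug3: receive packet: type 91
""".splitlines()

if __name__ == "__main__":
    for name, lines in (("nftables on", FAILED), ("nftables off", SUCCEEDED)):
        d = diagnose(lines)
        print(f"{name}: phase={d['phase']} last={d['last']} -> {d['verdict']}")
```

Run it on a saved `ssh -vvv host 2> transcript.log` file by passing the file's lines to `diagnose()`. A verdict of "no reply to USERAUTH_REQUEST" points at something between the two hosts (packet filtering, a client-side timeout, a slow server) rather than at the key itself; a USERAUTH_FAILURE verdict points at the key or authorized_keys.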

Answer 1

For SSH connections using large SSH keys and with the nftables firewall in use, SSH apparently needs a little longer to process and pass through the various components, so the whole SSH authentication process takes more time, but the timing settings I had specified/configured were not enough.

Without nftables enabled/on, the SSH connection from the old macOS computer to Server-3 usually takes around 10 seconds. (So my initial timing settings of 20 or 18 seconds were sufficient when nftables was not loaded/running.)
But when nftables is loaded and on/enabled in the SSH server, the old macOS computer (together with the server-side nftables network packet-filtering activity, etc.) needs an additional 15 to 20 seconds to complete the SSH authentication process.

Solution: increase the timeout/interval/alive duration values (ServerAliveInterval + ServerAliveCountMax, and ClientAliveInterval + ClientAliveCountMax), or remove the timeout settings (use the defaults), as shown below:

Removed/disabled (i.e. turned into comments) these lines in the ~/.ssh/config file of the macOS SSH client computer:

# ConnectTimeout 30
# ConnectTimeout 15
# ConnectTimeout 18
# ConnectionAttempts 1

Changed the following settings/lines in the ~/.ssh/config file:

From:
ServerAliveInterval 20
ServerAliveCountMax 1
The above settings only keep the connection alive for 20 x 1 = 20 seconds

To:

ServerAliveInterval 18  
ServerAliveCountMax 2

The above settings keep the connection alive for 18 x 2 = 36 seconds

And changed the following settings/lines in the /etc/ssh/sshd_config file of the Debian-10 server computer:

From:
ClientAliveInterval 30
ClientAliveCountMax 1
The above settings only keep the connection alive for 30 x 1 = 30 seconds

To:

ClientAliveInterval 18
ClientAliveCountMax 2

The above settings keep the connection alive for 18 x 2 = 36 seconds

Documented information from (macOS) man ssh_config:

ServerAliveCountMax
    Sets the number of server alive messages (see below) which may be
    sent without ssh(1) receiving any messages back from the server.
    If this threshold is reached while server alive messages are being
    sent, ssh will disconnect from the server, terminating the session.
    It is important to note that the use of server alive messages is
    very different from TCPKeepAlive (below).  The server alive messages
    are sent through the encrypted channel and therefore will not be
    spoofable.  The TCP keepalive option enabled by TCPKeepAlive is
    spoofable.  The server alive mechanism is valuable when the client
    or server depend on knowing when a connection has become inactive.

    The default value is 3.  If, for example, ServerAliveInterval (see
    below) is set to 15 and ServerAliveCountMax is left at the default,
    if the server becomes unresponsive, ssh will disconnect after
    approximately 45 seconds.

ServerAliveInterval
    Sets a timeout interval in seconds after which if no data has been
    received from the server, ssh(1) will send a message through the
    encrypted channel to request a response from the server.
    The default is 0, indicating that these messages will not be sent
    to the server.

ConnectionAttempts
    Specifies the number of tries (one per second) to make before exiting.
    The argument must be an integer.  This may be useful in scripts if
    the connection sometimes fails.  The default is 1.

ConnectTimeout
    Specifies the timeout (in seconds) used when connecting to the SSH
    server, instead of using the default system TCP timeout.  This value
    is used only when the target is down or really unreachable, not
    when it refuses the connection.

Documented information from (Debian Server-3) man sshd_config:

ClientAliveCountMax
    Sets the number of client alive messages which may be sent without
    sshd(8) receiving any messages back from the client.  If this threshold
    is reached while client alive messages are being sent, sshd will
    disconnect the client, terminating the session.  It is important to
    note that the use of client alive messages is very different from
    TCPKeepAlive.  The client alive messages are sent through the
    encrypted channel and therefore will not be spoofable.  The TCP
    keepalive option enabled by TCPKeepAlive is spoofable.
    The client alive mechanism is valuable when the client or server
    depend on knowing when a connection has become inactive.

    The default value is 3.  If ClientAliveInterval is set to 15, and
    ClientAliveCountMax is left at the default, unresponsive SSH clients
    will be disconnected after approximately 45 seconds.

ClientAliveInterval
    Sets a timeout interval in seconds after which if no data has been
    received from the client, sshd(8) will send a message through the
    encrypted channel to request a response from the client.  The default
    is 0, indicating that these messages will not be sent to the client.

With the corrected settings mentioned in the paragraphs above, any SSH client computer can now connect to the SSH server even when nftables is ON/enabled. Currently, connecting via SSH with the nftables firewall on/enabled takes about 35 to 45 seconds.

I will have to fine-tune these settings/timing values further, because I want to re-create another SSH tunnel (between a Debian ssh client and a Debian ssh server) within 20 to 40 seconds.
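The answer works out the alive window by hand (20 x 1 = 20, 18 x 2 = 36, and so on). The script below is an added example (not from the original answer) that reads the keepalive directives from an ssh_config (per Host block) and an sshd_config, applies OpenSSH's rule that the first obtained value wins, computes Interval x CountMax for each side, and checks whether an observed login time fits inside the tightest limit. The sample config fragments are constructed from the before/after values given in the answer; the `Host *` fallback values and the hypothetical host name `other` are assumptions for the demonstration, as is the `report()` helper.

```python
"""Compute the alive window that ssh_config / sshd_config settings allow.

Added example, not part of the original answer. It parses the keepalive
directives with OpenSSH's first-obtained-value-wins rule and reports
Interval x CountMax, the figure the answer computes by hand.
"""
import re
from fnmatch import fnmatch

# Defaults taken from ssh_config(5) / sshd_config(5).
DEFAULTS = {
    "serveraliveinterval": 0, "serveralivecountmax": 3,
    "clientaliveinterval": 0, "clientalivecountmax": 3,
    "logingracetime": 120,
}

# "Keyword value" or "Keyword=value"; comments and blank lines are skipped.
LINE_RE = re.compile(r"^([A-Za-z]+)\s*(?:=|\s)\s*(.*)$")


def parse_config(text, host=None):
    """Return {lowercase_keyword: value} for the directives that apply.

    For ssh_config, `host` selects the Host blocks (as the name typed on the
    ssh command line); lines before the first Host block apply everywhere.
    Match blocks are skipped because their conditions are not evaluated
    here, and negated patterns ("!foo") are not handled (simplification).
    """
    opts = {}
    active = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host is None or any(fnmatch(host, p) for p in value.split())
        elif key == "match":
            active = False
        elif active and key not in opts:      # first obtained value wins
            opts[key] = value
    return opts


def alive_window(opts, side):
    """Seconds of silence tolerated before the peer is dropped, or None.

    side is "client" (ServerAlive*, from ssh_config) or "server"
    (ClientAlive*, from sshd_config). Interval 0 disables the probes.
    """
    prefix = "serveralive" if side == "client" else "clientalive"
    interval = int(opts.get(prefix + "interval", DEFAULTS[prefix + "interval"]))
    count = int(opts.get(prefix + "countmax", DEFAULTS[prefix + "countmax"]))
    return None if interval == 0 else interval * count


def report(ssh_cfg, sshd_cfg, host, observed_login_s):
    """Compare each side's tolerated silence with a measured login time (hypothetical helper)."""
    client = alive_window(parse_config(ssh_cfg, host), "client")
    server_opts = parse_config(sshd_cfg)
    server = alive_window(server_opts, "server")
    grace = int(server_opts.get("logingracetime", DEFAULTS["logingracetime"]))
    limit = min(v for v in (client, server, grace) if v is not None)
    return {"client": client, "server": server, "login_grace": grace,
            "limit": limit, "fits": observed_login_s < limit}


# Constructed fragments using the answer's before/after values; the Host *
# block values and the host "other" are assumptions for the demonstration.
SSH_CONFIG_BEFORE = """\
Host SRVR3_root_sshd
    HostName SRVR3.IPv4.ADRS
    Port 5022
    ServerAliveInterval 20
    ServerAliveCountMax 1

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
"""
SSH_CONFIG_AFTER = SSH_CONFIG_BEFORE.replace(
    "ServerAliveInterval 20", "ServerAliveInterval 18").replace(
    "ServerAliveCountMax 1", "ServerAliveCountMax 2")
SSHD_CONFIG_BEFORE = "Port 5022\nLoginGraceTime 120\nClientAliveInterval 30\nClientAliveCountMax 1\n"
SSHD_CONFIG_AFTER = "Port 5022\nClientAliveInterval 18\nClientAliveCountMax 2\n"

if __name__ == "__main__":
    for label, c, s in (("before", SSH_CONFIG_BEFORE, SSHD_CONFIG_BEFORE),
                        ("after", SSH_CONFIG_AFTER, SSHD_CONFIG_AFTER)):
        print(label, report(c, s, "SRVR3_root_sshd", observed_login_s=25))
```

The `limit` reported is the smallest of the three bounds; LoginGraceTime is included because sshd_config(5) defines it as the time after which the server disconnects a client that has not finished logging in, so it caps the authentication phase independently of the alive counters. Feed the script your real files (`open("~/.ssh/config").read()` expanded, and the server's sshd_config) and the login time measured with `time ssh ...` to see which side's setting is the binding one.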
