SSH cannot connect from one computer but can from other computers

Question

I have an external VPS server running Ubuntu 18.04 with openssh-server 7.6p1. I can ssh to this server from many different networks, except from one specific client. That specific client runs Ubuntu 16.04 with openssh 7.2p2.

Relevant configuration and logs

  • Server SSHD configuration, $ cat /etc/ssh/sshd_config | egrep -v "^$|^#":
Port 41232
LogLevel DEBUG3
AuthorizedKeysFile  .ssh/authorized_keys
Subsystem   sftp    /usr/libexec/sftp-server
  • Client SSH configuration, $ cat /etc/ssh/ssh_config | egrep -v "^$|^#":
Host *
    StrictHostKeyChecking no
    SendEnv LANG LC_*
    NoHostAuthenticationForLocalhost yes
  • SSH command (server IP address changed):
ssh -vvv -F /dev/null [email protected] -p 41232

which produces the following log:

OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /dev/null
debug2: resolving "12.215.24.089" port 41232
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 12.215.24.089 [12.215.24.089] port 41232.
debug1: Connection established.
debug1: identity file /home/saikat/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/saikat/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
ssh_exchange_identification: read: Connection reset by peer

During the connection reset, /var/log/auth.log on the server shows the following:

Jul 23 19:47:49 rohini sshd[3336]: debug3: fd 5 is not O_NONBLOCK
Jul 23 19:47:49 rohini sshd[3336]: debug1: Forked child 3725.
Jul 23 19:47:49 rohini sshd[3336]: debug3: send_rexec_state: entering fd = 8 config len 197
Jul 23 19:47:49 rohini sshd[3336]: debug3: ssh_msg_send: type 0
Jul 23 19:47:49 rohini sshd[3336]: debug3: send_rexec_state: done
Jul 23 19:47:49 rohini sshd[3725]: debug3: oom_adjust_restore
Jul 23 19:47:49 rohini sshd[3725]: debug1: Set /proc/self/oom_score_adj to 0
Jul 23 19:47:49 rohini sshd[3725]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jul 23 19:47:49 rohini sshd[3725]: debug1: inetd sockets after dupping: 3, 3
Jul 23 19:47:49 rohini sshd[3725]: Connection from 124.56.232.23 port 10400 on 12.215.24.089 port 41232
Jul 23 19:47:49 rohini sshd[3725]: debug1: Client protocol version 2.0; client software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
Jul 23 19:47:49 rohini sshd[3725]: debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
Jul 23 19:47:49 rohini sshd[3725]: debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Jul 23 19:47:49 rohini sshd[3725]: debug2: fd 3 setting O_NONBLOCK
Jul 23 19:47:49 rohini sshd[3725]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
Jul 23 19:47:49 rohini sshd[3725]: debug2: Network child is on pid 3726
Jul 23 19:47:49 rohini sshd[3725]: debug3: preauth child monitor started
Jul 23 19:47:49 rohini sshd[3725]: debug3: privsep user:group 109:65534 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: permanently_set_uid: 109/65534 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug3: send packet: type 20 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jul 23 19:47:49 rohini sshd[3725]: Connection reset by 124.56.232.23 port 10400 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: do_cleanup [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: monitor_read_log: child log fd closed
Jul 23 19:47:49 rohini sshd[3725]: debug3: mm_request_receive entering
Jul 23 19:47:49 rohini sshd[3725]: debug1: do_cleanup
Jul 23 19:47:49 rohini sshd[3725]: debug1: Killing privsep child 3726
Jul 23 19:47:49 rohini sshd[3725]: debug1: audit_event: unhandled event 12
  • tcpdump -i any -n -vvv src 124.56.232.23 during the SSH attempt:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:35:00.268722 IP (tos 0x0, ttl 52, id 17296, offset 0, flags [DF], proto TCP (6), length 60)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [S], cksum 0x1f12 (correct), seq 406486862, win 64240, options [mss 1460,sackOK,TS val 822851129 ecr 0,nop,wscale 7], length 0
11:35:00.276593 IP (tos 0x0, ttl 52, id 17297, offset 0, flags [DF], proto TCP (6), length 52)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [.], cksum 0x9554 (correct), seq 406486863, ack 2004122924, win 502, options [nop,nop,TS val 822851138 ecr 1494508470], length 0
11:35:00.277541 IP (tos 0x0, ttl 52, id 17298, offset 0, flags [DF], proto TCP (6), length 94)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [P.], cksum 0x6ecc (correct), seq 0:42, ack 1, win 502, options [nop,nop,TS val 822851139 ecr 1494508470], length 42
11:35:00.297736 IP (tos 0x0, ttl 117, id 18028, offset 0, flags [none], proto TCP (6), length 40)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [R], cksum 0x07df (correct), seq 406486905, win 24862, length 0
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

What I have tried/checked

Firewall

In response to @Kenster's comment, here are the software firewalls on the client and the server respectively.

  • Server settings, sudo ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
41232/tcp                  ALLOW IN    Anywhere                   # OpenSSH
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere                  
443/tcp (Nginx HTTPS)      ALLOW IN    Anywhere                  
1313/tcp                   ALLOW IN    Anywhere                   # Hugo Server
41232/tcp (v6)             ALLOW IN    Anywhere (v6)              # OpenSSH
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)             
443/tcp (Nginx HTTPS (v6)) ALLOW IN    Anywhere (v6)             
1313/tcp (v6)              ALLOW IN    Anywhere (v6)              # Hugo Server
  • Client settings, sudo ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
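As an added example that is not part of the original question: in the capture above the client's own SYN, ACK and PSH packets arrive with ttl 52, consecutive IP ids and the DF bit set, while the RST that kills the session carries ttl 117, an unrelated IP id and no DF bit. The script below parses tcpdump -vvv output and flags a RST whose IP-layer fingerprint does not match the rest of the flow, which is the usual way to tell a reset injected by an intermediate device from one genuinely sent by the peer. The sample text is the four packets captured above; the regexes and the 64-id distance threshold are my own assumptions.

```python
import re

# Constructed sample: the four client-side packets from the tcpdump output above.
TCPDUMP_SAMPLE = """\
11:35:00.268722 IP (tos 0x0, ttl 52, id 17296, offset 0, flags [DF], proto TCP (6), length 60)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [S], cksum 0x1f12 (correct), seq 406486862, win 64240, options [mss 1460,sackOK,TS val 822851129 ecr 0,nop,wscale 7], length 0
11:35:00.276593 IP (tos 0x0, ttl 52, id 17297, offset 0, flags [DF], proto TCP (6), length 52)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [.], cksum 0x9554 (correct), seq 406486863, ack 2004122924, win 502, options [nop,nop,TS val 822851138 ecr 1494508470], length 0
11:35:00.277541 IP (tos 0x0, ttl 52, id 17298, offset 0, flags [DF], proto TCP (6), length 94)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [P.], cksum 0x6ecc (correct), seq 0:42, ack 1, win 502, options [nop,nop,TS val 822851139 ecr 1494508470], length 42
11:35:00.297736 IP (tos 0x0, ttl 117, id 18028, offset 0, flags [none], proto TCP (6), length 40)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [R], cksum 0x07df (correct), seq 406486905, win 24862, length 0
"""

IP_RE = re.compile(r"^(\S+) IP \(tos \S+, ttl (\d+), id (\d+), .*?flags \[(\w+)\]")
TCP_RE = re.compile(r"^\s+(\S+) > (\S+): Flags \[([^\]]+)\]")

def parse_tcpdump(text):
    """Pair each IP header line with the TCP line that follows it (tcpdump -vvv layout)."""
    lines = [l for l in text.splitlines() if l.strip()]
    pkts = []
    for hdr, tcp in zip(lines[0::2], lines[1::2]):
        m, t = IP_RE.match(hdr), TCP_RE.match(tcp)
        if m and t:
            pkts.append({"time": m.group(1), "ttl": int(m.group(2)),
                         "ipid": int(m.group(3)), "df": m.group(4) == "DF",
                         "src": t.group(1), "dst": t.group(2), "flags": t.group(3)})
    return pkts

def suspicious_resets(pkts):
    """Return (rst_packet, reasons) for RSTs whose TTL, DF bit or IP-ID do not match the
    rest of the flow; a RST forged upstream rarely reproduces the real peer's IP fingerprint."""
    findings = []
    for p in pkts:
        if "R" not in p["flags"]:
            continue
        flow = [q for q in pkts if q["src"] == p["src"] and "R" not in q["flags"]]
        if not flow:
            continue
        reasons = []
        ttls = {q["ttl"] for q in flow}
        if p["ttl"] not in ttls:
            reasons.append(f"ttl {p['ttl']} vs flow ttl {sorted(ttls)}")
        if p["df"] != flow[-1]["df"]:
            reasons.append("DF bit differs from rest of flow")
        if abs(p["ipid"] - flow[-1]["ipid"]) > 64:  # assumed threshold for "not the same sender"
            reasons.append(f"ip id jumps {flow[-1]['ipid']} -> {p['ipid']}")
        if reasons:
            findings.append((p, reasons))
    return findings
```

Run it over a longer capture taken with tcpdump -n -vvv on the server side; a RST that trips all three checks while every other packet from that address agrees is strong evidence the reset did not originate on the client.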
