SSH 在一台计算机上无法连接，但在其他计算机上可以连接

问题

Ubuntu 18.04我有一个运行着的外部 VPS 服务器openssh-server 7.6p1。我可以从许多不同的网络（除了一个特定客户端）通过 ssh 连接到此服务器。这个特定客户端在 上运行Ubuntu 16.04着openssh 7.2p2。

相关配置及日志

• 服务器 SSHD 配置 /$ cat /etc/ssh/sshd_config | egrep -v "^$|^#"

Port 41232
LogLevel DEBUG3
AuthorizedKeysFile  .ssh/authorized_keys
Subsystem   sftp    /usr/libexec/sftp-server

• 客户端 SSH 配置 /$cat /etc/ssh/ssh_config | egrep -v "^$|^#"

Host *
    StrictHostKeyChecking no
    SendEnv LANG LC_*
    NoHostAuthenticationForLocalhost yes

• SSH命令（服务器IP地址改变）

ssh -vvv -F /dev/null [email protected] -p 41232

产生以下日志：

OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /dev/null
debug2: resolving "12.215.24.089" port 41232
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 12.215.24.089 [12.215.24.089] port 41232.
debug1: Connection established.
debug1: identity file /home/saikat/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/saikat/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/saikat/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
ssh_exchange_identification: read: Connection reset by peer

/var/log/auth.log连接重置期间服务器上显示以下内容：

Jul 23 19:47:49 rohini sshd[3336]: debug3: fd 5 is not O_NONBLOCK
Jul 23 19:47:49 rohini sshd[3336]: debug1: Forked child 3725.
Jul 23 19:47:49 rohini sshd[3336]: debug3: send_rexec_state: entering fd = 8 config len 197
Jul 23 19:47:49 rohini sshd[3336]: debug3: ssh_msg_send: type 0
Jul 23 19:47:49 rohini sshd[3336]: debug3: send_rexec_state: done
Jul 23 19:47:49 rohini sshd[3725]: debug3: oom_adjust_restore
Jul 23 19:47:49 rohini sshd[3725]: debug1: Set /proc/self/oom_score_adj to 0
Jul 23 19:47:49 rohini sshd[3725]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jul 23 19:47:49 rohini sshd[3725]: debug1: inetd sockets after dupping: 3, 3
Jul 23 19:47:49 rohini sshd[3725]: Connection from 124.56.232.23 port 10400 on 12.215.24.089 port 41232
Jul 23 19:47:49 rohini sshd[3725]: debug1: Client protocol version 2.0; client software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
Jul 23 19:47:49 rohini sshd[3725]: debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
Jul 23 19:47:49 rohini sshd[3725]: debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Jul 23 19:47:49 rohini sshd[3725]: debug2: fd 3 setting O_NONBLOCK
Jul 23 19:47:49 rohini sshd[3725]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
Jul 23 19:47:49 rohini sshd[3725]: debug2: Network child is on pid 3726
Jul 23 19:47:49 rohini sshd[3725]: debug3: preauth child monitor started
Jul 23 19:47:49 rohini sshd[3725]: debug3: privsep user:group 109:65534 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: permanently_set_uid: 109/65534 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug3: send packet: type 20 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jul 23 19:47:49 rohini sshd[3725]: Connection reset by 124.56.232.23 port 10400 [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: do_cleanup [preauth]
Jul 23 19:47:49 rohini sshd[3725]: debug1: monitor_read_log: child log fd closed
Jul 23 19:47:49 rohini sshd[3725]: debug3: mm_request_receive entering
Jul 23 19:47:49 rohini sshd[3725]: debug1: do_cleanup
Jul 23 19:47:49 rohini sshd[3725]: debug1: Killing privsep child 3726
Jul 23 19:47:49 rohini sshd[3725]: debug1: audit_event: unhandled event 12

• tcpdump -i any -n -vvv src 124.56.232.23SSH 尝试期间：

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:35:00.268722 IP (tos 0x0, ttl 52, id 17296, offset 0, flags [DF], proto TCP (6), length 60)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [S], cksum 0x1f12 (correct), seq 406486862, win 64240, options [mss 1460,sackOK,TS val 822851129 ecr 0,nop,wscale 7], length 0
11:35:00.276593 IP (tos 0x0, ttl 52, id 17297, offset 0, flags [DF], proto TCP (6), length 52)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [.], cksum 0x9554 (correct), seq 406486863, ack 2004122924, win 502, options [nop,nop,TS val 822851138 ecr 1494508470], length 0
11:35:00.277541 IP (tos 0x0, ttl 52, id 17298, offset 0, flags [DF], proto TCP (6), length 94)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [P.], cksum 0x6ecc (correct), seq 0:42, ack 1, win 502, options [nop,nop,TS val 822851139 ecr 1494508470], length 42
11:35:00.297736 IP (tos 0x0, ttl 117, id 18028, offset 0, flags [none], proto TCP (6), length 40)
    124.56.232.23.10600 > 12.215.24.089.41232: Flags [R], cksum 0x07df (correct), seq 406486905, win 24862, length 0
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

粘贴箱

我已尝试/检查过

• 重启服务器
• 重启客户端
• /etc/hosts.deny服务器上没有条目
• 强制使用 IPV4，但没有帮助ssh -F /dev/null -4 [email protected] -p 41232
• 尝试使用标志-i /dev/null
• 一种可能性是 MTU 碎片，这里讨论得很好。我尝试了讨论中的几个答案，但没有解决问题。具体来说：
  • 我试过添加密码、MAC、HostKeyAlgorithms 和其他标志在/etc/ssh/ssh_config
  • 尝试将客户端的 MTU 更改为 576、1000 和 1280ens3。服务器上的 MTU为 1500。
  • 还尝试IPQoS lowdelay throughput添加/etc/ssh/ssh_config
• 我也无法通过 PuTTY 连接到服务器。

防火墙

继评论从@肯斯特，这里分别是客户端和服务端的软件防火墙。

• 服务器设置 /sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
41232/tcp                  ALLOW IN    Anywhere                   # OpenSSH
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere                  
443/tcp (Nginx HTTPS)      ALLOW IN    Anywhere                  
1313/tcp                   ALLOW IN    Anywhere                   # Hugo Server
41232/tcp (v6)             ALLOW IN    Anywhere (v6)              # OpenSSH
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)             
443/tcp (Nginx HTTPS (v6)) ALLOW IN    Anywhere (v6)             
1313/tcp (v6)              ALLOW IN    Anywhere (v6)              # Hugo Server

• 客户端设置 /sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

参考资料（类似问题及其解决方案）

• 同一局域网中的一台计算机也存在同样的问题
• SSH 因 MTU 而挂起
• 其他主题： [1] [2] [3] [4]