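I have two laptops and two Raspberry Pis on my network. The problem is that I cannot ssh into one of the RPis from any machine, nor from that RPi to the other machines. Both Pis have a fresh install of Raspbian Buster Lite. I can ping the Pi successfully, but the ssh connection times out. My sshfs does not work either, as expected. I tried purging ssh, openssh-client and openssh-server and then reinstalling them, without success. The debug output is not very helpful or descriptive: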
$ ssh [email protected] -vvv
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.0.15" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.0.15 [192.168.0.15] port 22.
debug1: connect to address 192.168.0.15 port 22: Connection timed out
ssh: connect to host 192.168.0.15 port 22: Connection timed out
All my machines are on 192.168.0.*:
What can I do to solve this?
@Edit:
I used to be able to ssh into the RPi from one laptop, but not from the other. Now I cannot do it from either of them.
nmap port scan output:
$ nmap -p 22 192.168.0.15
Starting Nmap 7.60 ( https://nmap.org ) at 2019-12-17 17:05 CET
Nmap scan report for 192.168.0.15
Host is up (0.010s latency).
PORT STATE SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
There is no firewall running on the RPi.
$ sudo netstat --tcp --programs --listening --numeric
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1335/sshd
tcp6 0 0 :::22 :::* LISTEN 1335/sshd
As requested:
$ sudo ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:ab:f8:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.0.15/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:feab:f8fb/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:fe:ad:ae brd ff:ff:ff:ff:ff:ff
$ sudo ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.15 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::ba27:ebff:feab:f8fb prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:ab:f8:fb txqueuelen 1000 (Ethernet)
RX packets 121039 bytes 19525595 (18.6 MiB)
RX errors 0 dropped 11 overruns 0 frame 0
TX packets 26795 bytes 5950306 (5.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2 bytes 78 (78.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 78 (78.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ssh config files:
Broken Pi:
$ cat /etc/ssh/ssh_config
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected]
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
$ cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Working Pi:
$ cat /etc/ssh/ssh_config
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected]
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
$ cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
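Answer 1
I still cannot write comments, but according to the nmap documentation:
Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port.
My guess is that the router somehow blocks the port, and maybe it is a bug that the other raspi is working. Maybe you can check this, and be sure to restart the router/switch if you changed something, or in general.
Also, it may help to rule out hardware errors by swapping modules. That means using the wall socket / power supply unit (it should have enough amps) from the working one, and putting the SD card from the broken one into the working one instead of the non-working one, or the other way around (I had this once: the network adapter was defective).
Also, are you using password authentication or an rsa file?
What are the contents of the /etc/hosts file on both of your Pis (the working one and the one with the ssh problems)? (cat /etc/hosts)
Also, please provide the contents of /etc/ssh/ssh_config (client config) and /etc/ssh/sshd_config (ssh server config) of the non-working pi, and any potential differences from the working raspi. (cat /etc/ssh/ssh_config && cat /etc/sshd_config)
Edit: further tries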
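Since the internet is working (the internet runs over ports 80, 8080 and 443), we can try the following on the "broken" pi:
Uncomment
# Port 22
in /etc/ssh/sshd_conf and change it to Port 80. If that does not work, change it to Port 443 and Port 8080, because those ports should be available. (You can change it with sudo nano /etc/ssh/sshd_conf and save the changes with ctrl + x.) Then run
sudo systemctl restart sshd.service
between each change, and try to connect to the broken pi again from another device between each change:
ssh -p 80 [email protected]
-p stands for the port variable, since you changed the port and restarted the adapter with systemctl (you can also reboot the pi every time, if you want to be sure).
If it still does not work, change the port back to Port 22. (FYI: if you have public servers with ssh enabled, you should change the port to anything uncommon to make random attacks less easy, for example port 2409 or something else.) You can also check the daemon status:
sudo systemctl status sshd.service
If there are errors, or "failed" or not-loaded errors, in the output on the broken pi, please post them as well. I guess accessing the hardware is not easy, but if it is not too much trouble I would really recommend swapping the hardware, even though the internet works and this sounds stupid, just to rule it out. I have run into the craziest hardware problems. On the electrical side it is a cascade of signals, and one modulator module can behave unexpectedly. Over the years I have seen the funniest things, because "it works, and then it does not" makes a hardware defect a real possibility.
If it was because of the port, your ssh should already work over another port. If not, the further steps are: did you do an update (f.e. sudo apt update && sudo apt update) or install anything before it stopped working? Can you remember anything, even the smallest change, before it stopped working? Did you do an update recently (sudo apt update && sudo apt update -y)? If not, do it now and reboot the pi; sometimes even that helps.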
Answer 2
PORT STATE SERVICE
22/tcp filtered ssh
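ssh is being blocked one way or another:
- by a firewall on the PI box;
- the smart router you are using may be using a security feature (ips isolation or firewall) to block ssh.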
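
The evidence collected in this thread (sshd listening on 0.0.0.0:22 on the Pi, nmap reporting the port as filtered, the client timing out) can be combined mechanically. The following is an added example, not code from the original posts; the function names and diagnosis strings are assumptions made for illustration, and the netstat sample is constructed from the two LISTEN lines in the question.

```python
import errno
import socket

# Constructed sample: the two LISTEN lines from the netstat output in the question.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1335/sshd
tcp6 0 0 :::22 :::* LISTEN 1335/sshd
"""

def classify_tcp_port(host, port, timeout=3.0):
    """One full TCP connect, mapped onto nmap's port-state vocabulary."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"             # handshake completed
        except ConnectionRefusedError:
            return "closed"           # RST came back: reachable, nothing accepting
        except (socket.timeout, TimeoutError):
            return "filtered"         # SYN got no answer: dropped on the path
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"  # ICMP error or no ARP reply
            raise

def wildcard_listener(netstat_text, port):
    """True if netstat shows a LISTEN socket bound to all addresses on port."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[5] == "LISTEN" and f[3] in (f"0.0.0.0:{port}", f":::{port}"):
            return True
    return False

def diagnose(remote_state, listening):
    """Combine the client-side port state with the server-side listener check."""
    if remote_state == "open":
        return "reachable: any remaining failure is above TCP (keys, auth, config)"
    if remote_state == "filtered" and listening:
        return "dropped in transit: check host firewall rules and router/AP filtering"
    if remote_state == "closed" and listening:
        return "reset by something other than sshd: REJECT rule or another host on this IP"
    if not listening:
        return "no listener on the server: check that sshd is running and bound"
    return "host not reachable at the IP layer: check addressing and cabling"
```

For the case in the question, `diagnose("filtered", wildcard_listener(NETSTAT_SAMPLE, 22))` points at packet filtering between the client and sshd rather than at the ssh configuration files.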