Passwordless ssh reverse tunnel suddenly asks for a password?

This has me baffled; I hope someone can shed some light on it.

I have a local server LOCALSRV and a remote server (Ubuntu 20.04) REMOTESRV.

On the local server I set up a reverse ssh tunnel by running autossh at boot, forwarding LOCALSRV port 5555 to REMOTESRV port 7777 using passwordless key authentication:

/opt/sbin/autossh -M 51501 -f \
my_tnl_user@REMOTESRV \
-p 51500 -NT -i /path/to/mykey_id_rsa \
-o "ExitOnForwardFailure=yes" \
-o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" \
-R 7777:127.0.0.1:5555

When I started this last night, everything worked fine; accordingly, sudo journalctl -t sshd on REMOTESRV from around that time (about 18:00) reports:

Nov 18 18:09:51 REMOTESRV sshd[29058]: Disconnected from user my_tnl_user LOCALSRV_PUB_IP port 48109
Nov 18 18:09:51 REMOTESRV sshd[28990]: pam_unix(sshd:session): session closed for user my_tnl_user

Nov 18 18:17:49 REMOTESRV sshd[29127]: Accepted publickey for my_tnl_user from LOCALSRV_PUB_IP port 50641 ssh2: R>
Nov 18 18:17:49 REMOTESRV sshd[29127]: pam_unix(sshd:session): session opened for user my_tnl_user by (uid=0)

Fair enough; so I checked everything this morning, and nothing worked. The autossh log on LOCALSRV is not very informative (I forgot to use AUTOSSH_DEBUG=1):

...
2021/11/18 18:17:49 autossh[13408]: starting ssh (count 1)
2021/11/18 18:17:49 autossh[13408]: ssh child pid is 13409
2021/11/18 22:58:06 autossh[13408]: timeout polling to accept read connection
2021/11/18 22:58:06 autossh[13408]: port down, restarting ssh
2021/11/18 22:58:06 autossh[13408]: starting ssh (count 2)
2021/11/18 22:58:06 autossh[13408]: ssh child pid is 17556
2021/11/18 22:58:07 autossh[13408]: ssh exited with error status 255; restarting ssh
2021/11/18 22:58:07 autossh[13408]: starting ssh (count 3)
2021/11/18 22:58:07 autossh[13408]: ssh child pid is 17557
2021/11/18 22:58:07 autossh[13408]: ssh exited with error status 255; restarting ssh

# this then repeats all the way to end, with differing PIDs:

2021/11/18 22:58:07 autossh[13408]: starting ssh (count 4)
2021/11/18 22:58:07 autossh[13408]: ssh child pid is 17559
2021/11/18 22:58:07 autossh[13408]: ssh exited with error status 255; restarting ssh
...

So I can't tell what might have happened at 22:58 to cause "timeout polling to accept read connection" and "port down, restarting ssh" (the only occurrences of those strings in that log).

So I looked at sudo journalctl -t sshd on REMOTESRV (line breaks added for readability):

...
Nov 18 18:17:49 REMOTESRV sshd[29127]: Accepted publickey for my_tnl_user from LOCALSRV_PUB_IP port 50641 ssh2: R>
Nov 18 18:17:49 REMOTESRV sshd[29127]: pam_unix(sshd:session): session opened for user my_tnl_user by (uid=0)

Nov 18 22:58:06 REMOTESRV sshd[29920]: Accepted publickey for my_tnl_user from LOCALSRV_PUB_IP port 57231 ssh2: R>
Nov 18 22:58:06 REMOTESRV sshd[29920]: pam_unix(sshd:session): session opened for user my_tnl_user by (uid=0)
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: bind [127.0.0.1]:51501: Address already in use
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 51501
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: bind [127.0.0.1]:7777: Address already in use
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 7777
Nov 18 22:58:07 REMOTESRV sshd[29920]: pam_unix(sshd:session): session closed for user my_tnl_user
Nov 18 22:58:07 REMOTESRV sshd[30004]: Accepted publickey for my_tnl_user from LOCALSRV_PUB_IP port 57232 ssh2: R>
Nov 18 22:58:07 REMOTESRV sshd[30004]: pam_unix(sshd:session): session opened for user my_tnl_user by (uid=0)
...

OK, so here we can see "bind: Address already in use" and "error: channel_setup_fwd_listener_tcpip: cannot listen to port" - I have no idea why this happens; the closest thing I found is this:

In my case this behaviour was caused by two machines connecting to the server at the same time with the same autossh monitoring port (-M).

If the client reconnects before the server-side connection has been terminated, you can end up with a new ssh connection that is active but has no port forwarding. To avoid this, you need to use the ExitOnForwardFailure keyword on the client.

Uh, but I'm already using it, aren't I?

Now here's the trickiest part - after the above log snippet in sudo journalctl -t sshd on REMOTESRV, this repeats for a while:

...
Nov 18 22:58:07 REMOTESRV sshd[30004]: pam_unix(sshd:session): session closed for user my_tnl_user
Nov 18 22:58:07 REMOTESRV sshd[30066]: Accepted publickey for my_tnl_user from LOCALSRV_PUB_IP port 57233 ssh2: R>
Nov 18 22:58:07 REMOTESRV sshd[30066]: pam_unix(sshd:session): session opened for user my_tnl_user by (uid=0)
Nov 18 22:58:08 REMOTESRV sshd[30127]: error: bind [127.0.0.1]:51501: Address already in use
Nov 18 22:58:08 REMOTESRV sshd[30127]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 51501
Nov 18 22:58:08 REMOTESRV sshd[30127]: error: bind [127.0.0.1]:7777: Address already in use
Nov 18 22:58:08 REMOTESRV sshd[30127]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 7777
...

...and then it ends like this (blank lines added for readability):

...
Nov 18 22:59:11 REMOTESRV sshd[30500]: pam_unix(sshd:session): session closed for user my_tnl_user
Nov 18 23:00:01 REMOTESRV sshd[30562]: Accepted publickey for my_tnl_user from LOCALSRV_PUB_IP port 57263 ssh2: R>
Nov 18 23:00:01 REMOTESRV sshd[30562]: pam_unix(sshd:session): session opened for user my_tnl_user by (uid=0)
Nov 18 23:00:01 REMOTESRV sshd[30623]: error: bind [127.0.0.1]:51501: Address already in use
Nov 18 23:00:01 REMOTESRV sshd[30623]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 51501
Nov 18 23:00:01 REMOTESRV sshd[30623]: error: bind [127.0.0.1]:7777: Address already in use
Nov 18 23:00:01 REMOTESRV sshd[30623]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 7777
Nov 18 23:00:01 REMOTESRV sshd[30562]: pam_unix(sshd:session): session closed for user my_tnl_user

Nov 18 23:01:13 REMOTESRV sshd[30624]: Failed password for my_tnl_user from LOCALSRV_PUB_IP port 57286 ssh2
Nov 18 23:01:13 REMOTESRV sshd[30624]: Failed password for my_tnl_user from LOCALSRV_PUB_IP port 57286 ssh2
Nov 18 23:01:13 REMOTESRV sshd[30624]: Connection closed by authenticating user my_tnl_user LOCALSRV_PUB_IP port >

Nov 18 23:02:51 REMOTESRV sshd[30627]: Failed password for my_tnl_user from LOCALSRV_PUB_IP port 57294 ssh2
Nov 18 23:02:51 REMOTESRV sshd[30627]: Failed password for my_tnl_user from LOCALSRV_PUB_IP port 57294 ssh2
Nov 18 23:02:52 REMOTESRV sshd[30627]: Connection closed by authenticating user my_tnl_user LOCALSRV_PUB_IP port >
...

So REMOTESRV suddenly started asking for an ssh password for user my_tnl_user - even though it was originally set up for passwordless key authentication, which did work?!

What on earth is going on here?

Here's the thing: I don't actually have access to LOCALSRV right now, but autossh is still running there and keeps trying to connect to the server.

I did reboot REMOTESRV this morning (Nov 19), and autossh on LOCALSRV has tried to connect to it many times since - but it fails every time, because it attempts key authentication while REMOTESRV keeps asking for a password, and authentication fails.

Can anyone explain what happened? Is there anything I can do on REMOTESRV, and if so, what, to make it accept key authentication from LOCALSRV again without a password, so that I have a working ssh reverse tunnel again?!
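As an added example (not from the question or from the autossh project), a small Python triage pass over sshd journal lines of the kind quoted above: it pulls out the forwarded ports whose bind failed with "Address already in use" (a listener from an earlier session still holding them) and flags a user/source pair that sshd previously accepted with publickey but is now logging "Failed password" for, which is the fallback a client makes when its offered key is no longer accepted. The sample lines are constructed from the question's own entries; REMOTESRV, LOCALSRV_PUB_IP and my_tnl_user are the question's placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd journal lines in the question.
SAMPLE_LOG = """\
Nov 18 22:58:06 REMOTESRV sshd[29920]: Accepted publickey for my_tnl_user from LOCALSRV_PUB_IP port 57231 ssh2
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: bind [127.0.0.1]:51501: Address already in use
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 51501
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: bind [127.0.0.1]:7777: Address already in use
Nov 18 22:58:07 REMOTESRV sshd[30003]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 7777
Nov 18 22:58:07 REMOTESRV sshd[29920]: pam_unix(sshd:session): session closed for user my_tnl_user
Nov 18 23:01:13 REMOTESRV sshd[30624]: Failed password for my_tnl_user from LOCALSRV_PUB_IP port 57286 ssh2
Nov 18 23:01:13 REMOTESRV sshd[30624]: Failed password for my_tnl_user from LOCALSRV_PUB_IP port 57286 ssh2
"""

# "Accepted publickey for USER from HOST port N ssh2" / "Failed password for USER from HOST port N ssh2"
AUTH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")
# "error: bind [127.0.0.1]:7777: Address already in use": an earlier session's listener still holds the port
BIND_RE = re.compile(r"error: bind \[([^\]]+)\]:(\d+): Address already in use")

def triage(log_text, forwarded_ports=(7777, 51501)):
    """Return the stale reverse-forward ports and the (user, source) pairs whose auth method regressed."""
    accepted = defaultdict(set)   # (user, source) -> methods sshd has accepted so far
    stale = set()
    regressions = []              # (user, source, failed_method, methods accepted earlier)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m and int(m.group(2)) in forwarded_ports:
            stale.add(int(m.group(2)))
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, method, user, source = m.groups()
        key = (user, source)
        if outcome == "Accepted":
            accepted[key].add(method)
        elif accepted[key] and method not in accepted[key]:
            # This client got in with another method (publickey) before and is now falling
            # back to this one, so sshd rejected the offered key this time round.
            rec = (user, source, method, tuple(sorted(accepted[key])))
            if rec not in regressions:
                regressions.append(rec)
    return {"stale_listeners": sorted(stale), "auth_regressions": regressions}
```

Feed it a real export with triage(open(path).read()); on REMOTESRV itself, ss -ltnp shows which sshd process still holds 7777 and 51501.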