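My SSH server sits behind a university firewall.
I connect to my university VPN and have always been able to SSH into it. Recently I have been using VSCode to work on it remotely over SSH. The connection dropped a few times, and now I can no longer log in. Even ping returns nothing.
The strange thing: if I connect through the VPN, then SSH into a second workstation at work, and then SSH from that workstation into the original workstation, it works fine.
So it looks like my IP is being blocked by the workstation. But I checked: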
sudo iptables -L INPUT -v -n | less
It shows:
Chain INPUT (policy ACCEPT 401K packets, 599M bytes)
pkts bytes target prot opt in out source destination
(END)
So it's not my workstation? What is going on? Is there anything else I can check?
Update
Output of ssh -vvv:
>>ssh -vvv [email protected]
OpenSSH_9.3p2, LibreSSL 3.3.6
debug1: Reading configuration data /Users/me/.ssh/config
debug1: /Users/me/.ssh/config line 1: Applying options for 172.18.2.28
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 172.18.2.28 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/me/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/me/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 172.18.2.28 [172.18.2.28] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: connect to address 172.18.2.28 port 22: Operation timed out
ssh: connect to host 172.18.2.28 port 22: Operation timed out
Update 2
Checking sudo vi +26 /etc/ssh/sshd_config. The only uncommented lines are:
Include /etc/ssh/sshd_config.d/*.conf
Port 22
ChallengeResponseAuthentication no
usePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
The folder /etc/ssh/sshd_config.d is empty.
Checking tail /var/log/auth.log:
Nov 14 15:16:15 COMP sshd[113124]: pam_unix(sshd:session): session opened for user dorien by (uid=0)
Nov 14 15:16:15 COMP systemd-logind[756]: New session 191 of user dorien.
Nov 14 15:16:28 COMP sudo: dorien : TTY=pts/1 ; PWD=/home/dorien ; USER=root ; COMMAND=/usr/bin/vi +26 /etc/ssh/sshd_config
Nov 14 15:16:28 COMP sudo: pam_unix(sudo:session): session opened for user root by dorien(uid=0)
Nov 14 15:17:01 COMP CRON[113225]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 14 15:17:01 COMP CRON[113225]: pam_unix(cron:session): session closed for user root
Nov 14 15:18:27 COMP sudo: pam_unix(sudo:session): session closed for user root
Nov 14 15:19:23 COMP sudo: dorien : TTY=pts/1 ; PWD=/etc/ssh/sshd_config.d ; USER=root ; COMMAND=/usr/bin/ls
Nov 14 15:19:23 COMP sudo: pam_unix(sudo:session): session opened for user root by dorien(uid=0)
Nov 14 15:19:23 COMP sudo: pam_unix(sudo:session): session closed for user root
This did not log the timed-out ssh login attempt I made at 15:21.
Update 3
ssh -vvv -o IPQoS=none [email protected]
times out. Output:
OpenSSH_9.3p2, LibreSSL 3.3.6
debug1: Reading configuration data /Users/dorien_herremans/.ssh/config
debug1: /Users/dorien_herremans/.ssh/config line 1: Applying options for 172.18.2.28
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 172.18.2.28 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/dorien_herremans/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/dorien_herremans/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 172.18.2.28 [172.18.2.28] port 22.
debug1: connect to address 172.18.2.28 port 22: Operation timed out
ssh: connect to host 172.18.2.28 port 22: Operation timed out
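Answer 1
Although I have not run into this problem directly, an online search shows that this problem is related to QoS (Quality of Service).
- See this Server Fault answer.
- And this issue report on GitHub.
Look at this line in the ssh -vvv output: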
debug3: set_sock_tos set socket 3 IP_TOS 0x48
So the solution is to run the SSH command with -o IPQoS=none:
ssh -o IPQoS=none [email protected]
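See whether disabling QoS solves the problem.
If it works, consider adding this configuration to ~/.ssh/config to make the setting more permanent for all hosts: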
Host *
IPQoS=none
Or make it specific to the server you are having problems with:
Host 172.18.2.28
IPQoS=none
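
To check the QoS hypothesis from the answer above without involving ssh itself, the following added example (not part of the original question or answer) opens a plain TCP connection to the port twice, once with the TOS byte left at 0x00 and once with the 0x48 value from the debug output, and compares the results. The function names, the script name and the loopback default are assumptions made for illustration.

```python
import socket
import sys

SSH_INTERACTIVE_TOS = 0x48  # value from the set_sock_tos debug line above


def probe(host, port, tos, timeout=5.0):
    """TCP-connect with the given IP TOS byte; return open/refused/timeout/error."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # Same socket option ssh sets before connecting (IP_TOS).
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "error"
    finally:
        sock.close()


def diagnose(unmarked, marked):
    """Turn the two probe results into a conclusion about TOS filtering."""
    if unmarked == "open" and marked == "timeout":
        return "only marked packets are dropped: IPQoS=none should help"
    if unmarked == "timeout" and marked == "timeout":
        return "both time out: TOS marking is not the cause"
    if unmarked == "open" and marked == "open":
        return "port reachable with and without marking"
    return "inconclusive: unmarked=%s marked=%s" % (unmarked, marked)


def compare(host, port=22, marked_tos=SSH_INTERACTIVE_TOS, timeout=5.0):
    """Probe once with TOS 0x00 and once with the marked value."""
    results = {
        "unmarked": probe(host, port, 0x00, timeout),
        "marked": probe(host, port, marked_tos, timeout),
    }
    return results, diagnose(results["unmarked"], results["marked"])


if __name__ == "__main__":
    # Usage: python3 tos_probe.py HOST [PORT]   (script name is hypothetical)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(compare(target, port))
```

Run it from the client that times out and again from a host that can connect; a "timeout" on both probes points away from TOS marking and toward a filter or route between that client and the server.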