尝试通过 SSH 进入 CISCO 虚拟路由器时权限被拒绝

tag-icon tag-icon linux networking ssh virtual-network gns3
尝试通过 SSH 进入 CISCO 虚拟路由器时权限被拒绝

我的主要目标是能够模拟一个设备,以便我可以从 Python 应用程序通过 SSH 进入该设备并获取命令的输出。但首先,我尝试从终端手动通过 SSH 进入该设备。

我使用 GNS3 来模拟网络和 CISCO C7200 映像。我使用 Manjaro Linux。我的拓扑:

在此处输入图片描述

路由器配置:

conf t
username admin privilege 15 password 1234
hostname R1
ip domain-name local
crypto key generate rsa
ip ssh version 2
line vty 0 4
transport input ssh
login local
exit
interface fa0/0
ip address 192.168.12.1 255.255.255.0
no shut
end

我正在使用与 WiFi 适配器位于同一子网的 IP 地址来设置接口。显然,我可以正常 ping 它:

$ ping 192.168.12.1
PING 192.168.12.1 (192.168.12.1) 56(84) bytes of data.
64 bytes from 192.168.12.1: icmp_seq=1 ttl=64 time=3.11 ms
64 bytes from 192.168.12.1: icmp_seq=2 ttl=64 time=3.72 ms

但是当尝试通过 SSH 进入时:

$ ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
[email protected]: Permission denied (publickey,password).

这是详细输出:

OpenSSH_9.5p1, OpenSSL 3.1.4 24 Oct 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 2: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: Connecting to 192.168.12.1 [192.168.12.1] port 22.
debug1: Connection established.
debug1: identity file /home/gabriel/.ssh/id_rsa type 0
debug1: identity file /home/gabriel/.ssh/id_rsa-cert type -1
debug1: identity file /home/gabriel/.ssh/id_ecdsa type -1
debug1: identity file /home/gabriel/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/gabriel/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/gabriel/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/gabriel/.ssh/id_ed25519 type 3
debug1: identity file /home/gabriel/.ssh/id_ed25519-cert type -1
debug1: identity file /home/gabriel/.ssh/id_ed25519_sk type -1
debug1: identity file /home/gabriel/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/gabriel/.ssh/id_xmss type -1
debug1: identity file /home/gabriel/.ssh/id_xmss-cert type -1
debug1: identity file /home/gabriel/.ssh/id_dsa type -1
debug1: identity file /home/gabriel/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.5
debug1: Remote protocol version 2.0, remote software version dropbear_2012.55
debug1: compat_banner: no match: dropbear_2012.55
debug1: Authenticating to 192.168.12.1:22 as 'admin'
debug1: load_hostkeys: fopen /home/gabriel/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: (redacted)
debug1: load_hostkeys: fopen /home/gabriel/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.12.1' is known and matches the RSA host key.
debug1: Found key in /home/gabriel/.ssh/known_hosts:4
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /home/gabriel/.ssh/id_ed25519 ED25519 (redacted) agent
debug1: Will attempt key: /home/gabriel/.ssh/id_rsa RSA (redacted) agent
debug1: Will attempt key: /home/gabriel/.ssh/id_ecdsa 
debug1: Will attempt key: /home/gabriel/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/gabriel/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/gabriel/.ssh/id_xmss 
debug1: Will attempt key: /home/gabriel/.ssh/id_dsa 
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/gabriel/.ssh/id_ed25519 ED25519 (redacted) agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/gabriel/.ssh/id_rsa RSA (redacted) agent
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/gabriel/.ssh/id_ecdsa
debug1: Trying private key: /home/gabriel/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/gabriel/.ssh/id_ed25519_sk
debug1: Trying private key: /home/gabriel/.ssh/id_xmss
debug1: Trying private key: /home/gabriel/.ssh/id_dsa
debug1: Next authentication method: password
[email protected]'s password: 
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[email protected]'s password: 
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[email protected]'s password: 
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,password).

我的/etc/ssh/ssh_config

# Include drop-in configurations
Include /etc/ssh/ssh_config.d/*.conf

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP no
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
#   PubkeyAuthentication yes

尝试在路由器内重新生成 RSA 密钥,并避免升级到 SSH 2.0。没有用。我做错了什么?

答案1

有不同的方法可以将 GNS3 拓扑连接到现实世界。

  1. TAP 您可以创建可直接从 GNS3 运行的系统访问的 TAP 接口,并且可以将这些 TAP 设备添加到桥接器。

  2. 将适配器添加到配置 (NIO_ETHERNET)。这需要足够的权限来访问适配器。如果您以 root 身份运行 GNS3,则此方法有效。

使用 WiFi 适配器可能会带来一些额外的问题。许多 WiFi 适配器在 MAC-ID 不同时都会出现问题。

答案2

事实证明192.168.12.1这实际上是我家路由器的 IP,这就是为什么我可以 ping 它而 SSH 总是失败。

我创建了一个 TAP 接口并将其添加到 GNS3 中的云中,将路由器接口链接到 TAP 接口。这样一切都运行正常。不知何故,在云中使用 WiFi 适配器不起作用。

相关内容