I looked around, and forwarding port 22 so that I can ssh into my home network from outside should be easy, but I'm running into problems and can't seem to solve this with a Google search.
I suspect I'm missing something that needs to be done before the port forwarding is complete.
Steps
ssh to self to prove the local ip is correct:
external-access:
λ ssh iridium@192.168.0.209
(iridium@192.168.0.209) Password:
Last login: Wed Jun 7 19:35:53 2023 from 192.168.0.209
~:
λ exit
logout
Connection to 192.168.0.209 closed.
Get the external ip:
external-access:
λ curl -s https://ipinfo.io/ip
82.4.76.15
Port forwarding with a tunnel, which hangs:
external-access:
λ ssh -L 192.168.0.209:22:82.4.76.15:80 -N 127.0.0.1
(iridium@127.0.0.1) Password:
bind [192.168.0.209]:22: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 22
Could not request local forwarding.
Verbose:
external-access:
λ ssh -vvL 192.168.0.209:22:82.4.76.15:80 -N 127.0.0.1
OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 127.0.0.1 is address
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /Users/iridium/.ssh/id_rsa type -1
debug1: identity file /Users/iridium/.ssh/id_rsa-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519 type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/iridium/.ssh/id_xmss type -1
debug1: identity file /Users/iridium/.ssh/id_xmss-cert type -1
debug1: identity file /Users/iridium/.ssh/id_dsa type -1
debug1: identity file /Users/iridium/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1
debug1: compat_banner: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 127.0.0.1:22 as 'iridium'
debug1: load_hostkeys: fopen /Users/iridium/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:oSqYqE4r3wfOyhMupdNyfEadeUKiQ+tO5jhYWehhQII
debug1: load_hostkeys: fopen /Users/iridium/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '127.0.0.1' is known and matches the ED25519 host key.
debug1: Found key in /Users/iridium/.ssh/known_hosts:5
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/iridium/.ssh/id_rsa
debug1: Will attempt key: /Users/iridium/.ssh/id_ecdsa
debug1: Will attempt key: /Users/iridium/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/iridium/.ssh/id_ed25519
debug1: Will attempt key: /Users/iridium/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/iridium/.ssh/id_xmss
debug1: Will attempt key: /Users/iridium/.ssh/id_dsa
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/iridium/.ssh/id_rsa
debug1: Trying private key: /Users/iridium/.ssh/id_ecdsa
debug1: Trying private key: /Users/iridium/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/iridium/.ssh/id_ed25519
debug1: Trying private key: /Users/iridium/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/iridium/.ssh/id_xmss
debug1: Trying private key: /Users/iridium/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(iridium@127.0.0.1) Password:
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 0
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "keyboard-interactive".
debug1: Local connections to 192.168.0.209:22 forwarded to remote address 82.4.76.15:80
debug1: Local forwarding listening on 192.168.0.209 port 22.
bind [192.168.0.209]:22: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 22
Could not request local forwarding.
debug2: fd 3 setting TCP_NODELAY
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /Users/iridium/.ssh/known_hosts for 127.0.0.1 / (none)
debug1: client_input_hostkeys: searching /Users/iridium/.ssh/known_hosts2 for 127.0.0.1 / (none)
debug1: client_input_hostkeys: hostkeys file /Users/iridium/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: pledge: network
^CKilled by signal 2.
Another command for port forwarding, which also hangs:
external-access:
λ ssh -p 22 iridium@82.4.76.15
^C
external-access:
λ ssh -vvp 22 iridium@82.4.76.15
OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 82.4.76.15 is address
debug1: Connecting to 82.4.76.15 [82.4.76.15] port 22.
^C
Answer 1
ssh -L 192.168.0.209:22:82.4.76.15:80 -N 127.0.0.1
would try to set up a TCP proxy on port 22 of 192.168.0.209, but that port probably already has macOS's sshd on it, and as Marcus Müller said, you probably need root privileges to bind the tunnel to a local port below 1024.
Then any program connecting to 192.168.0.209:22 would have its connection forwarded to the sshd at the other end of the SSH connection, and from there connected with plain TCP to port 80 at IP address 82.4.76.15. So this port forwarding is outbound: it cannot allow inbound access from outside the network.
If you want to allow inbound access through SSH port forwarding, you need remote forwarding (-R). You also need some host that a) you can reach with SSH and b) has a port that is reachable from the internet.
So, for example, if you can SSH to the internet-reachable host 12.34.56.78, it allows you to set up port forwarding, and its port 2222 is not restricted by an internet firewall, you could do:
ssh -R 2222:127.0.0.1:22 -N 12.34.56.78
The computer you run this command on must then stay powered on in your home network to keep the port forwarding up.
Then, on another computer on the internet, you could ssh -p 2222 12.34.56.78 to connect to the host on your home network where you set up the SSH forwarding. The proxy on port 2222 of 12.34.56.78 will pass incoming connections through the SSH tunnel to the host where you ran the first ssh command, and the SSH client will pass the connection on to port 22 of 127.0.0.1, letting you SSH into your own system using IP address 12.34.56.78 and port 2222.
If you want a temporary port forward, using SSH is fine, as long as you have an SSH-accessible host with a public IP address. However, if 82.4.76.15 is the internet-side address of your internet router (i.e. that IP address appears in your router's configuration), then configuring an inbound port forward on your router does not require an external SSH-accessible host.
But if your router's internet-side interface only has a non-public IP address, then you are behind carrier-grade NAT, and you cannot get inbound connections without first using an outbound connection to establish a tunnel through some external host, like the ssh -R described above.
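The distinction the answer draws between -L (listener on the client, outbound only) and -R (listener on the SSH server, inbound), together with the two reasons the question's bind failed, as an added example in Python. This is not code from the original post or from OpenSSH: it parses the [bind_address:]port:host:hostport form that ssh(1) accepts for -L and -R, reports which side owns the listening socket, and flags a privileged port and a port the local sshd already holds. The local sshd port (22) and sshd's default of binding -R listeners to loopback unless GatewayPorts is set are assumptions stated in the code; the addresses are the ones from the question and the answer.

```python
"""Where does an OpenSSH port forward actually listen?

Added example, not from the original Q&A or from OpenSSH. Parses the
[bind_address:]port:host:hostport argument of -L / -R and explains the
listener the way the answer does, plus the bind failures from the question.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Forward:
    kind: str          # "L" = local forward (-L), "R" = remote forward (-R)
    bind_address: str  # "" means ssh's default bind address for that side
    port: int          # port the listener binds
    host: str          # where accepted connections are relayed to
    hostport: int


@dataclass
class Report:
    listener_side: str
    gives_inbound_access: bool
    connects_to: str
    problems: list = field(default_factory=list)


def _split_spec(spec: str) -> list:
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p[1:-1] if p.startswith("[") and p.endswith("]") else p for p in parts]


def _port(text: str) -> int:
    if not text.isdigit() or not 0 < int(text) <= 65535:
        raise ValueError(f"bad port: {text!r}")
    return int(text)


def parse_forward(kind: str, spec: str) -> Forward:
    """Parse the argument of -L or -R (the 3- or 4-field TCP forms)."""
    if kind not in ("L", "R"):
        raise ValueError("kind must be 'L' or 'R'")
    parts = _split_spec(spec)
    if len(parts) == 3:
        bind, port, host, hostport = "", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    return Forward(kind, bind, _port(port), host, _port(hostport))


def analyse(fwd: Forward, ssh_server: str, local_sshd_port: int = 22,
            running_as_root: bool = False) -> Report:
    """local_sshd_port: port sshd already holds on the machine running ssh
    (assumed 22, as on a Mac with Remote Login enabled)."""
    if fwd.kind == "L":
        rep = Report("client (the machine running ssh)", False,
                     f"{fwd.host}:{fwd.hostport} via {ssh_server}")
        if fwd.port == local_sshd_port:
            rep.problems.append(f"port {fwd.port} is already owned by the local sshd")
    else:
        rep = Report(f"server ({ssh_server})", True,
                     f"{fwd.host}:{fwd.hostport} on the client side")
        # Assumption from sshd_config(5): remote forwards bind loopback unless
        # GatewayPorts is yes, or clientspecified and a wildcard was requested.
        if fwd.bind_address == "":
            rep.problems.append("listener binds the server's loopback only "
                                "unless the server has GatewayPorts yes")
        elif fwd.bind_address in ("*", "0.0.0.0", "::"):
            rep.problems.append("wildcard bind is honoured only with GatewayPorts "
                                "yes or clientspecified on the server")
    if fwd.port < 1024 and not running_as_root:
        rep.problems.append(f"port {fwd.port} is privileged: bind fails with "
                            "Permission denied unless the listening side is root")
    return rep


if __name__ == "__main__":
    print(analyse(parse_forward("L", "192.168.0.209:22:82.4.76.15:80"), "127.0.0.1"))
    print(analyse(parse_forward("R", "2222:127.0.0.1:22"), "12.34.56.78"))
```

Run against the question's command it reports both bind problems and no inbound access; run against the answer's command it reports the one thing the answer leaves implicit: sshd binds a -R listener to loopback by default, so ssh -p 2222 12.34.56.78 from the internet only works if that host's sshd_config has GatewayPorts yes (or clientspecified, with -R *:2222:127.0.0.1:22).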
Answer 2
All I had to do was open port 22 on the router settings page, and now I can ssh from outside (using the external IP address, from a phone and a computer connected to 4G rather than wifi) to my local machine without using any cmd.
Steps:
Log in to the router page and open port 22 for this machine's ip.
Then:
# on local machine find external ip
curl -s https://ipinfo.io/ip
# on device not connected to wifi
ssh <user>@<output of cmd above>
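Opening port 22 on the router puts that sshd in front of the whole internet, and the verbose log in the question shows it offering password and keyboard-interactive authentication alongside publickey. The following added example (not code from the original post or from OpenSSH) is the check a practitioner would run before forwarding the port: it parses the global section of an sshd_config, applies the defaults sshd_config(5) documents for absent directives, lists the settings that should not be reachable from the internet, and writes a hardened copy with key-only login. The sample config is constructed for illustration and the target values are this editor's choice.

```python
"""Audit an sshd_config before exposing port 22 to the internet.

Added example, not from the original Q&A or from OpenSSH. The sample
config at the bottom is constructed for illustration.
"""
import re

# Documented sshd_config(5) defaults: an absent directive is still in force.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
# Values wanted on a server reachable from the internet (key-only login).
WANTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "3",
}
CANON = {  # spelling used when writing directives back out
    "passwordauthentication": "PasswordAuthentication",
    "kbdinteractiveauthentication": "KbdInteractiveAuthentication",
    "permitrootlogin": "PermitRootLogin",
    "pubkeyauthentication": "PubkeyAuthentication",
    "permitemptypasswords": "PermitEmptyPasswords",
    "maxauthtries": "MaxAuthTries",
}
# Older name for the same directive, as found in an OpenSSH 8.x config.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
_DIRECTIVE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")


def _directive(raw):
    """Return (keyword, value) for one config line, or (None, None)."""
    m = _DIRECTIVE.match(raw.split("#", 1)[0].strip())
    if not m:
        return None, None
    key = m.group(1).lower()
    return _ALIASES.get(key, key), m.group(2)


def parse_sshd_config(text):
    """Global settings only: sshd takes the first occurrence of a keyword,
    and anything after the first Match line is conditional."""
    settings = {}
    for raw in text.splitlines():
        key, value = _directive(raw)
        if key == "match":
            break
        if key is not None:
            settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (keyword, effective_value, wanted_value, set_explicitly)."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if key == "maxauthtries":
            ok = effective.isdigit() and int(effective) <= int(wanted)
        else:
            ok = effective == wanted
        if not ok:
            findings.append((key, effective, wanted, key in settings))
    return findings


def hardened(text):
    """Rewrite the global section with WANTED values. Match blocks are
    copied untouched and must be reviewed by hand."""
    out, seen, in_match = [], set(), False
    for raw in text.splitlines():
        key, _ = _directive(raw)
        if in_match:
            out.append(raw)
            continue
        if key == "match":  # globals must precede the first Match line
            out.extend(f"{CANON[k]} {v}" for k, v in WANTED.items() if k not in seen)
            seen.update(WANTED)
            in_match = True
        elif key in WANTED:
            if key not in seen:  # first occurrence rewritten in place
                out.append(f"{CANON[key]} {WANTED[key]}")
                seen.add(key)
            continue             # later duplicates are dropped
        out.append(raw)
    out.extend(f"{CANON[k]} {v}" for k, v in WANTED.items() if k not in seen)
    return "\n".join(out) + "\n"


SAMPLE = """\
# constructed sample resembling a stock macOS sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
Match Address 192.168.0.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, eff, want, explicit in audit(SAMPLE):
        print(f"{CANON[key]}: {eff} ({'set' if explicit else 'default'}), want {want}")
    print(hardened(SAMPLE))
```

On the sample, the audit flags the two explicit password paths and two defaults the file never mentions (PermitRootLogin and MaxAuthTries); the hardened copy keeps the Match block that still allows passwords from the LAN, which is the usual shape when you want key-only from the internet but a fallback at home. Whatever you change, run sshd -t before restarting sshd, and keep an existing session open until a fresh key-based login succeeds.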