直到几天前,我才能够连接到我的远程 ssh 服务器,使用 corkscrew 通过公司代理建立隧道连接,配置如下:
ssh -v [email protected] -p 443 -o "ProxyCommand corkscrew corp-proxy 8080 xxx.xxx.xxx.xxx 443"
由于公司代理限制,我已经将 ssh 服务器端口设置为 443。现在,代理端发生了一些变化,我收到此错误:
OpenSSH_6.2p2 Ubuntu-6ubuntu0.4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec corkscrew corp-proxy 8080 xxx.xxx.xxx.xxx 443
debug1: identity file /home/pe/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.4
debug1: permanently_drop_suid: 1000
ssh_exchange_identification: Connection closed by remote host
我还尝试安装一个新的 debian 虚拟机,因为我怀疑我在某种程度上被列入黑名单(我的 IP 是固定的,并通过 pc 主机名从 dhcp 分配)。
在新的虚拟机中,我的 IP 是由 dhcp 随机分配的,如果我尝试连接,我会得到不同的响应:
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec corkscrew corp-proxy 8080 xxx.xxx.xxx.xxx 443
debug1: permanently_drop_suid: 1000
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug3: put_host_port: [xxx.xxx.xxx.xxx]:443
debug1: SSH2_MSG_KEXINIT sent
Connection closed by UNKNOWN
正如我在 auth.log 文件中看到的那样,此连接到达了 ssh 服务器,但这是响应:
Did not receive identification string from xxx.xxx.xxx.xxx
新的代理设置可能会阻止我吗?关于如何让 ssh 再次工作有什么建议吗?
编辑:尝试了几种方法,openvpn,apache重定向..没有任何效果。 Apache 重定向也给出同样的错误:
telnet corp-proxy 8080
Trying xxx.xxx.xxx.xxx...
Connected to corp-proxy.
Escape character is '^]'.
CONNECT myserver:443 HTTP/1.0
HTTP/1.0 200 Connection Established
Date: Wed, 29 Oct 2014 16:12:06 GMT
Via: 1.1 corp-proxy
CONNECT myserver:1443 HTTP/1.0
Connection closed by foreign host.
在这种情况下,myserver 在 443 端口上有 apache,并且当 apache 将端口 1443 上的连接重定向到 ssh 服务器时,该端口被代理接受。我被踢出了。
答案1
找到了解决方案以及可能的原因。
我怀疑代理端已在 443 端口上启用了某种深度数据包检查 (DPI),因此代理只能接受“真正的”https 请求,所有其他请求都会重置连接。
解决方案是使用一个名为隧道能够将 https 请求包装在 SSL 容器中,因此代理端与普通 https 请求没有区别(例如浏览 https 站点)
Stunnel 必须安装在服务器端和客户端,并且可以配置为使用代理服务器来发出请求。
互联网上有很多关于如何安装和配置它的教程。