SSH through an intermediate host fails only for myuser@mymac but works everywhere else

I cannot ssh to one of my data-center nodes using the user on my MacBook. This is a recent problem; a few weeks ago it was still working fine.

The odd thing is that this only affects the user on my computer, but I am able to connect from:

  • a different user on the same machine, using the same ssh key and without any .ssh/config rules.
  • different servers, running macOS or Ubuntu, with the same or a different ssh key.

With the user name on my computer and the same key I can:

  • connect to the gateway host
  • connect directly to the node over the VPN (unfortunately not a long-term solution)

This error puzzles me. Can you help me locate the problem?

Looking at the logs, the connection to the gateway is established, but somehow it cannot connect on to the node. On the client:

⌘ ~ ❯ ssh -v -J gatekeeper@gateway ubuntu@node -i ~/.ssh/id_rsa 
OpenSSH_7.3p1, LibreSSL 2.4.1
[...]
debug1: Authentication succeeded (publickey).
Authenticated to gateway ([35.156.248.245]:22).
debug1: channel_connect_stdio_fwd node:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host

On the gateway side:

admin@gateway:~$ grep -e "\[7669\]" -e "\[7739\]" /var/log/auth.log
Mar 13 11:01:20 gateway sshd[7669]: Set /proc/self/oom_score_adj to 0
Mar 13 11:01:20 gateway sshd[7669]: rexec line 32: Deprecated option PermitBlacklistedKeys
Mar 13 11:01:20 gateway sshd[7669]: Connection from <laptop-out-ip> port 62113 on <gateway-ip> port 22
Mar 13 11:01:20 gateway sshd[7669]: Postponed publickey for gatekeeper from <laptop-out-ip> port 62113 ssh2 [preauth]
Mar 13 11:01:20 gateway sshd[7669]: Accepted publickey for gatekeeper from <laptop-out-ip> port 62113 ssh2: RSA 8d:7e:9c:53:11:c9:4d:b3:67:7b:ae:04:03:8f:e2:71
Mar 13 11:01:20 gateway sshd[7669]: pam_unix(sshd:session): session opened for user gatekeeper by (uid=0)
Mar 13 11:01:20 gateway sshd[7669]: User child is on pid 7739
Mar 13 11:03:27 gateway sshd[7739]: error: connect_to <node-ip> port 22: failed.
Mar 13 11:03:28 gateway sshd[7739]: Connection closed by <laptop-out-ip>
Mar 13 11:03:28 gateway sshd[7739]: Transferred: sent 2252, received 2864 bytes
Mar 13 11:03:28 gateway sshd[7739]: Closing connection to <laptop-out-ip> port 62113
Mar 13 11:03:28 gateway sshd[7669]: pam_unix(sshd:session): session closed for user gatekeeper

On the node side there are no log entries at all.

sshd_config on the gateway:

# ssh service configuration

AcceptEnv
AddressFamily inet
AllowAgentForwarding yes
AllowGroups
AllowTcpForwarding no
AllowUsers gatekeeper
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveCountMax 3
ClientAliveInterval 15
Compression delayed
DenyGroups
DenyUsers
GSSAPIAuthentication no
GatewayPorts no
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostbasedAuthentication no
KerberosAuthentication no
ListenAddress 0.0.0.0:22
LogLevel VERBOSE
LoginGraceTime 60
MaxAuthTries 6
MaxSessions 10
MaxStartups 30
PasswordAuthentication no
PermitBlacklistedKeys no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
RSAAuthentication no
RhostsRSAAuthentication no
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UseLogin no
UsePAM yes
UsePrivilegeSeparation yes
X11Forwarding no

Match User gatekeeper
AllowTcpForwarding yes
AllowAgentForwarding no
X11Forwarding no

Answer 1

I was finally able to find the root of the problem. I can make the problem go away either by not sourcing the iTerm2 shell integration or simply by updating it to the latest version. This may be related to using the fish shell.

I did not dig any deeper into this; if anyone is interested, let me know.

Answer 2

error: connect_to <node-ip> port 22: failed.

This looks as if port forwarding has been disabled or is restricted by the PermitOpen option in the sshd configuration. Please make sure it is allowed, and if it is not, post the sshd_config of gateway.
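As an added illustration of the check this answer suggests (it is not code from the thread), the following Python works out which AllowTcpForwarding and PermitOpen values sshd actually applies to a given user, using a constructed excerpt of the gateway config posted in the question. It models only Match User criteria, and PermitOpen patterns are compared with shell-style wildcards as an approximation.

```python
"""sshd_config precedence check (added example, not from the thread).
Global keywords apply first; a matching 'Match' block overrides them and
for each keyword the first obtained value wins. Assumptions: only
'Match User' criteria are modelled; PermitOpen uses shell-style wildcards."""
from fnmatch import fnmatch

# Constructed excerpt of the gateway sshd_config posted in the question.
GATEWAY_CONFIG = """
AllowTcpForwarding no
AllowUsers gatekeeper
Match User gatekeeper
AllowTcpForwarding yes
AllowAgentForwarding no
"""

def effective_options(config_text, user):
    """Return {keyword: value} as sshd would apply them for `user`."""
    global_opts, match_opts = {}, {}
    in_match = applies = False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            crit = value.split()
            # The block applies if a 'User' criterion lists this user.
            applies = any(c.lower() == "user"
                          and any(fnmatch(user, p) for p in crit[i + 1].split(","))
                          for i, c in enumerate(crit[:-1]))
            continue
        if in_match and not applies:
            continue  # keywords of a non-matching block are ignored
        target = match_opts if in_match else global_opts
        target.setdefault(key, value)  # first obtained value wins
    return {**global_opts, **match_opts}

def forwarding_allowed(config_text, user, host, port):
    """Would sshd let `user` open a direct-tcpip channel (ssh -J) to host:port?"""
    opts = effective_options(config_text, user)
    if opts.get("allowtcpforwarding", "yes") not in ("yes", "all", "local"):
        return False  # this is what yields 'administratively prohibited'
    permit = opts.get("permitopen", "any")
    if permit in ("any", "none"):
        return permit == "any"
    return any(fnmatch(f"{host}:{port}", pat) for pat in permit.split())
```

For the posted config, forwarding is allowed for gatekeeper and denied for everyone else, so a "connect failed: Connection timed out" for that user points past sshd policy to the network path from gateway to node.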

Answer 3

I am able to connect from the same MacBook with a different user, using the same command, keys, etc.

Maybe you need to run this as the new user (in your home directory):

ssh-keygen -t rsa

ssh-copy-id -i .ssh/id_rsa.pub gatekeeper@gateway 

ssh-copy-id -i .ssh/id_rsa.pub ubuntu@node

Answer 4

I ran into almost the same problem, and in my case ssh -v target showed:

(... while connecting to jumphost.example.com:)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:REDACTED /home/USER/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 277
debug1: Authentication succeeded (publickey).
Authenticated to jumphost.example.com ([1.2.3.4]:22).
debug1: channel_connect_stdio_fwd target:1234
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
channel 0: open failed: connect failed: Connection refused
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host

So it is similar up to debug1: pledge: network. After that I see hostkey-00 instead of keepalive, and then channel 0: open failed: connect failed: Connection refused.

In my case it was a typo on my part: in .ssh/config I had set the Port of "Host target" to 1234 instead of the correct port.

Unfortunately the diagnostics of ProxyJump or ssh -J are severely lacking. The feature itself is great, though!
