我无法使用 MacBook 上的用户通过 ssh 连接到我的某个数据中心节点。这是最近出现的问题,大约几周前它还运行正常。
奇怪的是,这只影响我电脑上的用户,但我能够从以下位置建立连接:
- 同一台机器上的不同用户,使用相同的 ssh 密钥,并且没有任何 .ssh/config 规则。
- 不同的服务器,运行 macos 或 ubuntu,具有相同或不同的 ssh 密钥。
使用我电脑上的用户名和相同的密钥,我可以:
- 连接到网关主机
- 使用 VPN 直接连接到节点(不幸的是,这不是一个长期的解决方案)
这个错误让我很困惑。你能帮我定位问题吗?
查看日志,与网关的连接已建立,但不知何故无法连接到节点。在客户端:
⌘ ~ ❯ ssh -v -J gatekeeper@gateway ubuntu@node -i ~/.ssh/id_rsa
OpenSSH_7.3p1, LibreSSL 2.4.1
[...]
debug1: Authentication succeeded (publickey).
Authenticated to gateway ([35.156.248.245]:22).
debug1: channel_connect_stdio_fwd node:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 1
debug1: client_input_global_request: rtype [email protected] want_reply 1
debug1: client_input_global_request: rtype [email protected] want_reply 1
debug1: client_input_global_request: rtype [email protected] want_reply 1
debug1: client_input_global_request: rtype [email protected] want_reply 1
debug1: client_input_global_request: rtype [email protected] want_reply 1
debug1: client_input_global_request: rtype [email protected] want_reply 1
debug1: client_input_global_request: rtype [email protected] want_reply 1
channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
在网关端:
admin@gateway:~$ grep -e "\[7669\]" -e "\[7739\]" /var/log/auth.log
Mar 13 11:01:20 gateway sshd[7669]: Set /proc/self/oom_score_adj to 0
Mar 13 11:01:20 gateway sshd[7669]: rexec line 32: Deprecated option PermitBlacklistedKeys
Mar 13 11:01:20 gateway sshd[7669]: Connection from <laptop-out-ip> port 62113 on <gateway-ip> port 22
Mar 13 11:01:20 gateway sshd[7669]: Postponed publickey for gatekeeper from <laptop-out-ip> port 62113 ssh2 [preauth]
Mar 13 11:01:20 gateway sshd[7669]: Accepted publickey for gatekeeper from <laptop-out-ip> port 62113 ssh2: RSA 8d:7e:9c:53:11:c9:4d:b3:67:7b:ae:04:03:8f:e2:71
Mar 13 11:01:20 gateway sshd[7669]: pam_unix(sshd:session): session opened for user gatekeeper by (uid=0)
Mar 13 11:01:20 gateway sshd[7669]: User child is on pid 7739
Mar 13 11:03:27 gateway sshd[7739]: error: connect_to <node-ip> port 22: failed.
Mar 13 11:03:28 gateway sshd[7739]: Connection closed by <laptop-out-ip>
Mar 13 11:03:28 gateway sshd[7739]: Transferred: sent 2252, received 2864 bytes
Mar 13 11:03:28 gateway sshd[7739]: Closing connection to <laptop-out-ip> port 62113
Mar 13 11:03:28 gateway sshd[7669]: pam_unix(sshd:session): session closed for user gatekeeper
在节点端,日志中没有条目。
网关处的ssd_config:
# ssh service configuration
AcceptEnv
AddressFamily inet
AllowAgentForwarding yes
AllowGroups
AllowTcpForwarding no
AllowUsers gatekeeper
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveCountMax 3
ClientAliveInterval 15
Compression delayed
DenyGroups
DenyUsers
GSSAPIAuthentication no
GatewayPorts no
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostbasedAuthentication no
KerberosAuthentication no
ListenAddress 0.0.0.0:22
LogLevel VERBOSE
LoginGraceTime 60
MaxAuthTries 6
MaxSessions 10
MaxStartups 30
PasswordAuthentication no
PermitBlacklistedKeys no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
RSAAuthentication no
RhostsRSAAuthentication no
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UseLogin no
UsePAM yes
UsePrivilegeSeparation yes
X11Forwarding no
Match User gatekeeper
AllowTcpForwarding yes
AllowAgentForwarding no
X11Forwarding no
答案1
最后,我终于能够找到问题的根源。我可以通过不获取 iterm2 shell 集成或仅将其更新到最新版本来消除问题。这可能与使用 fish shell 有关。
我没有进一步深入研究这个问题,如果有人感兴趣,请告诉我。
答案2
error: connect_to <node-ip> port 22: failed.
这看起来好像端口转发已被禁用或受配置PermitOpen
选项限制sshd
。请确保允许,如果不允许,请sshd_config
发帖gateway
。
答案3
我能够从同一台 MacBook 和不同的用户使用相同的命令、按键等进行连接
也许你需要运行这个与新用户(在你的主目录中):
ssh-keygen -t rsa
ssh-copy-id -i .ssh/id_rsa.pub gatekeeper@gateway
ssh-copy-id -i .ssh/id_rsa.pub ubuntu@node
答案4
我遇到了几乎同样的问题,并且在我的例子ssh -v target
中
(... while connecting to jumphost.example.com:)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:REDACTED /home/USER/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 277
debug1: Authentication succeeded (publickey).
Authenticated to jumphost.example.com ([1.2.3.4]:22).
debug1: channel_connect_stdio_fwd target:1234
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
channel 0: open failed: connect failed: Connection refused
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
因此类似于debug1: pledge: network
。之后我看到hostkey-00
而不是keepalive
和channel 0: open failed: connect failed: Connection refused
。
就我而言,是我的输入错误,.ssh/config
我错误地将其中的Port
“of”Host target
设置1234
为了正确的端口。
ProxyJump
不幸的是,或的诊断功能ssh -J
严重不足。不过,该功能本身非常棒!