使用 CentOS 7.9.2009 服务器,我尝试使用带有 v2 的客户端将 ssh v1 连接到具有 SSH v1(无法升级,我预料到了)的 Cisco 路由器。然后,我修改了 ssh_config 文件以允许 v1 版本的 ssh,方法是将 #Protocol 2 行的值更改为 Protocol 2,1。
当我尝试连接但收到此未说话的错误时:
ssh [email protected] -vvv
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "10.180.20.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.180.20.1 [10.180.20.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/identity type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/identity-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/audit/.ssh/id_ed25519-cert type -1
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug1: Local version string SSH-1.5-OpenSSH_7.4
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.180.20.1:22 as 'test'
debug1: Waiting for server public key.
Connection reset by 10.180.20.1 port 22
如果有人知道要进行哪种故障排除才能找出问题所在,请提前致谢。目前请记住,我无法访问该路由器,我可以在可以访问的 CentOS 机器上进行测试。
我还尝试连接指定版本 v1:ssh -v1 [email protected] -vvv
答案1
评论太长了。一般来说:
调试服务器问题并非(仅)从客户端完成。不仅要报告客户端问题(输出ssh -vvv
),还要显示相关的服务器配置和设置、服务器日志和/或错误消息。换句话说:“您的思科设备告诉您什么?”
思科的随机手册https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
建议show ssh
,show ip ssh
并show crypto key mypubkey rsa
作为路由器上的第一步调试步骤。
当你说:“然后我修改了我的 ssh_config 文件” 我想知道为什么您要更改全局配置,/etc/ssh/ssh_config
而不是对个人配置进行任何修改,~/ssh/config
这是典型的做法。
# For example ˜/.ssh/config
# Use custom settings when connecting to 10.180.20.1 from: https://serverfault.com/a/1125849/37681
Host 10.180.20.1
KexAlgorithms +diffie-hellman-group14-sha1
MACs +hmac-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
Protocol 2,1
我猜测您的客户在以下情况下违约:
debug1: Waiting for server public key.
是相关的调试消息:这表明您的客户端没有收到服务器公钥。
我的第一个猜测是,您忘记正确配置 Cisco 设备并且没有生成正确的 ssh 密钥。