我正在对运行 SecureCRT v8.1.4 的 Windows 客户端与运行 OpenSSH v8.7 的 Oracle Linux 9 服务器之间的 SSH 连接进行故障排除。客户端连接后立即断开连接,并告诉我:
客户端已与服务器断开连接。原因:服务器的主机密钥验证失败。这可能意味着您所连接的服务器正在冒充其自称的服务器。无法建立连接。
它甚至不提供接受密钥。
这种行为似乎发生在所有 OL9 服务器上。客户端可以正常连接到运行 OpenSSH v8.0 的 Oracle Linux 8 服务器。
根据从 sshd 日志中提取的以下调试信息,看起来主机密钥实际上没有问题,但之后出现了问题——可能是 KEX 协商。我尝试将加密策略从 DEFAULT 改为 LEGACY,但没有任何改善。我的搜索找到了很多关于如何使 SecureCRT 和 OpenSSH 协同工作的信息,但到目前为止,没有任何信息可以帮助解决这个特定的错误。
有问题的 SecureCRT 是旧版本,可能不会升级。用户确实有解决方法。
调试日志
Mar 29 12:03:38 scasyslog04 sshd[44631]: debug3: fd 4 is not O_NONBLOCK
Mar 29 12:03:38 scasyslog04 sshd[44631]: debug1: Forked child 44647.
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: oom_adjust_restore
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: Set /proc/self/oom_score_adj to 0
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Mar 29 12:03:38 scasyslog04 sshd[44631]: debug3: send_rexec_state: entering fd = 7 config len 3642
Mar 29 12:03:38 scasyslog04 sshd[44631]: debug3: ssh_msg_send: type 0
Mar 29 12:03:38 scasyslog04 sshd[44631]: debug3: send_rexec_state: done
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: inetd sockets after dupping: 4, 4
Mar 29 12:03:38 scasyslog04 sshd[44647]: Connection from 10.222.217.253 port 28442 on 10.222.75.42 port 22 rdomain ""
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: Local version string SSH-2.0-OpenSSH_8.7
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: Remote protocol version 2.0, remote software version SecureCRT_8.1.4 (x64 build 1443)
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: compat_banner: no match: SecureCRT_8.1.4 (x64 build 1443)
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: fd 4 setting O_NONBLOCK
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: Network child is on pid 44648
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: preauth child monitor started
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: SELinux support enabled [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: privsep user:group 74:74 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 42 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: monitor_read: checking request 42
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 43
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive_expect: entering, type 43 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: send packet: type 20 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: receive packet: type 20 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: local server KEXINIT proposal [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: KEX algorithms: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: compression ctos: none,[email protected] [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: compression stoc: none,[email protected] [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: languages ctos: [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: languages stoc: [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: first_kex_follows 0 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: reserved 0 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: peer client KEXINIT proposal [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: host key algorithms: ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-sign-rsa,x509v3-ssh-rsa,x509v3-sign-dss,x509v3-ssh-dss,ssh-dss [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,[email protected] [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,[email protected] [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: compression ctos: none [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: compression stoc: none [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: languages ctos: [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: languages stoc: [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: first_kex_follows 0 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug2: reserved 0 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: kex: algorithm: ecdh-sha2-nistp521 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: kex: host key algorithm: ssh-rsa [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-512 compression: none [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-512 compression: none [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: kex: ecdh-sha2-nistp521 need=64 dh_need=64 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 120 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive_expect: entering, type 121 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: monitor_read: checking request 120
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 121
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: kex: ecdh-sha2-nistp521 need=64 dh_need=64 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 120 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive_expect: entering, type 121 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: monitor_read: checking request 120
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 121
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: receive packet: type 30 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_sshkey_sign: entering [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 6 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive_expect: entering, type 7 [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering [preauth]
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: monitor_read: checking request 6
Mar 29 12:03:38 scasyslog04 sshd[44647]: debug3: mm_answer_sign: entering
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_answer_sign: ssh-rsa (effective: rsa-sha2-256) KEX signature len=532
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 7
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug2: monitor_read: 6 used once, disabling now
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: send packet: type 31 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: send packet: type 21 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug2: set_newkeys: mode 1 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug1: rekey out after 4294967296 blocks [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: receive packet: type 1 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: error: Received disconnect from 10.222.217.253 port 28442:9: The server's host key failed to verify. This could mean that the server you are connected to is impersonating the server it claims to be. A connection could not be established. [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 122 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_receive_expect: entering, type 123 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: monitor_read: checking request 122
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 123
Mar 29 12:03:39 scasyslog04 sshd[44647]: Disconnected from 10.222.217.253 port 28442 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug1: do_cleanup [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_send: entering, type 124 [preauth]
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: monitor_read: checking request 124
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug1: monitor_read_log: child log fd closed
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: mm_request_receive: entering
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug1: do_cleanup
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug3: PAM: sshpam_thread_cleanup entering
Mar 29 12:03:39 scasyslog04 sshd[44647]: debug1: Killing privsep child 44648