为什么 SSHD 挂在“服务器接受密钥”处

tag-icon tag-icon linux ubuntu ssh ssh-keys
为什么 SSHD 挂在“服务器接受密钥”处

一年来,我一直使用公钥认证通过 ssh 连接到这个盒子,没有任何问题。

客户端或服务器的 ssh 配置未发生任何变化。现在,ssh 连接永远不会完成或失败,它们只是挂起。以下是尝试连接时的调试输出:

OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/jivan/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <host> [<ip>] port <port>.
debug1: Connection established.
debug1: identity file .ssh/id_rsa.pub type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file .ssh/id_rsa.pub-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-7ubuntu1
debug1: match: OpenSSH_5.8p1 Debian-7ubuntu1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 81:63:05:0c:39:6b:77:d7:a2:25:93:30:80:f1:ba:0e
debug1: Host '[<host>]:<port>' is known and matches the ECDSA host key.
debug1: Found key in /home/jivan/.ssh/known_hosts:39
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa.pub
debug1: Server accepts key: pkalg ssh-rsa blen 279

服务器日志:

Feb 24 12:02:38 balance sshd[5734]: debug1: Forked child 6745.
Feb 24 12:02:38 balance sshd[6745]: Set /proc/self/oom_score_adj to 0
Feb 24 12:02:38 balance sshd[6745]: debug1: rexec start in 5 out 5 newsock 5 pip
e 7 sock 8
Feb 24 12:02:38 balance sshd[6745]: debug1: inetd sockets after dupping: 3, 3
Feb 24 12:02:38 balance sshd[6745]: Connection from 207.204.228.55 port 57967
Feb 24 12:02:38 balance sshd[6745]: debug1: Client protocol version 2.0; client 
software version OpenSSH_6.0p1 Debian-3ubuntu1
Feb 24 12:02:38 balance sshd[6745]: debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1
 pat OpenSSH*
Feb 24 12:02:38 balance sshd[6745]: debug1: Enabling compatibility mode for prot
ocol 2.0
Feb 24 12:02:38 balance sshd[6745]: debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
Feb 24 12:02:39 balance sshd[6745]: debug1: PAM: initializing for "jivan"
Feb 24 12:02:39 balance sshd[6745]: debug1: PAM: setting PAM_RHOST to "207.204.228.55"
Feb 24 12:02:39 balance sshd[6745]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 24 12:02:40 balance sshd[6745]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Feb 24 12:02:40 balance sshd[6745]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Feb 24 12:02:40 balance sshd[6745]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Feb 24 12:02:40 balance sshd[6745]: debug1: trying public key file /home/jivan/.ssh/authorized_keys
Feb 24 12:02:40 balance sshd[6745]: debug1: fd 4 clearing O_NONBLOCK
Feb 24 12:02:40 balance sshd[6745]: debug1: matching key found: file /home/jivan/.ssh/authorized_keys, line 1
Feb 24 12:02:40 balance sshd[6745]: Found matching RSA key: 5f:8c:76:ad:48:6a:f5:73:03:6a:36:13:c0:ea:3b:45
Feb 24 12:02:40 balance sshd[6745]: debug1: restore_uid: 0/0

您知道可能是什么问题吗?

更新:问题神秘地结束了,就像开始时一样。仍然对导致此问题的任何见解感兴趣。

答案1

这通常是由反向 DNS 问题引起的;上周我的一个旧服务器就遇到了这种情况。您调用 是正确的sshd -d,但除非您使用 运行它,否则反向 DNS 问题不会真正显现出来,sshd -ddd这样您就会看到 debug3 的输出。

虽然反向 DNS 问题不会总是导致情况恶化的是,如果与连接尝试相关的 DNS 查找失败(即所有 DNS 服务器完全不可用,或者相关区域/反向区域超时),则在某些配置下,这足以完全锁定ssh对系统的访问。如果服务器不耐烦并断开连接,则无论将客户端超时设置得多高都无济于事。

答案2

我也遇到过这个问题,但这次轮到客户端说话了。在这种情况下,这似乎是由于 gpg-agent 的存在(以 ssh-agent-support 模式运行);将其杀死或 ssh-add -D 可以恢复 ssh 连接。

答案3

就我的情况而言,这是由密钥环损坏引起的。如果使用更多调试信息 ( ssh -vvv) 运行,将得到:

debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: RSA
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

,我得到了提示,它与SSH_AUTH_SOCK变量有关。然后我找到了它:

user@user-office / $ $SSH_AUTH_SOCK
bash: /run/user/1000/keyring/ssh: No such device or address

然后我删除了这个文件并重新运行ssh命令。这导致 pass 提示出现,然后它就起作用了。

答案4

虽然上述情况很可能与 DNS 有关,但我在

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

它也不一致。通过执行以下操作可以消除它:

KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

我怀疑真正的原因是 IPv6 隧道的 MTU 有限,但我尚未验证这一点。Google 找到了这个问题。

相关内容