Unable to ssh between two Linux machines on the same network using a public and private key

I am trying to ssh to machine2 (running Ubuntu 19.10) from machine1 (running Ubuntu 18.04.5). When I try to connect from machine1 using machine2's IP address, I get the following message:

[machine1_username]@[machine1_host]:~$ ssh -v [machine2_username]@ip_address
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/[home_directory]/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to [ip_address] [[ip_address]] port 22.
debug1: connect to address [ip_address] port 22: Connection timed out
ssh: connect to host [ip_address] port 22: Connection timed out

When I try to connect from machine1 to machine2 using the hostname, I get the following message:

ssh: could not resolve hostname [hostname].local: Name or service not known

Neither command prompts me for a password. The public key has been manually stored in the authorized_keys file in the .ssh directory on machine2, but as I said, I haven't gotten that far yet.

My ufw settings on machine1 and machine2 are open to allow traffic on that port, ssh is installed on both machines, openssh-client is installed on machine1 and openssh-server is installed on machine2. The nmap command on both machines shows port 22/tcp as open for ssh connections. I have also verified that machine2 is listening on Port 22.

sshd_config on the server:

#   $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem   sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

ssh_config on the client:


# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

From the client, machine1:

[machine1_username]@[machine1_host]:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

From the server, machine2:

[machine2_username]@[machine2_host]:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

I have confirmed that I am using the correct IP address and username. Given that they are on the same network, I know I have done something stupid.

Answer 1

This has nothing to do with authentication. It looks like a firmware problem. Check sudo dmesg to see whether the connection is being dropped...

Answer 2

Consider your first attempt:

When I try to connect from machine1 using machine2's IP address, I get the following message:

ssh: connect to host [ip_addr] port 22: Connection Timed out

This means that machine1 can route to ip_addr and is attempting to connect. However, machine2's firewall is configured to DROP all inbound connection attempts. You need to relax that to allow the connection attempt through.

There is a difference between the error message you get when trying to connect to a host where sshd is not listening (or where the firewall is set to REJECT incoming connections) and the one you get when the host does not exist (or where the firewall is set to DROP incoming connections):

ssh: connect to host […] port 22: Connection refused      # Host not listening, or REJECT
ssh: connect to host […] port 22: Connection timed out    # No host, or DROP

Now consider your second attempt:

When I try to connect from machine1 to machine2 using the hostname, I get the following message:

ssh: could not resolve hostname [hostname].local: Name or service not known

This shows that machine1 cannot resolve the name hostname (do you mean machine2?) to an address, so it does not know where to try to connect. Enable Bonjour/Avahi on machine2 so that it can advertise its address to machine1.
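As an added example (not part of the question or of either answer), the following shell script turns the distinction this answer draws into a repeatable diagnostic. It maps ssh's three error lines to the cause described above, probes a port directly so that a DROP rule (timeout), a REJECT rule or closed port (refused) and a name-lookup failure can be told apart without involving ssh at all, and collects the server-side facts that `ufw status numbered` does not show, namely the firewall's default incoming policy and any blocked packets in the kernel log. It assumes bash (for `/dev/tcp`) and coreutils `timeout` on the client; the host names and addresses used are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes bash is installed
# (the probe uses bash's /dev/tcp pseudo-device) and coreutils `timeout`.

# Map an ssh error line to the cause the answer describes.
classify_ssh_error() {
    case "$1" in
        *"Connection refused"*)
            echo "refused: host reachable, but nothing listening on the port or firewall REJECT" ;;
        *"Connection timed out"*)
            echo "timeout: no host/route, or firewall DROP (packets silently discarded)" ;;
        *"could not resolve hostname"*)
            echo "unresolved: name lookup failed (DNS or mDNS for .local), no connection attempted" ;;
        *)
            echo "unknown" ;;
    esac
}

# Probe one TCP port directly and print open / refused / timeout / unresolved.
# `timeout` exits 124 when the connect never completes, which is what a DROP
# rule (or a dead address) looks like; a REJECT rule or a closed port fails
# immediately with "Connection refused".
probe_port() {
    host=$1; port=$2; wait=${3:-3}
    rc=0
    err=$(timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo open
    elif [ "$rc" -eq 124 ]; then
        echo timeout
    else
        case "$err" in
            *refused*)                                          echo refused ;;
            *"timed out"*)                                      echo timeout ;;
            *"not known"*|*"Temporary failure"*|*"resolve"*)    echo unresolved ;;
            *)                                                  echo "error:$rc" ;;
        esac
    fi
}

# Server-side checklist, to be run on machine2 with sudo: what is actually bound
# to port 22, the default incoming policy (only shown by `ufw status verbose`,
# not by `ufw status numbered`), and the last packets ufw logged as blocked.
server_checklist() {
    ss -ltnp 'sport = :22'
    ufw status verbose | grep -i '^Default:'
    dmesg | grep -i 'UFW BLOCK' | tail -n 5
}

# Usage: ./probe.sh <host-or-ip> [port]   (client side)
#        ./probe.sh --server              (on the sshd host, as root)
if [ "$1" = "--server" ]; then
    server_checklist
elif [ $# -ge 1 ]; then
    printf '%s:%s -> %s\n' "$1" "${2:-22}" "$(probe_port "$1" "${2:-22}")"
fi
```

Run the probe from machine1 against machine2's address: a `timeout` result with the machine known to be up confirms the DROP diagnosis this answer gives, while `refused` would instead point at sshd not listening on that interface or at a REJECT rule, and `unresolved` for the `.local` name confirms that the client has no mDNS resolver for it.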
