私は RHEL 8 上に Linux 要塞を構築しました。これを「bastion1」(IP: 66.66.66.6) と呼び、まったく同じ機能を実行する古い RHEL 6 要塞「bastion0」(IP: 77.77.77.7) を置き換えます。2 つのサーバーは同じ構成になっています (構成をプッシュするために salt を使用するなど)。IPtables の設定も正常です (必要なエントリはすべて新しい IP 用に複製されているなど)。この問題では、VPN IP が 55.55.55.5、ユーザー名が「user1」であると仮定します。
Linux ラップトップから「bastion1」に ssh で接続し、次に「bastion1」からネットワーク上の他のサーバー (この例では「host1.ournetwork.com」と呼びます) に ssh で接続できました。ここまでは順調です。
ローカル (つまり、ラップトップ) で設定を使用して、ssh が要塞を「飛び越えて」別のホストに到達するようにします。これが機能しない原因です。「ssh host1.ournetwork.com」と入力すると、要塞に移動し、ログインを要求して正常に受け入れた後、「host1」に到達しようとして失敗します。このエラーが発生します...
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
ログを見ると、「host1」のログには何も表示されません。「bastion1」のセキュア ログにはこれが表示されます...
Dec 29 17:25:23 bastion1 sshd[607500]: Accepted password for user1 from 55.55.55.5 port 39028 ssh2
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Dec 29 17:25:23 bastion1 sshd[607505]: error: connect to host1.ournetwork.com port 22 failed: Permission denied
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session closed for user user1
もちろん、具体的な情報は匿名化しています。
私のローカル SSH 構成ファイルにはこれらのエントリが含まれています。
# US2 bastion.
Host bastion1
HostName 66.66.66.6
User user1
port 22
ForwardAgent yes
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
Host *.ournetwork.com
ProxyCommand ssh -A -W %h:%p bastion1
port 22
User user1
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
ローカルで「ssh host1.ournetwork.com」と入力すると、「bastion1」(66.66.66.6) に ssh しようとしてパスワードを要求されます。認証に成功すると、「host1.ournetwork.com」にジャンプし、そこで再度パスワードを要求されます。この設定は、現在の rhel6 bastion で長い間正常に機能しています。IP が「77.77.77.7」だったと仮定します。したがって、「bastion1」がオンラインになったときにローカルで行ったことは、ローカル ssh 構成の IP を 77.77.77.7 から 66.66.66.6 に変更することだけです。
今 ssh を試みたときの結果は次のとおりです...
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
ここに、表示されるはずの内容と、古い要塞「bastion0」を使用して表示される内容を示します...
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
Last login: Tue Dec 29 17:01:29 2020 from 66.66.66.6
何か単純なことを見逃しているだけだと思いますが、私は SSH トンネルなどに詳しくないので、何を見逃したのかわかりません。ご意見は?
追加編集しました...
誰かが「-v」出力を求めるだろうと思ったので、ここに示します。
新しい「bastion1」を使用すると、次のようになります...
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
実際に動作する「bastion0」を使用した場合の結果は次のとおりです...
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to host1.ournetwork.com:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:12Twz9Tp+BLbi91KWZ1gIyA3kNKns64hIK6BXkZcsls
debug1: Host 'host1.ournetwork.com' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:37
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Will attempt key: /home/user1/.ssh/id_rsa
debug1: Will attempt key: /home/user1/.ssh/id_dsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user1/.ssh/id_ed25519
debug1: Will attempt key: /home/user1/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user1/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Server accepts key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Trying private key: /home/user1/.ssh/id_rsa
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug1: Trying private key: /home/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /home/user1/.ssh/id_xmss
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentication succeeded (password).
Authenticated to host1.ournetwork.com (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: proc
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Dec 29 18:25:58 2020 from 77.77.77.7
答え1
原因が分かりました。selinux がブロックしていました。以前監査ログを調べた際にエラーを見逃していましたが、なぜ見逃したのかはわかりません。
type=AVC msg=audit(1609794646.746:434): avc: denied { name_connect } for pid=11043 comm="sshd" dest=22 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
私がしなければならなかったのは、「nis_enabled」ブール値を有効に設定することだけで、問題は解決しました。 :)
setsebool -P nis_enabled=1