Acabo de construir un bastión de Linux, llamémoslo "bastion1" (IP: 66.66.66.6) en RHEL 8 para reemplazar un antiguo bastión de RHEL 6 "bastion0" (IP: 77.77.77.7) que realiza exactamente la misma función. Los dos servidores están configurados de la misma manera (usamos salt para enviar configuraciones, etc.). La configuración de IPtables también está bien (todas las entradas necesarias se han duplicado para la nueva IP, etc.). Para este problema, supongamos que mi IP de VPN es 55.55.55.5 y mi nombre de usuario es "usuario1".
Puedo realizar ssh con éxito desde mi computadora portátil Linux a "bastion1", luego ssh desde "bastion1" a otros servidores en nuestra red (en este ejemplo, llamémoslo "host1.ournetwork.com"). Hasta ahora, todo bien.
Usamos una configuración local (es decir, en mi computadora portátil) para hacer que ssh "salte" a través del bastión para llegar a otro host. Esto es lo que no funciona. Cuando digo "ssh host1.ournetwork.com", va al bastión, me solicita mi inicio de sesión, lo acepta correctamente, luego intenta llegar a "host1" y falla. Tira este error...
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Al observar los registros, "host1" no muestra nada en los registros. "bastion1" muestra esto en el registro seguro...
Dec 29 17:25:23 bastion1 sshd[607500]: Accepted password for user1 from 55.55.55.5 port 39028 ssh2
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Dec 29 17:25:23 bastion1 sshd[607505]: error: connect to host1.ournetwork.com port 22 failed: Permission denied
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session closed for user user1
Obviamente he anonimizado la información específica.
Mi archivo de configuración ssh local tiene estas entradas....
# US2 bastion.
Host bastion1
HostName 66.66.66.6
User user1
port 22
ForwardAgent yes
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
Host *.ournetwork.com
ProxyCommand ssh -A -W %h:%p bastion1
port 22
User user1
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
Entonces, cuando escribo localmente "ssh host1.ournetwork.com", intenta enviar ssh a "bastion1" (66.66.66.6) y me pide una contraseña. Cuando se autentica correctamente, salta a "host1.ournetwork.com", donde vuelve a solicitar mi contraseña. Esta configuración ha funcionado exitosamente durante mucho tiempo con nuestro bastión rhel6 actual. Supongamos que su IP era "77.77.77.7". Así que todo lo que hice localmente una vez que "bastion1" se conectó fue cambiar la IP en mi configuración ssh local de 77.77.77.7 a 66.66.66.6
Esto es lo que obtengo cuando intento hacer ssh ahora...
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Esto es lo que debería ver y lo que veo usando el antiguo bastión "bastion0"...
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
Last login: Tue Dec 29 17:01:29 2020 from 66.66.66.6
Supongo que me estoy perdiendo algo simple, pero no soy bueno con los túneles ssh, etc., así que no puedo entender qué me perdí. ¿Pensamientos?
Editado para agregar...
Pensé que alguien pediría una salida "-v", así que aquí está.
Esto es lo que veo usando el nuevo "bastion1"...
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Esto es lo que veo al usar "bastion0", que realmente funciona...
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to host1.ournetwork.com:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:12Twz9Tp+BLbi91KWZ1gIyA3kNKns64hIK6BXkZcsls
debug1: Host 'host1.ournetwork.com' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:37
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Will attempt key: /home/user1/.ssh/id_rsa
debug1: Will attempt key: /home/user1/.ssh/id_dsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user1/.ssh/id_ed25519
debug1: Will attempt key: /home/user1/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user1/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Server accepts key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Trying private key: /home/user1/.ssh/id_rsa
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug1: Trying private key: /home/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /home/user1/.ssh/id_xmss
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentication succeeded (password).
Authenticated to host1.ournetwork.com (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: proc
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Dec 29 18:25:58 2020 from 77.77.77.7
Respuesta1
Encontré la causa. Selinux me estaba bloqueando. Me había perdido el error cuando revisé el registro de auditoría anteriormente, aunque no sé cómo pude haberlo pasado por alto.
type=AVC msg=audit(1609794646.746:434): avc: denied { name_connect } for pid=11043 comm="sshd" dest=22 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
Todo lo que tuve que hacer fue habilitar el valor booleano "nis_enabled" y el problema desapareció. :)
setsebool -P nis_enabled=1