방금 Linux 요새를 구축했습니다. 정확히 동일한 기능을 수행하는 이전 RHEL 6 요새 "bastion0"(IP: 77.77.77.7)을 대체하기 위해 RHEL 8에서 "bastion1"(IP: 66.66.66.6)이라고 부르겠습니다. 두 서버는 동일하게 구성되었습니다(구성을 푸시하기 위해 솔트를 사용하는 등). IPtables 설정도 괜찮습니다(새 IP 등에 대해 필요한 모든 항목이 중복되었습니다). 이 문제에서는 내 VPN IP가 55.55.55.5이고 사용자 이름이 "user1"이라고 가정하겠습니다.
내 Linux 노트북에서 "bastion1"로 성공적으로 SSH를 연결할 수 있고, 그런 다음 "bastion1"에서 네트워크의 다른 서버로 SSH를 연결할 수 있습니다(이 예에서는 "host1.ournetwork.com"이라고 함). 여태까지는 그런대로 잘됐다.
우리는 ssh가 요새를 통해 "점프"하여 다른 호스트에 도달하도록 로컬로(예: 내 노트북에서) 구성을 사용합니다. 이것이 작동하지 않는 것입니다. "ssh host1.ournetwork.com"이라고 말하면 요새로 이동하여 내 로그인을 요청하고 성공적으로 수락한 다음 "host1"에 도달하려고 시도하고 실패합니다. 이런 오류가 뜹니다...
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
로그를 보면 "host1"은 로그에 아무것도 표시하지 않습니다. "bastion1"은 보안 로그에 이를 표시합니다...
Dec 29 17:25:23 bastion1 sshd[607500]: Accepted password for user1 from 55.55.55.5 port 39028 ssh2
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Dec 29 17:25:23 bastion1 sshd[607505]: error: connect to host1.ournetwork.com port 22 failed: Permission denied
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session closed for user user1
분명히 특정 정보를 익명화했습니다.
내 로컬 SSH 구성 파일에 다음 항목이 있습니다....
# US2 bastion.
Host bastion1
HostName 66.66.66.6
User user1
port 22
ForwardAgent yes
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
Host *.ournetwork.com
ProxyCommand ssh -A -W %h:%p bastion1
port 22
User user1
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
따라서 로컬에서 "ssh host1.ournetwork.com"을 입력하면 "bastion1"(66.66.66.6)에 ssh를 시도하고 비밀번호를 묻습니다. 성공적으로 인증되면 "host1.ournetwork.com"으로 이동하여 비밀번호를 다시 묻습니다. 이 설정은 현재 rhel6 요새에서 오랫동안 성공적으로 작동했습니다. IP가 "77.77.77.7"이라고 가정해 보겠습니다. 따라서 "bastion1"이 온라인 상태가 된 후 로컬에서 한 일은 로컬 SSH 구성의 IP를 77.77.77.7에서 66.66.66.6으로 변경하는 것뿐이었습니다.
이제 ssh를 시도하면 얻을 수 있는 내용은 다음과 같습니다.
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
여기에 내가 봐야 할 것과 이전 요새 "bastion0"을 사용하여 볼 수 있는 것이 있습니다...
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
Last login: Tue Dec 29 17:01:29 2020 from 66.66.66.6
나는 단지 간단한 것을 놓치고 있다고 생각하지만 SSH 터널 등을 잘 다루지 않아서 무엇을 놓쳤는지 알 수 없습니다. 생각?
추가해서 수정했습니다...
누군가가 "-v" 출력을 요구할 것이라고 생각하여 여기에 있습니다.
새로운 "bastion1"을 사용하여 본 내용은 다음과 같습니다.
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
실제로 작동하는 "bastion0"을 사용하여 본 내용은 다음과 같습니다.
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to host1.ournetwork.com:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:12Twz9Tp+BLbi91KWZ1gIyA3kNKns64hIK6BXkZcsls
debug1: Host 'host1.ournetwork.com' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:37
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Will attempt key: /home/user1/.ssh/id_rsa
debug1: Will attempt key: /home/user1/.ssh/id_dsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user1/.ssh/id_ed25519
debug1: Will attempt key: /home/user1/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user1/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Server accepts key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Trying private key: /home/user1/.ssh/id_rsa
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug1: Trying private key: /home/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /home/user1/.ssh/id_xmss
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentication succeeded (password).
Authenticated to host1.ournetwork.com (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: proc
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Dec 29 18:25:58 2020 from 77.77.77.7
답변1
원인을 찾았습니다. selinux가 나를 차단하고 있었습니다. 이전에 감사 로그를 트롤링할 때 오류를 놓쳤지만 어떻게 놓칠 수 있었는지 모르겠습니다.
type=AVC msg=audit(1609794646.746:434): avc: denied { name_connect } for pid=11043 comm="sshd" dest=22 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
내가 해야 할 일은 "nis_enabled" 부울을 활성화로 설정하는 것뿐이었고 문제는 사라졌습니다. :)
setsebool -P nis_enabled=1