Я только что построил linux bastion, назовем его "bastion1" (IP: 66.66.66.6) на RHEL 8, чтобы заменить старый bastion RHEL 6 "bastion0" (IP: 77.77.77.7), который выполняет ту же самую функцию. Оба сервера настроены одинаково (мы используем соль для отправки конфигураций и т. д.), настройка IPtables также в порядке (все необходимые записи были продублированы для нового IP и т. д.). Для этой проблемы предположим, что мой VPN IP - 55.55.55.5, а мое имя пользователя - "user1".
Я могу успешно подключиться по ssh с моего ноутбука Linux к «bastion1», а затем подключиться по ssh с «bastion1» к другим серверам в нашей сети (в этом примере назовем его «host1.ournetwork.com»). Пока все хорошо.
Мы используем конфигурацию локально (т. е. на моем ноутбуке), чтобы ssh "прыгал" через бастион, чтобы попасть на другой хост. Вот что не работает. Когда я говорю "ssh host1.ournetwork.com", он переходит на бастион, запрашивает мой логин, успешно принимает его, затем пытается попасть на "host1", но терпит неудачу. Он выдает эту ошибку...
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Если посмотреть на логи, то "host1" вообще ничего не показывает в журналах. "bastion1" показывает это в защищенном журнале...
Dec 29 17:25:23 bastion1 sshd[607500]: Accepted password for user1 from 55.55.55.5 port 39028 ssh2
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Dec 29 17:25:23 bastion1 sshd[607505]: error: connect to host1.ournetwork.com port 22 failed: Permission denied
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session closed for user user1
Разумеется, я анонимизировал конкретную информацию.
В моем локальном файле конфигурации ssh есть следующие записи...
# US2 bastion.
Host bastion1
HostName 66.66.66.6
User user1
port 22
ForwardAgent yes
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
Host *.ournetwork.com
ProxyCommand ssh -A -W %h:%p bastion1
port 22
User user1
Pubkeyauthentication yes
CertificateFile ~/.ssh/id_rsa-cert.pub
Итак, когда я локально ввожу "ssh host1.ournetwork.com", он пытается подключиться по ssh к "bastion1" (66.66.66.6) и запрашивает пароль. После успешной аутентификации он переходит на "host1.ournetwork.com", где снова запрашивает мой пароль. Эта настройка успешно работает уже долгое время с нашим текущим бастионом rhel6. Предположим, что его IP-адрес был "77.77.77.7". Поэтому все, что я сделал локально, как только "bastion1" подключился, это изменил IP-адрес в моей локальной конфигурации ssh с 77.77.77.7 на 66.66.66.6
Вот что я получаю, когда пытаюсь подключиться по ssh...
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Вот что я должен был увидеть, и что я вижу, используя старый бастион «bastion0»...
→ ssh host1.ournetwork.com
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
Last login: Tue Dec 29 17:01:29 2020 from 66.66.66.6
Думаю, я просто упускаю что-то простое, но я не силен в туннелях ssh и т. п., поэтому не могу понять, что я упустил. Какие мысли?
Отредактировано для добавления...
Подумал, что кто-то попросит вывод «-v», так вот он.
Вот что я вижу при использовании нового «bastion1»...
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Вот что я вижу при использовании «bastion0», и это действительно работает...
→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
[email protected]'s password:
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to host1.ournetwork.com:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:12Twz9Tp+BLbi91KWZ1gIyA3kNKns64hIK6BXkZcsls
debug1: Host 'host1.ournetwork.com' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:37
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Will attempt key: /home/user1/.ssh/id_rsa
debug1: Will attempt key: /home/user1/.ssh/id_dsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user1/.ssh/id_ed25519
debug1: Will attempt key: /home/user1/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user1/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
WARNING!
========================================================
All access to this machine is monitored. The following
actions are criminal offences and it is our company
policy to prosecute against:
** Unauthorised access to this computer
** Unauthorised viewing, copying or deleting data
** Unauthorised tampering of data
** Unauthorised use of this computer to access other computers.
========================================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Server accepts key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Trying private key: /home/user1/.ssh/id_rsa
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug1: Trying private key: /home/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /home/user1/.ssh/id_xmss
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentication succeeded (password).
Authenticated to host1.ournetwork.com (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: proc
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Dec 29 18:25:58 2020 from 77.77.77.7
решение1
Я нашел причину. selinux блокировал меня. Я пропустил ошибку, когда ранее просматривал журнал аудита, хотя не знаю, как я мог ее пропустить.
type=AVC msg=audit(1609794646.746:434): avc: denied { name_connect } for pid=11043 comm="sshd" dest=22 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
Все, что мне нужно было сделать, это установить логическое значение "nis_enabled" в положение enabled, и проблема исчезла. :)
setsebool -P nis_enabled=1