Unable to connect via SSH within the local network

Today I noticed something very strange:

I have a server on my local network (running Ubuntu Server 12.04.4 LTS) whose SSH port is reachable from the Internet (I can connect to it using ssh my.internet.ip.address).

However, I only realized today that I cannot connect to it from within the local network (ssh its.local.ip.address fails with no error).

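I checked /etc/hosts.deny and explicitly added my computer to /etc/hosts.allow, but that didn't change anything. Of course, I also tried restarting ssh and the whole server. No new updates are available.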

The local connection fails:

myself@my-desktop ~ $ ssh -v its.local.ip.address
OpenSSH_6.2p2 Ubuntu-6ubuntu0.4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to its.local.ip.address [its.local.ip.address] port 22.
debug1: Connection established.
debug1: identity file /home/myself/.ssh/id_rsa type -1
debug1: identity file /home/myself/.ssh/id_rsa-cert type -1
debug1: identity file /home/myself/.ssh/id_dsa type -1
debug1: identity file /home/myself/.ssh/id_dsa-cert type -1
debug1: identity file /home/myself/.ssh/id_ecdsa type -1
debug1: identity file /home/myself/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by its.local.ip.address
myself@my-desktop ~ $ 

However, the remote connection works:

myself@my-desktop ~ $ ssh -v my.internet.ip.address
OpenSSH_6.2p2 Ubuntu-6ubuntu0.4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to my.internet.ip.address [my.internet.ip.address] port 22.
debug1: Connection established.
debug1: identity file /home/myself/.ssh/id_rsa type -1
debug1: identity file /home/myself/.ssh/id_rsa-cert type -1
debug1: identity file /home/myself/.ssh/id_dsa type -1
debug1: identity file /home/myself/.ssh/id_dsa-cert type -1
debug1: identity file /home/myself/.ssh/id_ecdsa type -1
debug1: identity file /home/myself/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA [... hidden here ...]
debug1: Host 'my.internet.ip.address' is known and matches the ECDSA host key.
debug1: Found key in /home/myself/.ssh/known_hosts:4
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
[email protected]'s password: 
[ ... everything works just fine ... ]

What is the cause of this problem and, more importantly, how can I fix it?

Note: increasing the verbosity (ssh -vvv) does not show anything additional at the point where the two outputs diverge.

Answer 1

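The server is deciding to drop the connection, so you will have to debug the problem from the server side. If you have "root" access on the server, you can run sshd interactively: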

/path/to/sshd -ddd -p 42

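This will start a listening copy of sshd on port 42 in debug mode (you can specify a different number). It will run in the foreground, accept a single connection, and print debug information to your terminal.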

Now connect with your client:

ssh -v -p 42 its.local.ip.address

With any luck, the server-side debug messages should indicate why it is dropping the session.
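To confirm from the client side where the server closes the connection, the two ssh -v logs in the question can be compared milestone by milestone. This is an added example, not code from the original answers; the function names and stage labels are hypothetical, and the sample logs are excerpts of the lines shown in the question.

```python
import re

# Handshake milestones in the order `ssh -v` prints them (strings from the logs above).
STAGES = [
    ("tcp_connected", "debug1: Connection established"),
    ("version_exchanged", "debug1: Remote protocol version"),
    ("kexinit_exchanged", "debug1: SSH2_MSG_KEXINIT received"),
    ("kex_ecdh_init_sent", "debug1: sending SSH2_MSG_KEX_ECDH_INIT"),
    ("host_key_received", "debug1: Server host key:"),
    ("newkeys_received", "debug1: SSH2_MSG_NEWKEYS received"),
    ("userauth_offered", "debug1: Authentications that can continue"),
]
CLOSED = re.compile(r"^Connection closed by (\S+)")

def stages_reached(log):
    """Return (milestones seen, in order; host that closed the connection or None)."""
    seen, closed_by, nxt = [], None, 0
    for line in log.splitlines():
        m = CLOSED.match(line.strip())
        if m:
            closed_by = m.group(1)
            break
        for i in range(nxt, len(STAGES)):  # tolerate a skipped milestone
            if STAGES[i][1] in line:
                seen.append(STAGES[i][0])
                nxt = i + 1
                break
    return seen, closed_by

def first_missing_stage(failing_log, working_log):
    """Name the first milestone the working session reached and the failing one did not."""
    failed = stages_reached(failing_log)[0]
    worked = stages_reached(working_log)[0]
    return next((s for s in worked if s not in failed), None)

# Excerpts of the question's two logs (shortened to the milestone lines).
COMMON = """\
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: SSH2_MSG_KEXINIT received
debug1: sending SSH2_MSG_KEX_ECDH_INIT
"""
LOCAL_LOG = COMMON + "Connection closed by its.local.ip.address\n"
REMOTE_LOG = COMMON + """\
debug1: Server host key: ECDSA [... hidden here ...]
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: password
"""
```

For these logs the first missing stage is host_key_received: the server closes the session after the client sends SSH2_MSG_KEX_ECDH_INIT and before any reply arrives, so the reason has to be read from the server-side debug output.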

Answer 2

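I assume the client computer is the same in both captures (even though the prompts differ). Since the TCP connection is allowed, this may be related to reverse DNS and/or a deny policy in the sshd configuration.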

Try turning off DNS on the server side (using UseDNS=no in sshd_config) and restart sshd (kill -1 is enough).

Answer 3

This bug has reportedly affected several users.

When on the local network, try ssh -X to disable X forwarding.

Also, the maximum transmission unit [MTU] may need to be adjusted to the ssh_server's MTU.

If this doesn't work locally, try:

 myself@my-desktop ~ $ ssh -v my.internet.ip.address

If it can go out of your network and then come back...

The server may be misconfigured; check the "allowed users" in sshd_config, as well as where known_host is stored, and add the local.ip.address version for the user "myself".

A copy of sshd might help.