OpenSSH server accepts the public key and immediately closes the connection without any error message

I am trying to connect to an SSH server that I was able to connect to in the past, but now using different OpenSSH client versions.

Starting from a Cygwin OpenSSH_6.6.1, OpenSSL 1.0.1g 7 Apr 2014, going through a Squid proxy using corkscrew, I connect fine to an Ubuntu 13.10 OpenSSH_6.2p2 Ubuntu-6ubuntu0.3 server, using a forwarded agent to get around a firewall that prevents direct access to the target server.

I am able to connect fine to other SSH servers through this intermediate server, which rules out forwarded-agent configuration or permission problems.

The only difference I can see with the failing target server is that it runs an old Debian release with OpenSSH_4.3 that has not been updated for several years, although I was able to connect to it a few months ago (before updating the intermediate server following the Heartbleed bug) and before updating my Cygwin client.

Are there known incompatibility problems between recent OpenSSH clients and agents and older OpenSSH servers?

Connecting from the intermediate server to the target server (s1.hidden.com @63.82.7.10 in the traces) fails without any error message, after the target server has stated that it accepts my forwarded public key and the intermediate server has sent that public key.

In the trace below, both the connection to the intermediate server and the connection attempt to the target server were made with the -vvv option, which explains the channel 1 debug messages involving the forwarded agent (addresses have been changed):

```
[...]
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 46:83:33:00:28:48:b2:3c:b1:3f:60:bb:62:80:cc:d2
debug3: sign_and_send_pubkey: RSA 46:83:33:00:28:48:b2:3c:b1:3f:60:bb:62:80:cc:d2
debug2: channel 1: rcvd eof
debug2: channel 1: output open -> drain
debug2: channel 1: obuf empty
debug2: channel 1: close_write
debug2: channel 1: output drain -> closed
debug1: channel 1: FORCE input drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: send close
Connection closed by 63.82.7.10
root@intermediate-server: ~ $ debug3: channel 1: will not send data after close
debug2: channel 1: rcvd close
debug3: channel 1: will not send data after close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: authentication agent connection, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 3/6 cc -1)
  #1 authentication agent connection (t4 r2 i3/0 o3/0 fd 8/8 cc -1)
```

On a target server where the connection succeeds I can see:

```
debug2: channel 1: input drain -> closed
debug2: channel 1: send close
debug1: Authentication succeeded (publickey).
```

Instead of this on the failing server:

```
debug2: channel 1: input drain -> closed
debug2: channel 1: send close
Connection closed by 63.82.7.10
```

Everything else looks identical apart from the OpenSSH versions and the addresses.

Here is the full -vvv trace from the intermediate server to the target server:

```
OpenSSH_6.2p2 Ubuntu-6ubuntu0.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for s1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to s1.hidden.com [63.82.7.10] port 2222.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [s1.hidden.com]:2222
debug3: load_hostkeys: loading entries for host "[s1.hidden.com]:2222" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b0:07:f4:ce:c7:00:e2:54:23:1c:45:7f:d9:61:41:8a
debug3: put_host_port: [63.82.7.10]:2222
debug3: put_host_port: [s1.hidden.com]:2222
debug3: load_hostkeys: loading entries for host "[s1.hidden.com]:2222" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "[63.82.7.10]:2222" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys
debug1: Host '[s1.hidden.com]:2222' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug2: bits set: 535/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
debug2: fd 8 setting O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug1: channel 1: new [authentication agent connection]
debug1: confirm auth-agent@openssh.com
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/jvincent/.ssh/id_rsa (0xb8485070),
debug2: key: /root/.ssh/id_rsa ((nil)),
debug2: key: /root/.ssh/id_dsa ((nil)),
debug2: key: /root/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jvincent/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 46:83:33:00:28:48:b2:3c:b1:3f:60:bb:62:80:cc:d2
debug3: sign_and_send_pubkey: RSA 46:83:33:00:28:48:b2:3c:b1:3f:60:bb:62:80:cc:d2
debug2: channel 1: rcvd eof
debug2: channel 1: output open -> drain
debug2: channel 1: obuf empty
debug2: channel 1: close_write
debug2: channel 1: output drain -> closed
debug1: channel 1: FORCE input drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: send close
Connection closed by 63.82.7.10
root@intermediate-server: ~ $ debug3: channel 1: will not send data after close
debug2: channel 1: rcvd close
debug3: channel 1: will not send data after close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: authentication agent connection, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 3/6 cc -1)
  #1 authentication agent connection (t4 r2 i3/0 o3/0 fd 8/8 cc -1)
```

One solution collected from the web for “OpenSSH server accepts the public key and immediately closes the connection without any error message”

    The way to debug these problems is to get a second channel/session to the server, then start "`which sshd` -d -p 2222" and watch sshd's output for better information. The culprits in my experience:

    • the user's shell: check /etc/passwd for the user, and check the permissions and the existence of the shell listed for that user
    • check authorized_keys for forced commands on the public key
    • errors in .profile, .*rc, .*env etc.
    • bad permissions on $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys; sshd can be pedantic about that. (However, I don't suspect this, since the server appeared to accept the keys)

    NOTE: it looks like you ran "ssh -vv" on the intermediate server as well, since the debug*: messages after the $ prompt indicate that the intermediate -> target ssh has exited, but now you have some source -> intermediate verbose/debug output interleaved with the debug information you are looking for/at.
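As an added illustration of the checks listed in this answer (this is not the answerer's code), a POSIX shell script that runs them offline: it takes the passwd file and the home directory as arguments so it can be pointed at a copy or a test fixture, and the function names are my own.

```shell
#!/bin/sh
# Added example: offline checks for the post-authentication failure causes the
# answer lists (missing/non-executable login shell, forced commands in
# authorized_keys, permissions that StrictModes rejects). Hypothetical helpers.

# Print USER's login shell from PASSWD_FILE; non-zero exit if the user is absent.
login_shell() { # user passwd_file
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# sshd closes the session right after authentication when the shell listed in
# passwd does not exist or is not executable; report that case.
check_shell() { # user passwd_file
    shell=$(login_shell "$1" "$2") || { echo "no passwd entry for $1"; return 1; }
    [ -x "$shell" ] || { echo "shell $shell for $1 missing or not executable"; return 1; }
}

# True when the group or other write bit is set (parsed from ls -ld, portable).
writable_by_others() { # path
    case "$(ls -ld "$1" | cut -c6,9)" in *w*) return 0 ;; esac
    return 1
}

# Report group/world-writable $HOME, ~/.ssh or authorized_keys.
check_perms() { # home_dir
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ -e "$p" ] && writable_by_others "$p"; then
            echo "$p is group- or world-writable"; rc=1
        fi
    done
    return $rc
}

# List authorized_keys entries carrying a forced command, which replaces
# whatever the client asked for and may exit immediately.
forced_commands() { # home_dir
    grep -n 'command=' "$1/.ssh/authorized_keys" 2>/dev/null
}
```

Run the three checks in turn against the real /etc/passwd and the user's home directory on the target server; any line of output points at one of the culprits above.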
