ssh only works in one direction

I have two CentOS 7.2 servers. One machine's IP is 10.104.196.18, the other's is 10.240.197.21. I can ssh from 10.104.196.18 to 10.240.197.21 successfully, but not from 10.240.197.21 to 10.240.196.18.

The ssh log looks like this:

    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to 10.104.196.18 [10.104.196.18] port 6990.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
    debug1: identity file /root/.ssh/id_rsa type 1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1

The sshd log looks like this:

    [root@localhost ~]# /usr/sbin/sshd -dD -p 10000
    debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: key_parse_private2: missing begin marker
    debug1: read PEM private key done: type RSA
    debug1: private host key: #0 type 1 RSA
    debug1: key_parse_private2: missing begin marker
    debug1: read PEM private key done: type ECDSA
    debug1: private host key: #1 type 3 ECDSA
    debug1: private host key: #2 type 4 ED25519
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-dD'
    debug1: rexec_argv[2]='-p'
    debug1: rexec_argv[3]='10000'
    Set /proc/self/oom_score_adj from 0 to -1000
    debug1: Bind to port 10000 on 0.0.0.0.
    Server listening on 0.0.0.0 port 10000.
    debug1: Bind to port 10000 on ::.
    Server listening on :: port 10000.
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    Connection from 10.96.203.72 port 49845 on 10.240.197.21 port 10000

So obviously both the client and the server are stuck waiting in the identification exchange, and we confirmed this from tcpdump by packet analysis.

tcpdump from 10.240.197.21:

    [root@localhost ~]# tcpdump -i enp22s0f3 host 10.104.196.18 -s0 -vv -X -c 1000
    tcpdump: listening on enp22s0f3, link-type EN10MB (Ethernet), capture size 65535 bytes
    13:22:37.402757 IP (tos 0x0, ttl 64, id 25620, offset 0, flags [DF], proto TCP (6), length 60)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [S], cksum 0x9eae (incorrect -> 0x290b), seq 2201485227, win 29200, options [mss 1460,sackOK,TS val 300522431 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c 6414 4000 4006 3828 0af0 c515  E..<d.@.@.8(....
        0x0010:  0a68 c412 ddc2 0016 8337 ffab 0000 0000  .h.......7......
        0x0020:  a002 7210 9eae 0000 0204 05b4 0402 080a  ..r.............
        0x0030:  11e9 9bbf 0000 0000 0103 0307            ............
    13:22:37.403162 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        10.104.196.18.ssh > localhost.localdomain.56770: Flags [S.], cksum 0x2b22 (correct), seq 4104511511, ack 2201485228, win 28960, options [mss 1460,sackOK,TS val 312416107 ecr 300522431,nop,wscale 7], length 0
        0x0000:  4500 003c 0000 4000 3c06 a03c 0a68 c412  E..<..@.<..<.h..
        0x0010:  0af0 c515 0016 ddc2 f4a5 e017 8337 ffac  .............7..
        0x0020:  a012 7120 2b22 0000 0204 05b4 0402 080a  ..q.+"..........
        0x0030:  129f 176b 11e9 9bbf 0103 0307            ...k........
    13:22:37.403219 IP (tos 0x0, ttl 64, id 25621, offset 0, flags [DF], proto TCP (6), length 52)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [.], cksum 0x9ea6 (incorrect -> 0xca29), seq 1, ack 1, win 229, options [nop,nop,TS val 300522431 ecr 312416107], length 0
        0x0000:  4500 0034 6415 4000 4006 382f 0af0 c515  E..4d.@.@.8/....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8010 00e5 9ea6 0000 0101 080a 11e9 9bbf  ................
        0x0030:  129f 176b                                ...k
    13:22:37.403801 IP (tos 0x0, ttl 64, id 25622, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd432), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300522432 ecr 312416107], length 23
        0x0000:  4500 004b 6416 4000 4006 3817 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 9bc0  ................
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:22:37.604502 IP (tos 0x0, ttl 64, id 25623, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd369), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300522633 ecr 312416107], length 23
        0x0000:  4500 004b 6417 4000 4006 3816 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 9c89  ................
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:22:37.808499 IP (tos 0x0, ttl 64, id 25624, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd29d), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300522837 ecr 312416107], length 23
        0x0000:  4500 004b 6418 4000 4006 3815 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 9d55  ...............U
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:22:38.217526 IP (tos 0x0, ttl 64, id 25625, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd104), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300523246 ecr 312416107], length 23
        0x0000:  4500 004b 6419 4000 4006 3814 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 9eee  ................
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:22:39.035515 IP (tos 0x0, ttl 64, id 25626, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xcdd2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300524064 ecr 312416107], length 23
        0x0000:  4500 004b 641a 4000 4006 3813 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 a220  ................
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:22:40.671529 IP (tos 0x0, ttl 64, id 25627, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xc76e), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300525700 ecr 312416107], length 23
        0x0000:  4500 004b 641b 4000 4006 3812 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 a884  ................
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:22:43.947534 IP (tos 0x0, ttl 64, id 25628, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xbaa2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300528976 ecr 312416107], length 23
        0x0000:  4500 004b 641c 4000 4006 3811 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 b550  ...............P
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:22:50.491548 IP (tos 0x0, ttl 64, id 25629, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xa112), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300535520 ecr 312416107], length 23
        0x0000:  4500 004b 641d 4000 4006 3810 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11e9 cee0  ................
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:23:03.579533 IP (tos 0x0, ttl 64, id 25630, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0x6df2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300548608 ecr 312416107], length 23
        0x0000:  4500 004b 641e 4000 4006 380f 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11ea 0200  ................
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:23:29.755543 IP (tos 0x0, ttl 64, id 25631, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0x07b2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300574784 ecr 312416107], length 23
        0x0000:  4500 004b 641f 4000 4006 380e 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11ea 6840  ..............h@
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..
    13:24:22.171532 IP (tos 0x0, ttl 64, id 25632, offset 0, flags [DF], proto TCP (6), length 75)
        localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0x3af1), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300627200 ecr 312416107], length 23
        0x0000:  4500 004b 6420 4000 4006 380d 0af0 c515  E..Kd.@.@.8.....
        0x0010:  0a68 c412 ddc2 0016 8337 ffac f4a5 e018  .h.......7......
        0x0020:  8018 00e5 9ebd 0000 0101 080a 11eb 3500  ..............5.
        0x0030:  129f 176b 5353 482d 322e 302d 4f70 656e  ...kSSH-2.0-Open
        0x0040:  5353 485f 362e 362e 310d 0a              SSH_6.6.1..

tcpdump from 10.104.196.18:

    01:22:37.400147 IP 10.240.197.21.56770 > localhost.localdomain.ssh: Flags [S], seq 2201485227, win 29200, options [mss 1460,sackOK,TS val 300522431 ecr 0,nop,wscale 7], length 0
    01:22:37.400219 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [S.], seq 4104511511, ack 2201485228, win 28960, options [mss 1460,sackOK,TS val 312416107 ecr 300522431,nop,wscale 7], length 0
    01:22:37.400476 IP 10.240.197.21.56770 > localhost.localdomain.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 300522431 ecr 312416107], length 0
    01:22:37.426399 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416133 ecr 300522431], length 23
    01:22:37.626271 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416333 ecr 300522431], length 23
    01:22:37.831584 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416538 ecr 300522431], length 23
    01:22:38.242549 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416949 ecr 300522431], length 23
    01:22:39.065132 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312417772 ecr 300522431], length 23
    01:22:40.709282 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312419416 ecr 300522431], length 23
    01:22:43.997804 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312422704 ecr 300522431], length 23
    01:22:50.574310 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312429281 ecr 300522431], length 23
    01:23:03.725361 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312442432 ecr 300522431], length 23
    01:23:30.029758 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312468736 ecr 300522431], length 23

And I also disabled both firewalls with a script like this:

    systemctl stop firewalld
    systemctl disable firewalld
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F
    iptables -t raw -X
    iptables -t security -F
    iptables -t security -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEP   # this line errors; output: iptables: Bad policy name. Run `dmesg' for more information.

Although there were some errors, the result looks fine:

    [root@localhost examples]# ~/disable_firewall.sh
    iptables: Bad policy name.
    Run `dmesg' for more information.
    [root@localhost examples]# iptables-save
    # Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
    *security
    :INPUT ACCEPT [220:24998]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [109:12506]
    COMMIT
    # Completed on Sat Oct 14 13:08:28 2017
    # Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
    *raw
    :PREROUTING ACCEPT [692:70796]
    :OUTPUT ACCEPT [109:12506]
    COMMIT
    # Completed on Sat Oct 14 13:08:28 2017
    # Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
    *mangle
    :PREROUTING ACCEPT [692:70796]
    :INPUT ACCEPT [220:24998]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [109:12506]
    :POSTROUTING ACCEPT [109:12506]
    COMMIT
    # Completed on Sat Oct 14 13:08:28 2017
    # Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
    *nat
    :PREROUTING ACCEPT [395:43515]
    :INPUT ACCEPT [32:7088]
    :OUTPUT ACCEPT [17:1020]
    :POSTROUTING ACCEPT [17:1020]
    COMMIT
    # Completed on Sat Oct 14 13:08:28 2017
    # Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
    *filter
    :INPUT ACCEPT [220:24998]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [109:12506]
    COMMIT

Both sides can ping each other successfully, so I am confused about how these packets are being lost in one direction only.
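What both captures above show, the same 23-byte segment (seq 1:24) resent with doubling intervals and never acknowledged, can be checked mechanically. This is an added example and not code from the original post; it parses tcpdump summary lines (with or without -vv header detail) and runs over a sample constructed from the first capture above with its hex dump lines left out.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the 10.240.197.21 capture above (IP header
# detail abbreviated, hex dump lines omitted); not the page's own text verbatim.
SAMPLE = """\
13:22:37.403162 IP (ttl 60, length 60) 10.104.196.18.ssh > localhost.localdomain.56770: Flags [S.], cksum 0x2b22 (correct), seq 4104511511, ack 2201485228, win 28960, length 0
13:22:37.403219 IP (ttl 64, length 52) localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [.], cksum 0x9ea6 (incorrect -> 0xca29), seq 1, ack 1, win 229, length 0
13:22:37.403801 IP (ttl 64, length 75) localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd432), seq 1:24, ack 1, win 229, length 23
13:22:37.604502 IP (ttl 64, length 75) localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd369), seq 1:24, ack 1, win 229, length 23
13:22:37.808499 IP (ttl 64, length 75) localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd29d), seq 1:24, ack 1, win 229, length 23
13:22:38.217526 IP (ttl 64, length 75) localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd104), seq 1:24, ack 1, win 229, length 23
13:22:39.035515 IP (ttl 64, length 75) localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xcdd2), seq 1:24, ack 1, win 229, length 23
"""

HEAD_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?(?P<src>\S+) > (?P<dst>\S+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")
SEQ_RE = re.compile(r"\bseq (\d+)(?::(\d+))?")   # "seq 1:24" or "seq 2201485227"
ACK_RE = re.compile(r"\back (\d+)")              # \b keeps "sackOK" from matching
LEN_RE = re.compile(r"length (\d+)$")            # the trailing TCP payload length

def parse(text):
    pkts = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD_RE.match(line)
        if not m:            # hex dump lines ("0x0000: ...") do not match and are skipped
            continue
        h, mi, s = m["ts"].split(":")
        seq, ack, ln = SEQ_RE.search(line), ACK_RE.search(line), LEN_RE.search(line)
        start = int(seq.group(1)) if seq else 0
        pkts.append({"ts": int(h) * 3600 + int(mi) * 60 + float(s), "src": m["src"],
                     "dst": m["dst"], "syn": "S" in m["flags"], "seq": start,
                     "end": int(seq.group(2)) if seq and seq.group(2) else start,
                     "ack": int(ack.group(1)) if ack else None, "len": int(ln.group(1)) if ln else 0})
    return pkts

def find_stalled_segments(text, min_repeats=3):
    """Data segments resent min_repeats+ times while the peer never acked past their end."""
    sent, highest_ack = defaultdict(list), defaultdict(int)
    for p in parse(text):
        if p["len"] > 0:
            sent[(p["src"], p["dst"], p["seq"], p["end"])].append(p["ts"])
        # SYN/SYN-ACK carry absolute ISNs; later lines use relative numbers (seq 1:24, ack 1).
        if p["ack"] is not None and not p["syn"]:
            highest_ack[(p["src"], p["dst"])] = max(highest_ack[(p["src"], p["dst"])], p["ack"])
    return [{"flow": f"{src} > {dst}", "segment": f"{seq}:{end}", "sends": len(t),
             "acked": highest_ack[(dst, src)] >= end,
             "gaps_s": [round(b - a, 1) for a, b in zip(t, t[1:])]}
            for (src, dst, seq, end), t in sent.items() if len(t) >= min_repeats]
```

A handshake that completes while every data segment in both directions is retransmitted until the sender gives up matches the debug logs above stopping right after the connection is established. The cksum ... (incorrect) markers appear only on frames localhost sends and are the usual artifact of transmit checksum offload (the NIC fills in the checksum after tcpdump copies the frame), not corruption.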

According to the logs, you are connecting from the client to port 6990 while listening on port 10000 on the server. Try connecting to and listening on the same port.