在这个问题上,我遇到了很多关于google / stack的文档。 但没有find任何解决scheme
我在我的局域网中有一个覆盆子pi ssh服务器,我想从互联网(外部局域网)ssh。
我可以在本地ssh(局域网),但如果SSH使用公共IP /开放端口(无论是从局域网/从我的办公室)它拒绝连接。
我的networking拓扑 –
ISP ______(ethernet)> tpLink Router (port forwarded) --------- > raspberry pi (wifi connected with static ip) 我已经扫描了我的公共IP,因为port 22已closures,并find了开放的端口
PORT STATE SERVICE 179/tcp open bgp 2000/tcp open cisco-sccp 8291/tcp open unknown
所以我select了端口8291和8000,并将端口从tplink路由器转发到树莓ssh服务器的静态ip。 我可以用密码在本地轻松SSH入服务器。 但是当我的公网IP(从局域网/外部局域网使用腻子)
ssh -v [email protected] -p 8291 or [email protected] port 8291
它会卡住": Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2"并在一两分钟后给出"ssh_exchange_identification: Connection closed by remote host"其他开放端口给出相同的结果,但速度更快。 (细节)
ssh -v [email protected] -p 8291 OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to public.ip [public.ip] port 8291. debug1: Connection established. # that does mean connection established once debug1: identity file /home/ph03n1x/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/ph03n1x/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/ph03n1x/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/ph03n1x/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/ph03n1x/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/ph03n1x/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/ph03n1x/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/ph03n1x/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 # gets stuck at this stage even with -vvv no debug messgage and ends with following ssh_exchange_identification: Connection closed by remote host
我检查了我的服务器auth.log似乎没有列出日志logging的尝试。 这里是我的networkingnetstat -tupan的一些有用的细节:
sudo netstat -tupan Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:8291 0.0.0.0:* LISTEN 1094/sshd tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 1094/sshd tcp 0 92 192.168.0.117:8291 ESTABLISHED 939/sshd: pi [priv] udp 0 0 0.0.0.0:68 0.0.0.0:* 394/dhcpcd udp 0 0 192.168.0.101:123 0.0.0.0:* 515/ntpd udp 0 0 192.168.0.117:123 0.0.0.0:* 515/ntpd # raspberry pi with static ip udp 0 0 127.0.0.1:123 0.0.0.0:* 515/ntpd udp 0 0 0.0.0.0:123 0.0.0.0:* 515/ntpd udp 0 0 0.0.0.0:5353 0.0.0.0:* 378/avahi-daemon: r udp 0 0 0.0.0.0:48445 0.0.0.0:* 378/avahi-daemon: r udp6 0 0 fe80::1c85:89ee:956:123 :::* 515/ntpd udp6 0 0 ::1:123 :::* 515/ntpd udp6 0 0 :::123 :::* 515/ntpd udp6 0 0 :::5353 :::* 378/avahi-daemon: r udp6 0 0 :::51513 :::* 378/avahi-daemon: r
sshdconfiguration:
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for #Port 22 # changed to following =============== Port 8291 Port 8000 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: # should I listen of the gateway 192.168.0.1 ?? ? ? ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin without-password StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no # is there anything to do with this ? ? ? #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes
远程尝试后的authentication日志,后来我从局域网的Ubuntu的盒子,这是logging在这里(细节)的SSH:
Aug 7 08:06:59 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0) Aug 7 08:06:59 raspberrypi sudo: pam_unix(sudo:session): session closed for user root Aug 7 08:17:01 raspberrypi CRON[1329]: pam_unix(cron:session): session opened for user root by (uid=0) Aug 7 08:17:01 raspberrypi CRON[1329]: pam_unix(cron:session): session closed for user root Aug 7 08:36:33 raspberrypi sshd[956]: Received disconnect from 192.168.0.13: 11: disconnected by user Aug 7 08:36:33 raspberrypi sshd[939]: pam_unix(sshd:session): session closed for user pi Aug 7 08:36:33 raspberrypi systemd-logind[372]: Removed session c3. Aug 7 08:36:50 raspberrypi sshd[1374]: Connection closed by 192.168.0.13 [preauth] Aug 7 08:17:05 raspberrypi systemd-logind[360]: New seat seat0. Aug 7 08:17:05 raspberrypi sshd[469]: Server listening on 0.0.0.0 port 8000. Aug 7 08:17:05 raspberrypi sshd[469]: Server listening on 0.0.0.0 port 8291. Aug 7 08:17:07 raspberrypi login[564]: pam_unix(login:session): session opened for user pi by LOGIN(uid=0) Aug 7 08:17:07 raspberrypi sshd[469]: Received SIGHUP; restarting. Aug 7 08:17:07 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0) Aug 7 08:17:07 raspberrypi systemd-logind[360]: New session c1 of user pi. Aug 7 08:17:07 raspberrypi sshd[469]: Server listening on 0.0.0.0 port 8000. Aug 7 08:17:07 raspberrypi sshd[469]: Server listening on 0.0.0.0 port 8291. Aug 7 08:17:08 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0) Aug 7 08:17:08 raspberrypi systemd-logind[360]: New session c2 of user pi. Aug 7 08:17:10 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c2 (system bus name :1.7 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) Aug 7 14:23:36 raspberrypi sshd[974]: Accepted password for pi from 192.168.0.13 port 42446 ssh2 Aug 7 14:23:36 raspberrypi sshd[974]: pam_unix(sshd:session): session opened for user pi by (uid=0) Aug 7 14:23:36 raspberrypi systemd-logind[360]: New session c3 of user pi.
后来我发现我和ISP之间还有另一个路由器,而不是直接的公共IP(注意tplink pannel)。 它在这方面有什么业务吗?
MAC Address: hex-hex-hex... IP Address: 192.168.120.231 PPPoE Subnet Mask: 255.255.255.0 Default Gateway: 192.168.120.231 DNS Server: 123.456.789.000 , 8.8.4.4 Online Time: 0 day(s) 03:49:20
我的Unix防火墙closures,iptables -L有简单的输出。 那么,我该如何解决这个问题呢?
我之前也有过类似的问题,只是没有一个树莓派..这是因为公共IP和Pi的本地IP是不同的。 所以[email protected]不会工作,我不得不ssh而不通过用户名,让SSH连接,然后要求用户名。 然后使用[email protected]来validation。
西