Please help me solve this problem.
In my opinion, nftables on Server-3 (Debian-10) is blocking the SSH login (from the macOS client).
Additional note concerning all of the information below: distributions such as Ubuntu, Kali and Tails are based on Debian GNU/Linux. I am using Debian GNU/Linux 10 Buster (three servers run Debian-10, and there are two Debian-10 clients/workstations/notebooks). The user "erik" shown below is a regular user account on Debian. I also use a MacBook with macOS Sierra 10.12.6; the user "macUsr" mentioned there is a privileged macOS user account of type "admin" (a.k.a. "Administrator").
Start nftables on the Server-3 computer:
root@SRVR3:~ # systemctl start nftables.service
Error/question: this is what the macOS (SSH client computer) terminal shows while nftables is present/enabled:
macOSbook:~ macUsr$ /usr/bin/ssh -vvv SRVR3_root_sshd
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/macUsr/.ssh/config
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 522: Applying options for SRVR3_root_sshd
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 755: Applying options for *
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug2: resolving "SRVR3.IPv4.ADRS" port 5022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to SRVR3.IPv4.ADRS [SRVR3.IPv4.ADRS] port 5022.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 17829 ms remain after connect
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_NT_eu-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to SRVR3.IPv4.ADRS:5022 as 'root'
debug3: rekey after 104857600 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group18-sha512
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 4106/8192
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:BuDY...IfNg
debug3: verify_host_key_dns
debug1: skipped DNS lookup for numerical hostname
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug1: Host '[SRVR3.IPv4.ADRS]:5022' is known and matches the RSA host key.
debug1: Found key in /Users/macUsr/.ssh/known_hosts:11
debug2: bits set: 4175/8192
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 6553600 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 6553600 blocks
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_NT_eu (0x7fe9d8c1f8b0), explicit, agent
debug2: key: (0x7fe9d8d01ac0), agent
debug2: key: [email protected] (0x7fe9d8d02690), agent
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr (0x7fe9d8d01410), explicit
debug2: key: /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr (0x7fe9d8d014d0), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
Authentication failed.
In my example the error seems to occur during "ssh-userauth": "Authentication failed." appears.
Turn off the (packet-filtering) firewall on the Server-3 computer:
root@SRVR3:~ # systemctl stop nftables.service
This is what the macOS (SSH client) terminal shows while nftables is gone/disabled:
macOSbook:~ macUsr$ /usr/bin/ssh -vvv SRVR3_root_sshd
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/macUsr/.ssh/config
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 522: Applying options for SRVR3_root_sshd
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 755: Applying options for *
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug2: resolving "SRVR3.IPv4.ADRS" port 5022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to SRVR3.IPv4.ADRS [SRVR3.IPv4.ADRS] port 5022.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 17830 ms remain after connect
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to SRVR3.IPv4.ADRS:5022 as 'root'
debug3: rekey after 104857600 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group18-sha512
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 4121/8192
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:BuDY...IfNg
debug3: verify_host_key_dns
debug1: skipped DNS lookup for numerical hostname
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug1: Host '[SRVR3.IPv4.ADRS]:5022' is known and matches the RSA host key.
debug1: Found key in /Users/macUsr/.ssh/known_hosts:11
debug2: bits set: 4153/8192
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 6553600 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 6553600 blocks
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 (0x7ff42f411ff0), explicit, agent
debug2: key: (0x7ff42f412950), agent
debug2: key: [email protected] (0x7ff42f413430), agent
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr (0x7ff42f50e900), explicit
debug2: key: /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr (0x7ff42f50ea30), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,hostbased
debug3: start over, passed a different list publickey,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 2071
debug2: input_userauth_pk_ok: fp SHA256:s+We...4zeM
debug3: sign_and_send_pubkey: RSA SHA256:s+We...4zeM
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to SRVR3.IPv4.ADRS ([SRVR3.IPv4.ADRS]:5022).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env ...
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env ...
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Linux SRVR3 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 15 01:20:03 2019 from cpe-NNN-NNN-NNN-NNN.socal.res.rr.com
root@SRVR3:~#
So you can clearly see above that when nftables is down, the SSH login to Server-3 using strong SSH keys goes through right away (within about 7 seconds).
But I want to log in to the server via SSH while the nftables firewall is on/enabled.
The line numbers above do not match the configuration files shown, because I removed many comments/comment lines to cut the parts that are not needed for public view.
Configuration/settings information on the macOSbook (client) computer side:
The user's SSH configuration and SSH key pair files, with their permissions and ownership:
macOSbook:~ macUsr$ cd ~/.ssh/
macOSbook:.ssh macUsr$ ls -lGA
total 608
-rw-r--r--@ 1 macUsr staff 6148 Jul 25 18:36 .DS_Store
drwx------ 5 macUsr admin 170 Aug 8 23:54 allow_keys
-rw-------@ 1 macUsr admin 57140 Aug 15 04:08 config
drwx------ 2 macUsr admin 68 Jul 25 18:36 disallow_keys
-rw------- 1 macUsr admin 1766 Feb 28 2016 github_rsa
-rw-r-----@ 1 macUsr admin 399 Feb 28 2016 github_rsa.pub
-rw------- 1 macUsr admin 419 Jul 25 05:51 id_ed25519_key_MB_macUsr
-rw-r----- 1 macUsr admin 104 Jul 25 05:51 id_ed25519_key_MB_macUsr.pub
-rw------- 1 macUsr admin 419 Jul 25 05:50 id_ed25519_key_MB_macUsr_to_SRVR1
-rw-r----- 1 macUsr admin 104 Jul 25 05:50 id_ed25519_key_MB_macUsr_to_SRVR1.pub
-rw------- 1 macUsr admin 419 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR2
-rw-r----- 1 macUsr admin 104 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR2.pub
-rw------- 1 macUsr admin 419 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR3
-rw-r----- 1 macUsr admin 104 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR3.pub
-rw------- 1 macUsr admin 12603 Jul 25 05:43 id_rsa-16kb_key_MB_macUsr
-rw-r----- 1 macUsr admin 2796 Jul 25 05:43 id_rsa-16kb_key_MB_macUsr.pub
-rw------- 1 macUsr admin 12603 Jul 25 05:21 id_rsa-16kb_key_MB_macUsr_to_SRVR1
-rw-r----- 1 macUsr admin 2796 Jul 25 05:21 id_rsa-16kb_key_MB_macUsr_to_SRVR1.pub
-rw------- 1 macUsr admin 12603 Jul 25 05:30 id_rsa-16kb_key_MB_macUsr_to_SRVR2
-rw-r----- 1 macUsr admin 2796 Jul 25 05:30 id_rsa-16kb_key_MB_macUsr_to_SRVR2.pub
-rw------- 1 macUsr admin 12603 Jul 25 05:38 id_rsa-16kb_key_MB_macUsr_to_SRVR3
-rw-r----- 1 macUsr admin 2796 Jul 25 05:38 id_rsa-16kb_key_MB_macUsr_to_SRVR3.pub
-rw------- 1 macUsr admin 6363 Jul 25 05:49 id_rsa-8kb_key_MB_macUsr
-rw-r----- 1 macUsr admin 1428 Jul 25 05:49 id_rsa-8kb_key_MB_macUsr.pub
-rw------- 1 macUsr admin 6363 Jul 25 05:44 id_rsa-8kb_key_MB_macUsr_to_SRVR1
-rw-r----- 1 macUsr admin 1428 Jul 25 05:44 id_rsa-8kb_key_MB_macUsr_to_SRVR1.pub
-rw------- 1 macUsr admin 6363 Jul 25 05:47 id_rsa-8kb_key_MB_macUsr_to_SRVR2
-rw-r----- 1 macUsr admin 1428 Jul 25 05:47 id_rsa-8kb_key_MB_macUsr_to_SRVR2.pub
-rw------- 1 macUsr admin 6367 Jul 25 05:48 id_rsa-8kb_key_MB_macUsr_to_SRVR3
-rw-r----- 1 macUsr admin 1428 Jul 25 05:48 id_rsa-8kb_key_MB_macUsr_to_SRVR3.pub
drwx------ 5 macUsr admin 170 Aug 8 23:54 keys_from_others
-rw------- 1 macUsr admin 9467 Aug 8 19:00 known_hosts
The SSH configuration (system-wide) files, with their permissions and ownership:
macOSbook:~ macUsr$ cd /etc/ssh
macOSbook:ssh macUsr$ ls -lGA
total 120
drwxr-x--- 7 macUsr wheel 238 Aug 7 18:19 bak_2019-08-07
-rw-r----- 1 root wheel 553185 Jan 23 2017 moduli
-rw-r----- 1 root wheel 4546 Aug 15 03:46 ssh_config
-rw-r----- 1 root wheel 1676 Jul 30 2016 ssh_config~orig
-rw-r----- 1 root wheel 5333 Aug 10 00:08 sshd_config
-rw-r----- 1 root wheel 4161 Jun 3 2015 sshd_config~previous
I only use 16-kbit RSA keys.
I cannot paste the relevant code (of the configuration files) directly here; StackOverflow/StackExchange overflows beyond 30k!
So I pasted the code/config/etc. into GitHub gists and am sharing the links here.
This is the ~/.ssh/config file of the macOS (SSH client) computer.
This is the /etc/ssh/sshd_config file of the Server-3 (SSH server) computer.
This is the /etc/nftables.conf file of the Server-3 (SSH server) computer.
The SSH configuration and SSH key pair identity files of the Server-3 "root" user, with their permissions and ownership, in the ~/.ssh/ folder:
root@SRVR3:~# ls -aLAlist --color=auto ~/.ssh/
total 100
393217 4 drwx------ 9 root root 4096 Aug 16 03:42 ..
393227 4 drwx------ 2 root root 4096 Aug 8 18:53 .
1711181 4 -rw-r----- 1 root root 2781 Aug 8 18:22 id_rsa_key_SRVR1_To_SRVR3.pub
1711180 4 -rw-r----- 1 root root 2781 Aug 8 18:22 id_rsa_key_SRVR2_To_SRVR3.pub
1711181 4 -rw-r----- 1 root root 2781 Aug 8 18:22 id_rsa_key_DEB1_To_SRVR3.pub
1711180 4 -rw-r----- 1 root root 2781 Aug 8 18:22 id_rsa_key_DEB2_To_SRVR3.pub
1711179 4 -rw-r----- 1 root root 2796 Aug 8 18:22 id_rsa-16kb_key_MB_macUsr_to_SRVR3.pub
1711178 4 -rw-r----- 1 root root 2781 Aug 8 18:21 id_rsa_key_SRVR3.pub
1711175 16 -rw------- 1 root root 12717 Aug 8 18:21 id_rsa_key_SRVR3_To_SRVR1
1711176 4 -rw-r----- 1 root root 2781 Aug 8 18:21 id_rsa_key_SRVR3_To_SRVR1.pub
1711171 16 -rw------- 1 root root 12717 Aug 8 18:21 id_rsa_key_SRVR3_To_SRVR2
1711174 4 -rw-r----- 1 root root 2781 Aug 8 18:21 id_rsa_key_SRVR3_To_SRVR2.pub
1711177 16 -rw------- 1 root root 12717 Aug 8 18:21 id_rsa_key_SRVR3
1705032 4 -rw------- 1 root root 399 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR2
1705033 4 -rw-r----- 1 root root 89 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR2.pub
1705030 4 -rw------- 1 root root 399 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR1
1705031 4 -rw-r----- 1 root root 89 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR1.pub
393228 12 -rw------- 1 root root 10103 Aug 2 18:06 authorized_keys
393223 8 -rw------- 1 root root 4300 Jul 25 22:24 known_hosts
The SSH configuration and SSH host key pair files in Server-3's /etc/ssh/ folder, with their permissions and ownership:
root@SRVR3:~# ls -aLAlist --color=auto /etc/ssh/
total 760
1704605 4 drwxr-xr-x 6 root root 4096 Aug 14 22:38 .
1703937 4 drwxr-xr-x 96 root root 4096 Aug 14 22:31 ..
1704958 20 -rw-r----- 1 root root 17775 Aug 14 19:10 sshd_config
1704606 36 -rw-r--r-- 1 root root 33098 Aug 7 23:01 ssh_config
1704954 4 -rw-r----- 1 root root 2781 Jul 23 06:00 ssh_host_rsa_key_SRVR3.pub
1704927 16 -rw------- 1 root root 12717 Jul 23 06:00 ssh_host_rsa_key_SRVR3
1704291 4 -rw------- 1 root root 399 Jul 23 05:58 ssh_host_ed25519_key_SRVR3
1704920 4 -rw-r----- 1 root root 89 Jul 23 05:58 ssh_host_ed25519_key_SRVR3.pub
1704047 4 drwxr-x--- 2 root root 4096 Jul 23 05:57 bak
1704625 552 -rw-r----- 1 root root 565189 Apr 8 03:13 moduli
Please help me find and fix the problem so that macOS / all SSH clients can log in to the SSH server while nftables is enabled.
Edit: added the list of file permissions + ownership on Server-3.
Answer 1
When using large SSH keys and SSH connections with the nftables firewall, the whole SSH authentication process takes longer, because SSH needs a bit more time to process and pass through the various components, and the time settings I had specified/configured were not sufficient.
With nftables disabled, an SSH connection from the old macOS system to Server-3 usually takes about 10 seconds. (So when nftables is not loaded/running, my initial time settings of 20 or 18 seconds were enough.)
But when nftables is loaded, up and enabled on the SSH server, the old macOS system (together with the nftables network packet filtering activity on the server side, etc.) needs another 15-20 seconds to complete this SSH authentication process.
This is the solution: increase the timeout/interval/activity-length values (ServerAliveInterval + ServerAliveCountMax and ClientAliveInterval + ClientAliveCountMax), or remove the timeout settings (use the default values), as follows:
Remove/disable (or comment out) these lines in the ~/.ssh/config file of the macOS SSH client computer:
# ConnectTimeout 30
# ConnectTimeout 15
# ConnectTimeout 18
# ConnectionAttempts 1
I changed the following settings/lines in the ~/.ssh/config file.
From:
ServerAliveInterval 20
ServerAliveCountMax 1
The settings above keep the connection active for only 20 x 1 = 20 seconds.
To:
ServerAliveInterval 18
ServerAliveCountMax 2
The settings above keep the connection alive for 18 x 2 = 36 seconds.
I changed the following settings/lines in the /etc/ssh/sshd_config file of the Debian-10 server system:
From:
ClientAliveInterval 30
ClientAliveCountMax 1
The settings above keep the connection active for only 30 x 1 = 30 seconds.
To:
ClientAliveInterval 18
ClientAliveCountMax 2
The settings above keep the connection alive for 18 x 2 = 36 seconds.
Reference information from man ssh_config (macOS):
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are being
sent, ssh will disconnect from the server, terminating the session.
It is important to note that the use of server alive messages is
very different from TCPKeepAlive (below). The server alive messages
are sent through the encrypted channel and therefore will not be
spoofable. The TCP keepalive option enabled by TCPKeepAlive is
spoofable. The server alive mechanism is valuable when the client
or server depend on knowing when a connection has become inactive.
The default value is 3. If, for example, ServerAliveInterval (see
below) is set to 15 and ServerAliveCountMax is left at the default,
if the server becomes unresponsive, ssh will disconnect after
approximately 45 seconds.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been
received from the server, ssh(1) will send a message through the
encrypted channel to request a response from the server.
The default is 0, indicating that these messages will not be sent
to the server.
ConnectionAttempts
Specifies the number of tries (one per second) to make before exiting.
The argument must be an integer. This may be useful in scripts if
the connection sometimes fails. The default is 1.
ConnectTimeout
Specifies the timeout (in seconds) used when connecting to the SSH
server, instead of using the default system TCP timeout. This value
is used only when the target is down or really unreachable, not
when it refuses the connection.
Reference information from man sshd_config (Debian Server-3):
ClientAliveCountMax
Sets the number of client alive messages which may be sent without
sshd(8) receiving any messages back from the client. If this threshold
is reached while client alive messages are being sent, sshd will
disconnect the client, terminating the session. It is important to
note that the use of client alive messages is very different from
TCPKeepAlive. The client alive messages are sent through the
encrypted channel and therefore will not be spoofable. The TCP
keepalive option enabled by TCPKeepAlive is spoofable.
The client alive mechanism is valuable when the client or server
depend on knowing when a connection has become inactive.
The default value is 3. If ClientAliveInterval is set to 15, and
ClientAliveCountMax is left at the default, unresponsive SSH clients
will be disconnected after approximately 45 seconds.
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been
received from the client, sshd(8) will send a message through the
encrypted channel to request a response from the client. The default
is 0, indicating that these messages will not be sent to the client.
After changing the settings described in the paragraphs above, all SSH client computers can now connect to the SSH server even while nftables is on/active. Currently a connection via SSH takes about 35-45 seconds while the nftables firewall is on/active.
I want to be able to re-create another SSH tunnel within 20-40 seconds, so I will have to fine-tune these settings/time values further (on the client and on the Debian SSH server).
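As an added example (not code from the original post or from OpenSSH), the following Python script parses ssh_config/sshd_config fragments like the ones in the answer, applies the defaults quoted from the man pages above, and reports whether a given login duration fits inside the smaller of the client-side and server-side keep-alive windows. The config texts and the 28-second login time are constructed sample values modelled on the "From:"/"To:" settings in the answer.

```python
"""Effective SSH keep-alive windows from ssh_config / sshd_config fragments.

Added example (not code from the original post or from OpenSSH). It applies
the defaults quoted from the man pages in the answer and reports whether a
given login duration fits inside the smaller of the client-side and
server-side keep-alive windows. All config texts and timings below are
constructed sample values modelled on the settings discussed in the answer.
"""
import re
from typing import Dict, Optional

# Defaults as quoted from man ssh_config / man sshd_config on this page.
DEFAULTS = {
    "serveraliveinterval": 0, "serveralivecountmax": 3,
    "clientaliveinterval": 0, "clientalivecountmax": 3,
}

# 'Key Value' or 'Key=Value'; keywords are case-insensitive in OpenSSH.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)$")


def parse_config(text: str) -> Dict[str, str]:
    """Flatten a config fragment into {lowercase keyword: value}.

    Comments are stripped, Host/Match headers are ignored (the fragment is
    assumed to belong to a single block), and the FIRST occurrence of a
    keyword wins, which is how both ssh(1) and sshd(8) resolve duplicates.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            continue
        cfg.setdefault(key, value)
    return cfg


def alive_window(cfg: Dict[str, str], interval_key: str, count_key: str) -> Optional[int]:
    """Seconds of silence before the alive mechanism disconnects, or None
    when the interval is 0 (alive messages are never sent, so no such limit)."""
    interval = int(cfg.get(interval_key, DEFAULTS[interval_key]))
    count = int(cfg.get(count_key, DEFAULTS[count_key]))
    if interval <= 0:
        return None
    return interval * count


def check_login_window(client_cfg: str, server_cfg: str, login_seconds: int) -> dict:
    """Compare an observed login duration with the effective keep-alive window."""
    client = parse_config(client_cfg)
    server = parse_config(server_cfg)
    client_window = alive_window(client, "serveraliveinterval", "serveralivecountmax")
    server_window = alive_window(server, "clientaliveinterval", "clientalivecountmax")
    limits = [w for w in (client_window, server_window) if w is not None]
    effective = min(limits) if limits else None  # the tighter side disconnects first
    connect_timeout = client.get("connecttimeout")
    return {
        "client_window": client_window,
        "server_window": server_window,
        "effective_window": effective,
        "connect_timeout": int(connect_timeout) if connect_timeout else None,
        "login_fits": effective is None or login_seconds <= effective,
    }


# Constructed samples modelled on the 'From:' and 'To:' settings in the answer.
CLIENT_BEFORE = "ServerAliveInterval 20\nServerAliveCountMax 1\nConnectTimeout 18\nConnectionAttempts 1\n"
SERVER_BEFORE = "ClientAliveInterval 30\nClientAliveCountMax 1\n"
CLIENT_AFTER = "ServerAliveInterval 18\nServerAliveCountMax 2\n# ConnectTimeout 18\n"
SERVER_AFTER = "ClientAliveInterval 18\nClientAliveCountMax 2\n"

if __name__ == "__main__":
    # 28 s is a constructed login time: ~10 s baseline plus the extra 15-20 s
    # the answer attributes to the nftables-enabled server.
    for label, c, s in (("before", CLIENT_BEFORE, SERVER_BEFORE),
                        ("after", CLIENT_AFTER, SERVER_AFTER)):
        print(label, check_login_window(c, s, 28))
```

Running it shows the "before" pair capped at 20 seconds by the client side, while the "after" pair allows 36 seconds, which still falls short of the 45-second logins the answer reports at the upper end.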