问题[openssh](ubuntu)

您好我正在尝试为 Ubuntu 20.04 安装 openssh-client-hmac。它还不存在吗？我应该降级到 Ubuntu 18.04 吗？

我需要它，因为我正在启用 FIPS，并且正在关注 Ubuntu 18.04 的文档https://security-certs.docs.ubuntu.com/en/fips - 因为我希望它可以在 Ubuntu 20.04 上运行。完整的命令是：

 sudo apt install openssh-client openssh-client-hmac openssh-server openssh-server-hmac openssl libssl1.1 libssl1.1-hmac fips-initramfs linux-fips

从这个列表中，我也无法安装openssh-server-hmac libssl1.1-hmac fips-initramfs linux-fips

所以看起来模式是 Ubuntu 20.04 的 hmac 和 fips 正在进行中？

看起来这个选项在 Ubuntu 20.04 上不再免费？

这个页面https://manpages.ubuntu.com/manpages/focal/man1/ubuntu-advantage.1.html 让我执行命令

sudo ubuntu-advantage enable fips

返回

To use 'fips' you need an Ubuntu Advantage subscription
Personal and community subscriptions are available at no charge
See https://ubuntu.com/advantage

我看到可用的个人使用或企业许可证。小型企业有什么选择吗？

当我输入密码以解锁我的 ssh 密钥时，我勾选了“自动解锁此密钥”选项，所以现在我将自动登录，尽管我不是故意的。我怎样才能恢复这个？

我无法从我的 mac 登录到我的 ubuntu 机器。我尝试了很多东西，但没有任何效果。我正在使用 ubuntu 20.04

这是我尝试过的：

• 安装 openssh-client openssh-server
• 将端口从 22 更改为 2222
• 启动服务器-> lissening 到端口 2222
• 将端口 22 和 2222 添加到 ufw
• 安装并重新安装 openssh-client openssh-server

我可以通过我的 ubuntu 登录到我的 ubuntu ssh localhost -p2222

我无法通过我的 ubuntu 登录到我的 ubuntu ssh name@publicip -p 2222

我无法通过我的 Mac 登录到我的 ubuntu ssh name@publicip -p 2222

我错过了什么？

使用OpenSSH，我已启用 ssh-login 到我的 Ubuntu 18.04 机器，调用它Remote并且我的用户帐户Remote被调用Remote-User。我还确保只能通过公钥身份验证登录。这是问题的实际描述。

我有两台本地机器，分别称为Local-A和Local-B，每台机器都有一个用户，分别称为User-A和User-B。我想限制Remote-User@Remote仅访问User-A和禁止其他用户User-B，无论他们的公钥是否已添加到. 我尝试通过添加行来做到这一点.ssh/authorized_keysRemote-User@Remote

AllowUsers User-A User-B

到，sshd_config但我注意到即使我只是有User-Bssh 访问Remote-User@Remote

AllowUsers User-A

这让我认为任何将公钥添加到文件中Remote-User@Remote的.ssh/authorized_keys用户都可以访问，而不管我尝试使用AllowUsers.

我想知道是否有人对如何解决这个问题有任何建议。请记住，我对这个领域并不精通，所以我可能遗漏了重要信息。如果是这样，请告诉我，我很乐意更新这个问题。

我试图为我的服务器（Ubuntu 20.04）设置一个新的 sftp 用户。我创建了用户my-user，在他的文件中添加了一个公钥，.ssh/authorized_keys并决定在任何事情之前测试 SSH 登录。令我惊讶的是，Putty 在成功登录后立即关闭连接

我尝试从 Windows PowerShell 进行 ssh 并得到相同的结果（成功登录后立即断开连接）

最后，我尝试使用此登录名进行 sftp ... 效果很好，我仍然保持连接

我根本没有为这个用户设置 sftp 限制，所以我不知道是什么原因造成的。

这是我的 /etc/ssh/sshd_config

AcceptEnv LANG LC_*
AllowAgentForwarding no
#AllowGroups sudo
AllowTcpForwarding no
Banner /etc/issue.net
ChallengeResponseAuthentication no
Ciphers [email protected],[email protected],aes256-ctr
ClientAliveCountMax 0
ClientAliveInterval 3600
Compression no
GSSAPIAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
Include /etc/ssh/sshd_config.d/*.conf
KerberosAuthentication no
KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
LogLevel VERBOSE
LoginGraceTime 20
Macs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
MaxAuthTries 3
MaxSessions 10
MaxStartups 10:30:60
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
Port 22
PrintLastLog yes
PrintMotd no
RekeyLimit 512M 1h
StrictModes yes
Subsystem sftp internal-sftp
TCPKeepAlive no
UseDNS no
UsePAM yes
X11Forwarding no

这是包含的唯一其他配置文件：

PermitRootLogin no
DebianBanner no
Protocol 2
LoginGraceTime 10
PasswordAuthentication no
ClientAliveInterval 3600
ClientAliveCountMax 0
AllowUsers ubuntu my-user
X11Forwarding no

最后，这是ssh -vvv my-user@myip认证后的输出：

debug1: Authentication succeeded (publickey).
Authenticated to XXX.XXX.XXX.XXX ([XXX.XXX.XXX.XXX]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing
debug3: Successfully set console output code page from:437 to 65001
debug3: Successfully set console input code page from:437 to 65001
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/my-user/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug3: Successfully set console output code page from 65001 to 437
debug3: Successfully set console input code page from 65001 to 437
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

debug3: send packet: type 1
debug3: Successfully set console output code page from 65001 to 437
debug3: Successfully set console input code page from 65001 to 437
Connection to XXX.XXX.XXX.XXX closed.
Transferred: sent 2912, received 2632 bytes, in 0.3 seconds
Bytes per second: sent 8646.7, received 7815.3
debug1: Exit status 1

我的家庭网络中有两台机器，我想通过 SSH 连接它们。第一台机器安装了本地 ip192.168.1.23和openssh 远程客户端。第二个安装了本地 ip 192.168.1.169和openssh 服务器。

我在第二台机器上启动服务，

sudo systemctl start ssh

然后我去客户端机器并无法连接，

ssh [email protected]:22
ssh: Could not resolve hostname 0.0.0.0:22: Name or service not known

在上述失败之后，我回到服务器机器并检查了ssh服务状态，表明服务器正在监听 0.0.0.0:22。

1. （0.0.0.0:22）可以吗？
2. 如何通过 SSH 建立该连接？
3. 是ssh和sshd一样的服务吗？

我正在运行 Ubuntu 20.04 桌面并且无法通过 SSH 连接到它，出现错误（公钥、密码）。

以下是日志：

ssh -vvv [email protected] 

OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.0.122 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.0.122 [192.168.0.122] port 22.
debug1: Connection established.
debug1: identity file /home/focal/.ssh/id_rsa type 0
debug1: identity file /home/focal/.ssh/id_rsa-cert type -1
debug1: identity file /home/focal/.ssh/id_dsa type -1
debug1: identity file /home/focal/.ssh/id_dsa-cert type -1
debug1: identity file /home/focal/.ssh/id_ecdsa type -1
debug1: identity file /home/focal/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/focal/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/focal/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/focal/.ssh/id_ed25519 type -1
debug1: identity file /home/focal/.ssh/id_ed25519-cert type -1
debug1: identity file /home/focal/.ssh/id_ed25519_sk type -1
debug1: identity file /home/focal/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/focal/.ssh/id_xmss type -1
debug1: identity file /home/focal/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.122:22 as 'titan'
debug3: hostkeys_foreach: reading file "/home/focal/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/focal/.ssh/known_hosts:25
debug3: load_hostkeys: loaded 1 keys from 192.168.0.122
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:DL9fd8mBHQHYpOoW+JPNBHV59zdnLcZ/eSgslpp2MyQ
debug3: hostkeys_foreach: reading file "/home/focal/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/focal/.ssh/known_hosts:25
debug3: load_hostkeys: loaded 1 keys from 192.168.0.122
debug1: Host '192.168.0.122' is known and matches the ECDSA host key.
debug1: Found key in /home/focal/.ssh/known_hosts:25
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/focal/.ssh/id_rsa RSA SHA256:NuGqpwc/RSaS5YDdylCqrdnkobzJVVnKtccq6Ia+omM agent
debug1: Will attempt key: /home/focal/.ssh/id_dsa 
debug1: Will attempt key: /home/focal/.ssh/id_ecdsa 
debug1: Will attempt key: /home/focal/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/focal/.ssh/id_ed25519 
debug1: Will attempt key: /home/focal/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/focal/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/focal/.ssh/id_rsa RSA SHA256:NuGqpwc/RSaS5YDdylCqrdnkobzJVVnKtccq6Ia+omM agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/focal/.ssh/id_dsa
debug3: no such identity: /home/focal/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/focal/.ssh/id_ecdsa
debug3: no such identity: /home/focal/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/focal/.ssh/id_ecdsa_sk
debug3: no such identity: /home/focal/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/focal/.ssh/id_ed25519
debug3: no such identity: /home/focal/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/focal/.ssh/id_ed25519_sk
debug3: no such identity: /home/focal/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/focal/.ssh/id_xmss
debug3: no such identity: /home/focal/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password: 
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.

我需要使用我的 WSL (Ubuntu 20.04) 从服务器获取数据，为此我运行命令

rsync -av -e "ssh -vvv -oPort=5822" 'address'

其中“地址”当然会替换为实际地址。这样做会导致以下错误

OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving 'adress' port 5822
debug2: ssh_connect_direct
debug1: Connecting to 'address' ['ip'] port 5822.
debug1: connect to address 'ip' port 5822: Resource temporarily unavailable
ssh: connect to host 'adress' port 5822: Resource temporarily unavailable
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(235) [Receiver=3.1.3]

最初在线搜索解决方案让我相信防火墙设置导致了这个问题。但是，尽管在 Windows 上关闭了我的防火墙，并在我的 WSL 上禁用了 UFW，但问题仍然存在。

还有什么我应该尝试的吗？

如果您需要有关我的设置的更多信息，请告诉我

我有一个 Ubuntu 18.04 LTS 服务器，我通常通过 Windows 10 Pro (1903) 的 Putty 连接到该服务器，没有问题。最近我收到了来自 Putty 的警告“服务器支持的第一个密钥交换算法是diffie-hellman-group1-sha1，它低于配置的警告阈值。”

我最初试图继续，但令我惊讶的是，当我输入密码时，我得到了拒绝访问。

现在我了解到这个 kex 被认为是遗留的和/或弱/不安全的。我想了解我的服务器上发生了什么变化/可能发生了什么变化来触发这个，因为我可以在没有这个警告的情况下连接？

我可以做什么（如果有的话）将我的服务器重置为出现此问题之前使用的任何内容？我已经尝试重新安装openssh-server和客户端无济于事。我尝试在/etc/ssh/sshd_config文件中添加KexAlgorithms行，但这会导致 ssh 无法启动。

我知道我可以将该 kex 移到 Putty 中的警告线上方以使警告消失，但我不想这样做，就像我上面提到的那样，即使没有警告，我在登录时也收到拒绝访问。

我在 Windows 10 笔记本电脑的 Virtual Box 上安装了 Ubuntu 20.4（包括 Open SSH）作为虚拟机。我安装了 Samba 以允许机器名称连接。

下面显示了端口 22 上的侦听器，以及 SSH 的状态。

我的ssh_config文件中未注释掉的行是：

Include /etc/ssh/ssh_config.d/*.conf 
Host * 
   Port 22 

Match Group filetransfer 
   ChrootDirectory %h 
   X11Forwarding no 
   AllowTcpForwarding no 
   ForceCommand internal-sftp 
   PasswordAuthentication yes
   PubkeyAuthentication no 

我打算先尝试用户/密码身份验证，然后在我开始工作后进行公钥身份验证。

在 Windows 命令提示符下，我可以 ping 机器，但不能对端口 22 执行“telnet”。

我还运行了这个命令来禁用任何防火墙：

sudo ufw disable

从这篇相关文章（如何开始监听端口 22）中，我从 Ubuntu 终端尝试了以下操作：

ssh -vvv localhost 

我不确定那是做什么的，因为我想从我的 Windows 机器连接。它响应以下内容：

debug1: /etc/ssh/ssh_confg line 19: cinclude /etc/ssh/ssh_config.d/*.conf matched no files 
debug1: /etc/ssh/ssh_config lin 21: Applying optiosn for * 
debug2: checking match for "group filetransfer' but localhost original localhost 
Unsupported Match attribute Group 
/etc/ssh/ssh_config line 51: Bad Match condition 

我不确定我是否应该运行它，但也许它表明我ssh_config的不正确？我检查了几个博客。

我按照这里的教程设置用户和组：https ://gist.github.com/lymanlai/3008244

当我安装 Ubuntu 20.4 时，我选中了“安装 OpenSSH 服务器”框，如下所示：