问题[ssh](unix)

每次我尝试运行时sudo rsnapshot -v alpha都会出现这种类型的错误（我拥有的每个备份条目都会出现错误）：

    ERROR: /usr/bin/rsync returned 255 while processing [email protected]:/etc/
    /usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded \
        --rsh=/usr/bin/ssh -i /home/user/ssh/id_ed25519 \
        [email protected]:/usr/share/ \
        /var/cache/rsnapshot/alpha.0/server_backup/

1. 是的，服务器和本机都安装了rsync
2. 是的，如果我尝试使用这些 root 凭据从远程手动复制一些文件，rsync 就可以正常工作
3. 有一件事可能是它。当我尝试运行 errored out 命令时，它要求在 的参数周围加上引号rsh。否则它会抛出语法错误。但我不确定如何强制 rsnapshot 执行此操作。如果我在 rsh 键周围加上引号来运行 errored out 命令，它也会以 255 代码出错。
4. 防火墙没有阻止 ssh。
5. 服务器仅允许公钥认证
6. 我在 Vultr 上托管我的 ubuntu 服务器

这是我的rsnapshot.conf文件

    #################################################
    # rsnapshot.conf - rsnapshot configuration file #
    #################################################
    #                                               #
    # PLEASE BE AWARE OF THE FOLLOWING RULE:        #
    #                                               #
    # This file requires tabs between elements      #
    #                                               #
    #################################################

    #######################
    # CONFIG FILE VERSION #
    #######################

    config_version  1.2

    ###########################
    # SNAPSHOT ROOT DIRECTORY #
    ###########################

    # All snapshots will be stored under this root directory.
    #
    snapshot_root   /var/cache/rsnapshot/

    # If no_create_root is enabled, rsnapshot will not automatically create the
    # snapshot_root directory. This is particularly useful if you are backing
    # up to removable media, such as a FireWire or USB drive.
    #
    #no_create_root 1

    #################################
    # EXTERNAL PROGRAM DEPENDENCIES #
    #################################

    # LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra features.
    # EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
    #
    # See the README file or the man page for more details.
    #
    cmd_cp      /bin/cp

    # uncomment this to use the rm program instead of the built-in perl routine.
    #
    cmd_rm      /bin/rm

    # rsync must be enabled for anything to work. This is the only command that
    # must be enabled.
    #
    cmd_rsync   /usr/bin/rsync

    # Uncomment this to enable remote ssh backups over rsync.
    #
    cmd_ssh /usr/bin/ssh

    # Comment this out to disable syslog support.
    #
    cmd_logger  /usr/bin/logger

    # Uncomment this to specify the path to "du" for disk usage checks.
    # If you have an older version of "du", you may also want to check the
    # "du_args" parameter below.
    #
    #cmd_du     /usr/bin/du

    # Uncomment this to specify the path to rsnapshot-diff.
    #
    #cmd_rsnapshot_diff /usr/bin/rsnapshot-diff

    # Specify the path to a script (and any optional arguments) to run right
    # before rsnapshot syncs files
    #
    #cmd_preexec    /path/to/preexec/script

    # Specify the path to a script (and any optional arguments) to run right
    # after rsnapshot syncs files
    #
    #cmd_postexec   /path/to/postexec/script

    # Paths to lvcreate, lvremove, mount and umount commands, for use with
    # Linux LVMs.
    #
    #linux_lvm_cmd_lvcreate /sbin/lvcreate
    #linux_lvm_cmd_lvremove /sbin/lvremove
    #linux_lvm_cmd_mount    /bin/mount
    #linux_lvm_cmd_umount   /bin/umount

    #########################################
    #     BACKUP LEVELS / INTERVALS         #
    # Must be unique and in ascending order #
    # e.g. alpha, beta, gamma, etc.         #
    #########################################

    retain  alpha   6
    retain  beta    7
    retain  gamma   4
    #retain delta   3

    ############################################
    #              GLOBAL OPTIONS              #
    # All are optional, with sensible defaults #
    ############################################

    # Verbose level, 1 through 5.
    # 1     Quiet           Print fatal errors only
    # 2     Default         Print errors and warnings only
    # 3     Verbose         Show equivalent shell commands being executed
    # 4     Extra Verbose   Show extra verbose information
    # 5     Debug mode      Everything
    #
    verbose     2

    # Same as "verbose" above, but controls the amount of data sent to the
    # logfile, if one is being used. The default is 3.
    # If you want the rsync output, you have to set it to 4
    #
    loglevel    3

    # If you enable this, data will be written to the file you specify. The
    # amount of data written is controlled by the "loglevel" parameter.
    #
    logfile /var/log/rsnapshot.log

    # If enabled, rsnapshot will write a lockfile to prevent two instances
    # from running simultaneously (and messing up the snapshot_root).
    # If you enable this, make sure the lockfile directory is not world
    # writable. Otherwise anyone can prevent the program from running.
    #
    lockfile    /var/run/rsnapshot.pid

    # By default, rsnapshot check lockfile, check if PID is running
    # and if not, consider lockfile as stale, then start
    # Enabling this stop rsnapshot if PID in lockfile is not running
    #
    #stop_on_stale_lockfile     0

    # Default rsync args. All rsync commands have at least these options set.
    #
    #rsync_short_args   -a
    #rsync_long_args    --delete --numeric-ids --relative --delete-excluded

    # ssh has no args passed by default, but you can specify some here.
    #
    ssh_args    -i /home/user/ssh/id_ed25519

    # Default arguments for the "du" program (for disk space reporting).
    # The GNU version of "du" is preferred. See the man page for more details.
    # If your version of "du" doesn't support the -h flag, try -k flag instead.
    #
    #du_args    -csh

    # If this is enabled, rsync won't span filesystem partitions within a
    # backup point. This essentially passes the -x option to rsync.
    # The default is 0 (off).
    #
    #one_fs     0

    # The include and exclude parameters, if enabled, simply get passed directly
    # to rsync. If you have multiple include/exclude patterns, put each one on a
    # separate line. Please look up the --include and --exclude options in the
    # rsync man page for more details on how to specify file name patterns.
    #
    #include    ???
    #include    ???
    #exclude    ???
    #exclude    ???

    # The include_file and exclude_file parameters, if enabled, simply get
    # passed directly to rsync. Please look up the --include-from and
    # --exclude-from options in the rsync man page for more details.
    #
    #include_file   /path/to/include/file
    #exclude_file   /path/to/exclude/file

    # If your version of rsync supports --link-dest, consider enabling this.
    # This is the best way to support special files (FIFOs, etc) cross-platform.
    # The default is 0 (off).
    #
    #link_dest  0

    # When sync_first is enabled, it changes the default behaviour of rsnapshot.
    # Normally, when rsnapshot is called with its lowest interval
    # (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
    # intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
    # and all interval calls simply rotate files. See the man page for more
    # details. The default is 0 (off).
    #
    #sync_first 0

    # If enabled, rsnapshot will move the oldest directory for each interval
    # to [interval_name].delete, then it will remove the lockfile and delete
    # that directory just before it exits. The default is 0 (off).
    #
    #use_lazy_deletes   0

    # Number of rsync re-tries. If you experience any network problems or
    # network card issues that tend to cause ssh to fail with errors like
    # "Corrupted MAC on input", for example, set this to a non-zero value
    # to have the rsync operation re-tried.
    #
    #rsync_numtries 0

    # LVM parameters. Used to backup with creating lvm snapshot before backup
    # and removing it after. This should ensure consistency of data in some special
    # cases
    #
    # LVM snapshot(s) size (lvcreate --size option).
    #
    #linux_lvm_snapshotsize 100M

    # Name to be used when creating the LVM logical volume snapshot(s).
    #
    #linux_lvm_snapshotname rsnapshot

    # Path to the LVM Volume Groups.
    #
    #linux_lvm_vgpath   /dev

    # Mount point to use to temporarily mount the snapshot(s).
    #
    #linux_lvm_mountpath    /path/to/mount/lvm/snapshot/during/backup

    ###############################
    ### BACKUP POINTS / SCRIPTS ###
    ###############################

    # REMOTE SERVER
    backup  [email protected]:/home/ server_backup/
    backup  [email protected]:/etc/  server_backup/

    #backup_script  /usr/local/bin/backup_pgsql.sh  localhost/postgres/
    # You must set linux_lvm_* parameters below before using lvm snapshots
    #backup lvm://vg0/xen-home/ lvm-vg0/xen-home/

    # EXAMPLE.COM
    #backup_exec    /bin/date "+ backup of example.com started at %c"
    #backup [email protected]:/home/ example.com/    +rsync_long_args=--bwlimit=16,exclude=core
    #backup [email protected]:/etc/  example.com/    exclude=mtab,exclude=core
    #backup_exec    ssh [email protected] "mysqldump -A > /var/db/dump/mysql.sql"
    #backup [email protected]:/var/db/dump/  example.com/
    #backup_exec    /bin/date "+ backup of example.com ended at %c"

    # CVS.SOURCEFORGE.NET
    #backup_script  /usr/local/bin/backup_rsnapshot_cvsroot.sh  rsnapshot.cvs.sourceforge.net/

    # RSYNC.SAMBA.ORG
    #backup rsync://rsync.samba.org/r   syncftp/    rsync.samba.org/rsyncftp/

我的 sshd 日志如下所示：

2025-01-21T16:47:06.445342+00:00 server sshd[2069]: Connection from 99.11.11.11 port 57908 on 151.131.222.222 port 22 rdomain ""
2025-01-21T16:47:06.445890+00:00 server sshd[2069]: debug1: Local version string SSH-2.0-OpenSSH_9.7p1 Ubuntu-7ubuntu4
2025-01-21T16:47:06.446150+00:00 server sshd[2069]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
2025-01-21T16:47:06.446387+00:00 server sshd[2069]: debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 pat OpenSSH* compat 0x04000000
2025-01-21T16:47:06.448025+00:00 server sshd[2069]: debug1: permanently_set_uid: 109/65534 [preauth]
2025-01-21T16:47:06.448401+00:00 server sshd[2069]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2025-01-21T16:47:06.448865+00:00 server sshd[2069]: debug1: SSH2_MSG_KEXINIT sent [preauth]
2025-01-21T16:47:06.473088+00:00 server sshd[2069]: debug1: SSH2_MSG_KEXINIT received [preauth]
2025-01-21T16:47:06.473305+00:00 server sshd[2069]: debug1: kex: algorithm: curve25519-sha256 [preauth]
2025-01-21T16:47:06.473602+00:00 server sshd[2069]: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
2025-01-21T16:47:06.473829+00:00 server sshd[2069]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
2025-01-21T16:47:06.474193+00:00 server sshd[2069]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
2025-01-21T16:47:06.474496+00:00 server sshd[2069]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2025-01-21T16:47:06.502026+00:00 server sshd[2069]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
2025-01-21T16:47:06.509345+00:00 server sshd[2069]: debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
2025-01-21T16:47:06.509768+00:00 server sshd[2069]: debug1: rekey out after 134217728 blocks [preauth]
2025-01-21T16:47:06.510085+00:00 server sshd[2069]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
2025-01-21T16:47:06.510210+00:00 server sshd[2069]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
2025-01-21T16:47:06.510573+00:00 server sshd[2069]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2025-01-21T16:47:06.543286+00:00 server sshd[2069]: debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
2025-01-21T16:47:06.543606+00:00 server sshd[2069]: debug1: SSH2_MSG_NEWKEYS received [preauth]
2025-01-21T16:47:06.543946+00:00 server sshd[2069]: debug1: rekey in after 134217728 blocks [preauth]
2025-01-21T16:47:06.544260+00:00 server sshd[2069]: debug1: KEX done [preauth]
2025-01-21T16:47:06.636933+00:00 server sshd[2069]: debug1: userauth-request for user root service ssh-connection method none [preauth]
2025-01-21T16:47:06.637064+00:00 server sshd[2069]: debug1: attempt 0 failures 0 [preauth]
2025-01-21T16:47:06.638069+00:00 server sshd[2069]: debug1: PAM: initializing for "root"
2025-01-21T16:47:06.641531+00:00 server sshd[2069]: debug1: PAM: setting PAM_RHOST to "99.11.11.11"
2025-01-21T16:47:06.642045+00:00 server sshd[2069]: debug1: PAM: setting PAM_TTY to "ssh"
2025-01-21T16:47:06.664190+00:00 server sshd[2069]: Connection closed by authenticating user root 99.11.11.11 port 57908 [preauth]
2025-01-21T16:47:06.665162+00:00 server sshd[2069]: debug1: do_cleanup [preauth]
2025-01-21T16:47:06.666011+00:00 server sshd[2069]: debug1: monitor_read_log: child log fd closed
2025-01-21T16:47:06.666354+00:00 server sshd[2069]: debug1: do_cleanup
2025-01-21T16:47:06.666609+00:00 server sshd[2069]: debug1: PAM: cleanup
2025-01-21T16:47:06.667644+00:00 server sshd[2069]: debug1: Killing privsep child 2070
2025-01-21T16:47:06.668031+00:00 server sshd[2069]: debug1: audit_event: unhandled event 12

我的 iptables 规则如下：

Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
ACCEPT     udp  --  anywhere             239.200.200.200      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* 'dapp_OpenSSH' */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             dns.google           udp dpt:domain
ACCEPT     tcp  --  anywhere             dns.google           tcp dpt:domain

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination

我的 sshd_config 文件：

PermitRootLogin yes


# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Include /etc/ssh/sshd_config.d/*.conf

# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
#   systemctl daemon-reload
#   systemctl restart ssh.socket
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp  /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

感谢您的关注，希望有人能帮助我解决这个问题。我在这个问题上花了一整天的时间。

如果您认为我可以使用其他工具进行备份，请告诉我。我是系统管理新手，因此非常感激任何帮助！

我正在尝试备份我的项目、数据库和 nginx 环境。为此，我从主服务器进行备份并将其放在 /home/backup/ 中。主服务器上一切正常。

然后，从我的第二台服务器，我创建一个 cron 来通过 SCP 获取该文件。

这是我的命令：

0 13  * * * sudo sshpass -p MyPassword sudo scp -P 40511 -r [email protected]:/home/backup /home

我使用端口 40511 作为 SSH。如果手动启动，该命令可以工作，但使用 cron 则不行。

MyPassword 包含“！”。我尝试过带和不带双引号的情况。

我做错什么了？

当我向 Google 询问 ssh 代理转发如何工作时，它给我提供了许多 SEO 优化垃圾链接，解释了如何配置 ssh-agent。这不是我问的。

我目前遇到一个问题，在 VPN 连接远端的屏幕会话中启动的作业会失败，因为在 VPN 发生故障后它们无法通过 ssh 连接。

通常这些作业依赖于来自源客户端的代理转发来进行连接。我怀疑这里出了什么问题，但更好地了解整个代理转发会有所帮助。

当我从 host0 连接到 hosta 时，host0 上的 ssh-agent 会将我的私钥提供给 host0 上的 ssh 客户端。在 hosta 上，我看到 SSH_AUTH_SOCK 已填充，引用本地套接字。如果我在 hosta 上 ssh hostb，ssh 客户端会以某种方式连接到 host0 上的 ssh-agent。大概是使用 host0-hosta ssh 连接中的备用通道。

hosta 上的 $SSH_AUTH_SOCK 发生了什么？

（fuser $SSH_AUTH_SOCK 表明没有任何东西打开）

就我的屏幕会话而言，如果启动屏幕会话的 ssh 会话已结束，并且我从 host0 到 hosta 启动新的 ssh 会话，那么来自屏幕会话的密钥请求是否会通过新连接发送？

在 FreeBSD 上，我尝试使用以下规则通过端口 22 上的 pf 阻止通过 ssh 进行的暴力破解尝试：

table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/60, \
    overload <bruteforce> flush global)
block in quick from <bruteforce>

我已经使用 上传了配置doas pfctl -f /etc/pf.conf并使用 启用了 pf doas pfctl -e。我正尝试从与配置防火墙的服务器不同的 PC 执行 SSH 暴力攻击（使用 SSH）。但是，当我doas pfctl -t bruteforce -T show在服务器上运行该命令时，没有得到任何结果。暴力攻击正在使用以下命令运行： hydra -l test -P word.txt 192.168.178.82 ssh

使用命令doas tcpdump -i em0 port 22我可以看到请求。

文件/etc/pf.conf配置如下：

set block-policy return

scrub in all fragment reassemble no-df max-mss 1440

nat on em0 from 10.0.0.0/24 to any -> (em0)

set skip on lo0

block in all
block out all

block in quick inet6 all
block out quick inet6 all

pass in quick proto tcp from 192.168.178.0/24 to any port 22 keep state

pass in quick proto tcp to any port 443 keep state
pass out quick proto tcp to any port 443 keep state

pass in quick proto tcp from 127.0.0.1 to 127.0.0.1 port 8080 keep state

pass out quick proto udp from any to any port 53
pass in quick proto udp from any to any port 53

pass out quick on epair1a
pass in quick on epair1a from em0 to any
pass in quick on em0 from 10.0.0.0/24 to any

pass in quick on lo0
pass out quick on lo0


table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/60, \
    overload <bruteforce> flush global)
block in quick from <bruteforce>

和文件 /etc/rc.conf：

#System
clear_tmp_enable="YES"
syslogd_flags="-ss"
hostname="test"
keymap="it.kbd"
sshd_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
auditd_enable="YES"

#Network
ipv6_enable="NO"
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
ipv6_gateway_enable="NO"
ifconfig_em0="DHCP"

#Level 2 ISO/OSI: ipfw
firewall_enable="YES"

#Level 3 ISO/OSI: pf
firewall_enable="YES"
firewall_type="client"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_logif="YES"

# Jails
cbsd_workdir="/home/user/jails"
cbsdd_enable="YES"

文件 /etc/sysctl.conf：

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
vfs.zfs.min_auto_ashift=12

#Network
net.inet6.ip6.enable=0
net.inet6.ip6.forwarding="0"
net.inet.ip.fw.verbose_limit=5

#Hardening
kern.securelevel="1"
hw.kbd.keymap_restrict_change="4"    # disallow keymap changes for non-privileged users
kern.ipc.shm_use_phys="1"            # lock shared memory into RAM and prevent it from being paged out to swap (default 0, disabled)
kern.msgbuf_show_timestamp="1"       # display timestamp in msgbuf (default 0)
kern.randompid="1"                # calculate PIDs by the modulus of the integer given, choose a random int (default 0)
net.inet.icmp.drop_redirect="1"      # no redirected ICMP packets (default 0)
net.inet.ip.check_interface="1"      # verify packet arrives on correct interface (default 0)
net.inet.ip.portrange.first="1024"   # use ports 1024 to portrange.last for outgoing connections (default 10000)
net.inet.ip.portrange.randomcps="999" # use random port allocation if less than this many ports per second are allocated (default 10)
net.inet.ip.random_id="1"            # assign a random IP id to each packet leaving the system (default 0)
net.inet.ip.redirect="0"             # do not send IP redirects (default 1)
net.inet.tcp.always_keepalive="0"    # disable tcp keep alive detection for dead peers, keepalive can be spoofed (default 1)
net.inet.tcp.blackhole="2"           # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.drop_synfin="1"         # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.ecn.enable="0"          # Explicit Congestion Notification disabled unless proper active queue manageme
net.inet.tcp.fast_finwait2_recycle="1" # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST
net.inet.tcp.finwait2_timeout="5000" # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
net.inet.tcp.icmp_may_rst="0"        # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.keepinit="5000"         # establish connection in five(5) seconds or abort attempt (default 75000, 75 secs)
net.inet.tcp.msl="2500"              # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
net.inet.tcp.nolocaltimewait="1"     # remove TIME_WAIT states for the loopback interface (default 0)
net.inet.tcp.path_mtu_discovery="0"  # disable MTU discovery since many hosts drop ICMP type 3 packets (default 1)
net.inet.tcp.rexmit_slop="70"        # reduce the TCP retransmit timer, min+slop=100ms (default 200ms)
net.inet.udp.blackhole="1"           # drop udp packets destined for closed sockets (default 0)
security.bsd.hardlink_check_gid="1"  # unprivileged processes may not create hard links to files owned by other groups (default 0)
security.bsd.hardlink_check_uid="1"  # unprivileged processes may not create hard links to files owned by other users (default 0)
security.bsd.see_other_gids="0"      # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids="0"      # users only see their own processes. root can see all (default 1)
security.bsd.stack_guard_page="1"    # stack smashing protection (SSP), ProPolice, defence against buffer overflows
security.bsd.unprivileged_proc_debug="0" # unprivileged processes may not use process debugging (default 1)
security.bsd.unprivileged_read_msgbuf="0" # unprivileged processes may not read the kernel message buffer (default 1)

你能帮助我理解为什么我无法通过暴力破解来阻止请求，因此看到它们被阻止了吗doas pfctl -t bruteforce -T show？

提前致谢。

我想使用本地终端的命令来备份 openwrt，这很简单，但我的问题在于，当我尝试将备份恢复到本地电脑时，就会出现问题。这是我目前所拥有的，第一部分没问题：

#!/bin/bash

ssh [email protected] sysupgrade --create-backup /tmp/main_backup.tar.gz 

使用该命令，我创建了我的路由器的备份，并且我想将该备份 scp 到我的本地电脑。

当我从 Linux RHEL 8 连接到远程 macOS Sonoma 时ssh -J user@portal user@mac，连接后我运行vim somefile，在退出 Vim 后，我在“页面”的左上角以及 shell 提示符下得到了一些多余的字符：

[>4;m

^{注意：我无法正确捕获这些字节，我不知道该怎么做}

这不是我第一次遇到这个问题，使用不同的本地/远程操作系统组合（Solaris/FreeBSD/AIX/Linux/macOS），但以前我只需要terminfo在远程 NIX 上安装软件包即可解决这个问题。

不过，在 macOS Sonoma 上，RHEL 8 使用的 terminfoxterm-256color已经在 中/usr/share/terminfo/78/xterm-256color，更改TERM为xterm没有帮助。

对于如何修复该问题您有什么想法吗？

过去，每当我尝试ssh连接到服务器而不指定密码时ssh，我都会尝试所有密钥ssh-agent，如果密钥太多，我的 IP 地址可能会因连接失败次数过多而被禁止。

行为似乎已经改变，即使列表中有一个有效键，ssh-agent我也必须将其包含在命令中，例如ssh -i ~/.ssh/alternate-key user@host。

这是由于某些配置设置的改变或可执行文件本身行为的改变造成的ssh。

我对用户仍然可以通过 ssh 访问其帐户已过期的 Linux 机器（Ubuntu 18.04.6 LTS）这一事实感到有些惊讶。

我使用以下命令设置帐户到期日期chage：

sudo chage -l xxxx
Last password change                    : Oct 10, 2024
Password expires                    : never
Password inactive                   : never
Account expires                     : Nov 05, 2024
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7

该帐户于 2024-11-05 到期，但用户仍然可以通过 ssh 访问该帐户。

sshd 服务器或 PAM 中是否有任何配置来强制帐户过期？

据我所知，sshdUsePAM yes和 PAM 应该可以阻止登录，但它唯一做的就是 Your account has expired; please contact your system administrator在 ssh 横幅中打印。

如果我这样做，我会得到相同的结果sudo su xxxx，我确实得到了一个Your account has expired; please contact your system administrator，但无论如何我都会得到 shell 提示符。

目前，我的 git 存储库上有两个远程服务器，一个在我在家时指向 git，另一个在我外出时指向 git-ext。我想简化这一点。下面的 ssh 配置适用于 git 和 git-ext（请注意，match 语句已被注释掉）。如果我取消注释 match 块，据我所知，git 块的行为没有变化。当我在家时，它可以工作，当我外出时，它就不起作用了。

无论我使用 exec 还是 !exec，都没有关系。似乎没有任何变化。我不确定发生了什么，但我不得不说 exec 实际上没有运行。任何帮助都将不胜感激。

这是从 Windows WSL2、Debian 11、OpenSSH_8.4p1 运行的，虽然我也在运行 Debian 12 的 Linux 笔记本电脑上尝试过，结果相同。

host git
  hostname 192.168.1.10
  user git
  identityfile ~/.ssh/id_rsa_git

#match host git !exec "/usr/bin/ping -c1 192.168.1.1"
#  proxyjump  bastion

host example.com
  hostname example.com
  user user
  identityfile ~/.ssh/id_rsa_cloud

host bastion
  hostname 192.168.1.5
  user jump
  identityfile ~/.ssh/id_rsa_bastion
  proxyjump  example.com

host git-ext
  hostname 192.168.1.10
  user git
  identityfile ~/.ssh/id_rsa_git
  proxyjump  bastion

我的nitramfs环境中有一个正在运行的dropbear-initramfs服务器，但我无法让它显示横幅。以下内容工作正常：/etc/dropbear/initramfs/dropbear.conf

...
DROPBEAR_OPTIONS="-I 60 -p 22 -j -k -s -c cryptroot-unlock"
...

但是，指定 banner-file 会导致 dropbear 无法启动，即使/etc/banner&/etc/dropbear/initramfs/banner文件存在且已填充（我甚至尝试打开+x位）

...
DROPBEAR_OPTIONS="-I 60 -p 22 -j -k -s -b /etc/banner -c cryptroot-unlock"
...

使用 更新 initramfsupdate-initramfs -u并检查lsinitramfs /initrd.img | grep banner显示没有横幅文件。重新启动导致 dropbear 无法启动，端口保持关闭状态。我已经验证了这一单一更改是导致 dropbear 无法启动的原因。

我正在运行带有dropbear-initramfs/stable 的Debian 12 ，现在版本是 2022.83-1+deb12u2 。在我之前的 Arch 安装中，只需将其包含在DROPBEAR_OPTIONS中就足以用横幅文件填充 initrd。我是否遗漏了什么？-b /etc/banner