Questions tagged [ssh] (unix)

toraritte
Asked: 2025-04-23 11:18:23 +0800 CST

How do I connect to and browse a remote server's files through Midnight Commander's Shell link (copying files over SSH) if the private key requires a passphrase?

  • 5

There is no shortage of useful articles and answers on how to set up ~/.ssh/config (this one, for example, is quite good), but none of them cover what to do when the private key is also passphrase-protected.

ssh
  • 1 answer
  • 19 Views
Manuel Jordan
Asked: 2025-04-17 22:50:25 +0800 CST

SSH: how to verify a key's passphrase without attempting an ssh connection?

  • 6

Regarding SSH, I know the following command works:

ssh -i id_rsa <username>@<ip>

Of course:

  • the remote server must be up and running
  • the passphrase for id_rsa is requested, and if it is valid the SSH connection proceeds normally

So far, so good.


I want to know whether it is possible to test the passphrase without attempting to connect to the remote server. For example:

  • if the server is down for maintenance, I need to verify that the passphrase is correct

Keep in mind: if the server is down, the ssh -i id_rsa <username>@<ip> command cannot be executed.

If it is possible:

Question

  • How to verify a key's passphrase without attempting an ssh connection?

So something like:

<command-requested> id_rsa
Write passphrase: <once written>
Passphrase is correct
ssh
  • 2 answers
  • 51 Views
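An offline check of the kind the question asks for, as an added example (not code from the question or its answers): `ssh-keygen -y` decrypts the private key and prints its public half, so it fails with a non-zero exit status when the passphrase is wrong and never touches the network. The only assumption is that OpenSSH's `ssh-keygen` is on PATH; the key used in the demo is generated on the spot.

```shell
#!/bin/sh
# Added example, not from the original post: test a private key's passphrase
# offline. ssh-keygen -y only decrypts the key and prints its public half, so
# it needs no server. Assumes OpenSSH's ssh-keygen is on PATH.

# check_passphrase KEYFILE PASSPHRASE
# Returns 0 when PASSPHRASE decrypts KEYFILE, non-zero otherwise.
# -P supplies the passphrase non-interactively; </dev/null guarantees that a
# wrong passphrase can never fall back to a terminal prompt.
check_passphrase() {
    ssh-keygen -y -f "$1" -P "$2" </dev/null >/dev/null 2>&1
}

# Interactive variant matching the wording in the question: prompt once, report.
verify_key() {
    printf 'Write passphrase: '
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; echo
    if check_passphrase "$1" "$pass"; then
        echo 'Passphrase is correct'
    else
        echo 'Passphrase is wrong (or the file is not a readable private key)'
        return 1
    fi
}

# Self-contained demo with a constructed key; no network involved.
demo() {
    tmp=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N 'correct horse' -f "$tmp/id_test" -C demo </dev/null \
        || { rm -rf "$tmp"; return 1; }
    # The right passphrase must be accepted ...
    check_passphrase "$tmp/id_test" 'correct horse' || { rm -rf "$tmp"; return 1; }
    # ... and a wrong one must be rejected.
    check_passphrase "$tmp/id_test" 'battery staple' && { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    echo 'demo: correct passphrase accepted, wrong passphrase rejected'
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Usage: `sh check_key.sh --demo` runs the self-test; `verify_key ~/.ssh/id_rsa` gives the prompt-once-and-report behaviour from the question. The same exit status is what you would gate on in a script before loading the key into an agent.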
EmberNeurosis
Asked: 2025-04-13 03:11:21 +0800 CST

Using mktemp over SSH

  • 5

I want to use mktemp to create a temporary directory on a remote machine, then move certain files on the remote machine into that directory.

I tried the following:

ssh "$target" "mv $HOME/scripts/* $(mktemp -d -t scripts.XXXXXX)"

But the remote machine reports an error saying no such file was created. Is there a way around this?

ssh
  • 1 answer
  • 37 Views
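The quoting in the posted command is the crux: inside double quotes, `$HOME` and `$(mktemp -d ...)` are expanded by the local shell before `ssh` is even started, so the remote `mv` is handed a directory path that exists only on the local machine. The script below, an added example rather than code from the question, contrasts that with the single-quoted form, in which the whole string reaches the remote login shell verbatim. To keep it runnable offline, `remote()` stands in for `ssh "$target"` by running the string in a fresh `sh -c`, which is how sshd hands a command to the login shell.

```shell
#!/bin/sh
# Added example, not from the original post. In the command
#   ssh "$target" "mv $HOME/scripts/* $(mktemp -d -t scripts.XXXXXX)"
# the local shell expands $HOME and runs $(mktemp -d ...) *before* ssh starts, so
# mv on the remote host is told to move files into a directory that exists only
# on the local machine. Single quotes hand the text to the remote shell untouched,
# so both the expansion and mktemp happen there.

# Stand-in for `ssh "$target" "$cmd"` so the example runs offline: sshd hands the
# command string to the login shell in exactly this way. For real use replace with:
#   remote() { ssh "$target" "$1"; }
remote() { sh -c "$1"; }

# Wrong: returns the command string exactly as the remote side would receive it.
# The temp directory it names was created locally, as a side effect of building
# the string, which is why the remote mv cannot find it.
naive_command() {
    printf '%s\n' "mv $HOME/scripts/* $(mktemp -d -t scripts.XXXXXX)"
}

# Right: everything between the single quotes reaches the remote shell verbatim;
# the remote shell creates the directory, moves the files and prints the path.
move_scripts_remote() {
    remote 'd=$(mktemp -d -t scripts.XXXXXX) || exit 1
            mv -- "$HOME"/scripts/* "$d" || exit 1
            printf "%s\n" "$d"'
}
```

Running `move_scripts_remote` prints the remote directory it created, which is the value you want back anyway if a later step has to clean it up.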
greenbug
Asked: 2025-04-11 01:38:00 +0800 CST

Cannot SSH in as a user whose workload is heavy

  • 7

I have a small server running the latest Ubuntu LTS release. I use it to run some fairly heavy code. The last few times I have noticed that if a task is using a lot of resources (not the maximum, but close to 70% of RAM/CPU), it will not let me log in as the user who started that task. It hangs for about 15 seconds and then times out. It does let me log in normally as other users, though. As far as I know, I have not set up any user-specific resource management limits. I am somewhat confused about how to troubleshoot this, so any suggestions would be very helpful.

At the end of the day, I do not really mind that it blocks the user from logging in, because if I need to log in as that user I can always kill the resource-hogging process. I am more curious about why this happens.

ssh
  • 1 answer
  • 50 Views
MysteryMoose
Asked: 2025-04-03 05:32:57 +0800 CST

SELinux blocks SSH from a systemd service

  • 5

Background

I am setting up an rsync backup over SSH as a systemd service. Due to a local SELinux issue it ultimately fails to run; here is a minimal reproducible example:

[Unit]
Description=Rsync backup service

[Service]
Type=oneshot
User=myuser
ExecStart=/usr/bin/ssh -vvv 192.168.1.10 "ls -lah"

If I run setenforce 0 before starting the service, everything works and I get the requested directory listing. But if SELinux is enforcing, I get this error from systemd:

Starting backup.service - Rsync backup service...
backup.service: Main process exited, code=exited, status=203/EXEC
backup.service: Failed with result 'exit-code'.
Failed to start backup.service - Rsync backup service

Likewise, if I run it through systemd with rsync, I see the child process terminate with -13:

rsync: [sender] Failed to exec /usr/bin/ssh: Permission denied (13)

What I have checked

  • Regardless of the SELinux enforcing state, all commands work as expected when run from a terminal.

  • I am running as my user (ExecStart=/usr/bin/whoami):

    whoami[726624]: myuser
    
  • I can access the ssh binary (ExecStart=/usr/bin/which ssh):

    which[727067]: /usr/bin/ssh
    
  • I can access my user's .ssh directory (not posting that log, for obvious reasons).

  • According to this SO post, SELinux can block non-standard ports. I only allow the standard port (does rsync use other ports?), but this should be fine since the basic test case does not use any other port:

    # semanage port -l | grep ssh
    ssh_port_t                     tcp      22
    

Question

Despite using the standard port and having full permissions on the files involved, what could cause SELinux to block SSH attempts only when they come from systemd?

Edit 1

Checking the denial messages explicitly:

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR
...
type=AVC msg=audit(1743626691.891:17160): avc:  denied  { execute } for  pid=728337 comm="(ssh)" name="ssh" dev="dm-0" ino=3077371 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
# journalctl -t setroubleshoot
-- No entries --
# dmesg | grep -i -e type=1300 -e type=1400
#

I admit my SELinux is not great and I am not quite sure what to do. I went through the documentation, but sometimes... documentation... is really... verbose.

ssh
  • 1 answer
  • 29 Views
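The AVC record in Edit 1 already carries everything needed to read the denial; the helpers below, added here and not part of the question or its answer, pull those fields out with POSIX sed/awk so the record can be summarised without guessing. Read against the sample: the process that attempted the exec is in source type init_t (the service never transitioned out of systemd's own domain), the target is a file labelled ssh_exec_t, the denied permission is execute, and permissive=0 means the denial was enforced rather than merely logged. The sample input is the exact line printed by ausearch in the question.

```shell
#!/bin/sh
# Added example, not from the original post: pull the decision-relevant fields out
# of an AVC record like the one above. Only POSIX sed/cut are used; the input line
# is the one printed by ausearch in the question.

# avc_field LINE NAME: value of NAME=... (quoted or unquoted) in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permission LINE: the permission set inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# avc_type CONTEXT: the type (third colon-separated component) of an SELinux context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "<source type> -> <target type> <class> { <perms> } (<mode>)".
avc_summary() {
    s=$(avc_type "$(avc_field "$1" scontext)")
    t=$(avc_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_permission "$1")
    if [ "$(avc_field "$1" permissive)" = "1" ]; then m=permissive; else m=enforced; fi
    printf '%s -> %s %s { %s } (%s)\n' "$s" "$t" "$c" "$p" "$m"
}

# The record from the question, reproduced as the sample input.
SAMPLE_AVC='type=AVC msg=audit(1743626691.891:17160): avc:  denied  { execute } for  pid=728337 comm="(ssh)" name="ssh" dev="dm-0" ino=3077371 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "--demo" ]; then avc_summary "$SAMPLE_AVC"; fi
```

`sh avc.sh --demo` prints `init_t -> ssh_exec_t file { execute } (enforced)`; piping `ausearch -m AVC` output through `avc_summary` one line at a time gives the same one-line reading for every denial on a host.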
barak
Asked: 2025-03-30 01:46:00 +0800 CST

Cannot SSH into a DE1-SoC even though I seem to have satisfied all the dependencies

  • 5

I am following Altera's guide to running Linux on the DE1-SoC board, specifically section 5.3 - Installing drivers.

The instructions in the guide are for a Windows host, whereas I am using a Linux host (I do not currently have any Windows host available for permanent use). I followed the instructions but cannot ssh into the device, and I have done my best to troubleshoot.

$ uname -r
5.15.0-124-generic

To establish a baseline at host boot, before connecting the board over USB:

$ ls -al /lib/modules/"$(uname -r)"/kernel/drivers/usb/serial/usbserial.ko
-rw-r--r-- 1 root root 116161 Sep 27  2024 /lib/modules/5.15.0-124-generic/kernel/drivers/usb/serial/usbserial.ko
$ ls -al /lib/modules/"$(uname -r)"/kernel/drivers/usb/serial/cp210x.ko
-rw-r--r-- 1 root root 79865 Sep 27  2024 /lib/modules/5.15.0-124-generic/kernel/drivers/usb/serial/cp210x.ko

$ lsmod | grep cp210x
$ sudo modprobe usbserial
$ sudo modprobe cp210x
$ lsmod | grep cp210x
cp210x                 40960  0
usbserial              57344  1 cp210x

This means I have successfully loaded the drivers.

$ dmesg | grep -i usb
...
[   30.186227] usb 2-3: current rate 16000 is different from the runtime rate 48000
[  124.301044] usbcore: registered new interface driver usbserial_generic
[  124.301067] usbserial: USB Serial support registered for generic
[  128.825043] usbcore: registered new interface driver cp210x
[  128.825069] usbserial: USB Serial support registered for cp210x

Corresponding to the module loads above.

$ dmesg | grep -i tty
[    0.006788] ACPI: SSDT 0x0000000074487000 002357 (v02 ALASKA TbtTypeC 00000000 INTL 20200717)
[    0.117362] printk: console [tty0] enabled
[    0.401844] 00:01: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
$ lsusb
...
$ ls /dev/tty*
...

$ lsusb brings up a bunch of devices and $ ls /dev/tty* lists a bunch of terminals. Of course, the board does not show up, because it is disconnected while I establish the baseline.

I now connect the board and power it on.

$ dmesg | grep -i usb
...
[  128.825069] usbserial: USB Serial support registered for cp210x
[  244.712211] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  244.860515] usb 1-1: New USB device found, idVendor=09fb, idProduct=6810, bcdDevice= 0.01
[  244.860527] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0

idVendor and idProduct are correctly recognized.

$ dmesg | grep -i tty
[    0.006788] ACPI: SSDT 0x0000000074487000 002357 (v02 ALASKA TbtTypeC 00000000 INTL 20200717)
[    0.117362] printk: console [tty0] enabled
[    0.401844] 00:01: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A

Nothing has changed.

$ lsusb
...
Bus 001 Device 005: ID 09fb:6810 Altera

This line has been added.

$ ls /dev/tty* shows exactly the same list - nothing has changed.

As stated above, I am out of ideas. I would appreciate any help so that I can ssh into the board and start communicating between the ARM core and the FPGA.

ssh
  • 1 answer
  • 59 Views
James78
Asked: 2025-02-15 00:10:27 +0800 CST

Host key verification failed ssh scp; no transfer

  • 5

I know this is a popular topic, but I cannot find a solution that fits my problem. On my PC I use scp and ssh with OpenWrt firmware; usually I use Debian or Linux Mint without any problem, but I did a fresh install and now there is a problem with my firmware configuration backup. This is the method I have used for 2 years without any problem.

#  openwrt_backup
# Create tar_main
ssh [email protected] sysupgrade -b /tmp/backup-main-$(date +%F).tar.gz

# Copy to local dir
scp -O [email protected]:/tmp/backup-*.tar.gz james@ninja:/run/media/james/E/openWrt_backup/

The problem now is that after executing the second command, to transfer the backup to my local PC, nothing happens:

james@ninja:~> scp -O [email protected]:/tmp/backup-*.tar.gz james@ninja:/run/media/james/E/openWrt_backup/
james@ninja:~>      # empty answer??

Any ideas? Thanks

ssh
  • 1 answer
  • 25 Views
nikita_trifan
Asked: 2025-01-22 00:58:55 +0800 CST

When I try to back up a remote server with rsnapshot it fails with error code 255

  • 6

Every time I try to run sudo rsnapshot -v alpha I get this kind of error (there is an error for every backup entry I have):

    ERROR: /usr/bin/rsync returned 255 while processing [email protected]:/etc/
    /usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded \
        --rsh=/usr/bin/ssh -i /home/user/ssh/id_ed25519 \
        [email protected]:/usr/share/ \
        /var/cache/rsnapshot/alpha.0/server_backup/
  1. Yes, rsync is installed on both the server and this machine
  2. Yes, if I try to manually copy some files from the remote using these root credentials, rsync works fine
  3. One thing might be it. When I try to run the errored-out command, it asks for quotes around the rsh argument. Otherwise it throws a syntax error. But I am not sure how to force rsnapshot to do this. If I run the errored-out command with quotes around the rsh key, it also errors out with code 255.
  4. The firewall is not blocking ssh.
  5. The server only allows public key authentication
  6. I host my ubuntu server on Vultr

Here is my rsnapshot.conf file


    #################################################
    # rsnapshot.conf - rsnapshot configuration file #
    #################################################
    #                                               #
    # PLEASE BE AWARE OF THE FOLLOWING RULE:        #
    #                                               #
    # This file requires tabs between elements      #
    #                                               #
    #################################################

    #######################
    # CONFIG FILE VERSION #
    #######################

    config_version  1.2

    ###########################
    # SNAPSHOT ROOT DIRECTORY #
    ###########################

    # All snapshots will be stored under this root directory.
    #
    snapshot_root   /var/cache/rsnapshot/

    # If no_create_root is enabled, rsnapshot will not automatically create the
    # snapshot_root directory. This is particularly useful if you are backing
    # up to removable media, such as a FireWire or USB drive.
    #
    #no_create_root 1

    #################################
    # EXTERNAL PROGRAM DEPENDENCIES #
    #################################

    # LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra features.
    # EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
    #
    # See the README file or the man page for more details.
    #
    cmd_cp      /bin/cp

    # uncomment this to use the rm program instead of the built-in perl routine.
    #
    cmd_rm      /bin/rm

    # rsync must be enabled for anything to work. This is the only command that
    # must be enabled.
    #
    cmd_rsync   /usr/bin/rsync

    # Uncomment this to enable remote ssh backups over rsync.
    #
    cmd_ssh /usr/bin/ssh

    # Comment this out to disable syslog support.
    #
    cmd_logger  /usr/bin/logger

    # Uncomment this to specify the path to "du" for disk usage checks.
    # If you have an older version of "du", you may also want to check the
    # "du_args" parameter below.
    #
    #cmd_du     /usr/bin/du

    # Uncomment this to specify the path to rsnapshot-diff.
    #
    #cmd_rsnapshot_diff /usr/bin/rsnapshot-diff

    # Specify the path to a script (and any optional arguments) to run right
    # before rsnapshot syncs files
    #
    #cmd_preexec    /path/to/preexec/script

    # Specify the path to a script (and any optional arguments) to run right
    # after rsnapshot syncs files
    #
    #cmd_postexec   /path/to/postexec/script

    # Paths to lvcreate, lvremove, mount and umount commands, for use with
    # Linux LVMs.
    #
    #linux_lvm_cmd_lvcreate /sbin/lvcreate
    #linux_lvm_cmd_lvremove /sbin/lvremove
    #linux_lvm_cmd_mount    /bin/mount
    #linux_lvm_cmd_umount   /bin/umount

    #########################################
    #     BACKUP LEVELS / INTERVALS         #
    # Must be unique and in ascending order #
    # e.g. alpha, beta, gamma, etc.         #
    #########################################

    retain  alpha   6
    retain  beta    7
    retain  gamma   4
    #retain delta   3

    ############################################
    #              GLOBAL OPTIONS              #
    # All are optional, with sensible defaults #
    ############################################

    # Verbose level, 1 through 5.
    # 1     Quiet           Print fatal errors only
    # 2     Default         Print errors and warnings only
    # 3     Verbose         Show equivalent shell commands being executed
    # 4     Extra Verbose   Show extra verbose information
    # 5     Debug mode      Everything
    #
    verbose     2

    # Same as "verbose" above, but controls the amount of data sent to the
    # logfile, if one is being used. The default is 3.
    # If you want the rsync output, you have to set it to 4
    #
    loglevel    3

    # If you enable this, data will be written to the file you specify. The
    # amount of data written is controlled by the "loglevel" parameter.
    #
    logfile /var/log/rsnapshot.log

    # If enabled, rsnapshot will write a lockfile to prevent two instances
    # from running simultaneously (and messing up the snapshot_root).
    # If you enable this, make sure the lockfile directory is not world
    # writable. Otherwise anyone can prevent the program from running.
    #
    lockfile    /var/run/rsnapshot.pid

    # By default, rsnapshot check lockfile, check if PID is running
    # and if not, consider lockfile as stale, then start
    # Enabling this stop rsnapshot if PID in lockfile is not running
    #
    #stop_on_stale_lockfile     0

    # Default rsync args. All rsync commands have at least these options set.
    #
    #rsync_short_args   -a
    #rsync_long_args    --delete --numeric-ids --relative --delete-excluded

    # ssh has no args passed by default, but you can specify some here.
    #
    ssh_args    -i /home/user/ssh/id_ed25519

    # Default arguments for the "du" program (for disk space reporting).
    # The GNU version of "du" is preferred. See the man page for more details.
    # If your version of "du" doesn't support the -h flag, try -k flag instead.
    #
    #du_args    -csh

    # If this is enabled, rsync won't span filesystem partitions within a
    # backup point. This essentially passes the -x option to rsync.
    # The default is 0 (off).
    #
    #one_fs     0

    # The include and exclude parameters, if enabled, simply get passed directly
    # to rsync. If you have multiple include/exclude patterns, put each one on a
    # separate line. Please look up the --include and --exclude options in the
    # rsync man page for more details on how to specify file name patterns.
    #
    #include    ???
    #include    ???
    #exclude    ???
    #exclude    ???

    # The include_file and exclude_file parameters, if enabled, simply get
    # passed directly to rsync. Please look up the --include-from and
    # --exclude-from options in the rsync man page for more details.
    #
    #include_file   /path/to/include/file
    #exclude_file   /path/to/exclude/file

    # If your version of rsync supports --link-dest, consider enabling this.
    # This is the best way to support special files (FIFOs, etc) cross-platform.
    # The default is 0 (off).
    #
    #link_dest  0

    # When sync_first is enabled, it changes the default behaviour of rsnapshot.
    # Normally, when rsnapshot is called with its lowest interval
    # (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
    # intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
    # and all interval calls simply rotate files. See the man page for more
    # details. The default is 0 (off).
    #
    #sync_first 0

    # If enabled, rsnapshot will move the oldest directory for each interval
    # to [interval_name].delete, then it will remove the lockfile and delete
    # that directory just before it exits. The default is 0 (off).
    #
    #use_lazy_deletes   0

    # Number of rsync re-tries. If you experience any network problems or
    # network card issues that tend to cause ssh to fail with errors like
    # "Corrupted MAC on input", for example, set this to a non-zero value
    # to have the rsync operation re-tried.
    #
    #rsync_numtries 0

    # LVM parameters. Used to backup with creating lvm snapshot before backup
    # and removing it after. This should ensure consistency of data in some special
    # cases
    #
    # LVM snapshot(s) size (lvcreate --size option).
    #
    #linux_lvm_snapshotsize 100M

    # Name to be used when creating the LVM logical volume snapshot(s).
    #
    #linux_lvm_snapshotname rsnapshot

    # Path to the LVM Volume Groups.
    #
    #linux_lvm_vgpath   /dev

    # Mount point to use to temporarily mount the snapshot(s).
    #
    #linux_lvm_mountpath    /path/to/mount/lvm/snapshot/during/backup

    ###############################
    ### BACKUP POINTS / SCRIPTS ###
    ###############################

    # REMOTE SERVER
    backup  [email protected]:/home/ server_backup/
    backup  [email protected]:/etc/  server_backup/

    #backup_script  /usr/local/bin/backup_pgsql.sh  localhost/postgres/
    # You must set linux_lvm_* parameters below before using lvm snapshots
    #backup lvm://vg0/xen-home/ lvm-vg0/xen-home/

    # EXAMPLE.COM
    #backup_exec    /bin/date "+ backup of example.com started at %c"
    #backup [email protected]:/home/ example.com/    +rsync_long_args=--bwlimit=16,exclude=core
    #backup [email protected]:/etc/  example.com/    exclude=mtab,exclude=core
    #backup_exec    ssh [email protected] "mysqldump -A > /var/db/dump/mysql.sql"
    #backup [email protected]:/var/db/dump/  example.com/
    #backup_exec    /bin/date "+ backup of example.com ended at %c"

    # CVS.SOURCEFORGE.NET
    #backup_script  /usr/local/bin/backup_rsnapshot_cvsroot.sh  rsnapshot.cvs.sourceforge.net/

    # RSYNC.SAMBA.ORG
    #backup rsync://rsync.samba.org/r   syncftp/    rsync.samba.org/rsyncftp/


My sshd log looks like this:

2025-01-21T16:47:06.445342+00:00 server sshd[2069]: Connection from 99.11.11.11 port 57908 on 151.131.222.222 port 22 rdomain ""
2025-01-21T16:47:06.445890+00:00 server sshd[2069]: debug1: Local version string SSH-2.0-OpenSSH_9.7p1 Ubuntu-7ubuntu4
2025-01-21T16:47:06.446150+00:00 server sshd[2069]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
2025-01-21T16:47:06.446387+00:00 server sshd[2069]: debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 pat OpenSSH* compat 0x04000000
2025-01-21T16:47:06.448025+00:00 server sshd[2069]: debug1: permanently_set_uid: 109/65534 [preauth]
2025-01-21T16:47:06.448401+00:00 server sshd[2069]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2025-01-21T16:47:06.448865+00:00 server sshd[2069]: debug1: SSH2_MSG_KEXINIT sent [preauth]
2025-01-21T16:47:06.473088+00:00 server sshd[2069]: debug1: SSH2_MSG_KEXINIT received [preauth]
2025-01-21T16:47:06.473305+00:00 server sshd[2069]: debug1: kex: algorithm: curve25519-sha256 [preauth]
2025-01-21T16:47:06.473602+00:00 server sshd[2069]: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
2025-01-21T16:47:06.473829+00:00 server sshd[2069]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
2025-01-21T16:47:06.474193+00:00 server sshd[2069]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
2025-01-21T16:47:06.474496+00:00 server sshd[2069]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2025-01-21T16:47:06.502026+00:00 server sshd[2069]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
2025-01-21T16:47:06.509345+00:00 server sshd[2069]: debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
2025-01-21T16:47:06.509768+00:00 server sshd[2069]: debug1: rekey out after 134217728 blocks [preauth]
2025-01-21T16:47:06.510085+00:00 server sshd[2069]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
2025-01-21T16:47:06.510210+00:00 server sshd[2069]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
2025-01-21T16:47:06.510573+00:00 server sshd[2069]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2025-01-21T16:47:06.543286+00:00 server sshd[2069]: debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
2025-01-21T16:47:06.543606+00:00 server sshd[2069]: debug1: SSH2_MSG_NEWKEYS received [preauth]
2025-01-21T16:47:06.543946+00:00 server sshd[2069]: debug1: rekey in after 134217728 blocks [preauth]
2025-01-21T16:47:06.544260+00:00 server sshd[2069]: debug1: KEX done [preauth]
2025-01-21T16:47:06.636933+00:00 server sshd[2069]: debug1: userauth-request for user root service ssh-connection method none [preauth]
2025-01-21T16:47:06.637064+00:00 server sshd[2069]: debug1: attempt 0 failures 0 [preauth]
2025-01-21T16:47:06.638069+00:00 server sshd[2069]: debug1: PAM: initializing for "root"
2025-01-21T16:47:06.641531+00:00 server sshd[2069]: debug1: PAM: setting PAM_RHOST to "99.11.11.11"
2025-01-21T16:47:06.642045+00:00 server sshd[2069]: debug1: PAM: setting PAM_TTY to "ssh"
2025-01-21T16:47:06.664190+00:00 server sshd[2069]: Connection closed by authenticating user root 99.11.11.11 port 57908 [preauth]
2025-01-21T16:47:06.665162+00:00 server sshd[2069]: debug1: do_cleanup [preauth]
2025-01-21T16:47:06.666011+00:00 server sshd[2069]: debug1: monitor_read_log: child log fd closed
2025-01-21T16:47:06.666354+00:00 server sshd[2069]: debug1: do_cleanup
2025-01-21T16:47:06.666609+00:00 server sshd[2069]: debug1: PAM: cleanup
2025-01-21T16:47:06.667644+00:00 server sshd[2069]: debug1: Killing privsep child 2070
2025-01-21T16:47:06.668031+00:00 server sshd[2069]: debug1: audit_event: unhandled event 12

My iptables rules are as follows:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
ACCEPT     udp  --  anywhere             239.200.200.200      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* 'dapp_OpenSSH' */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             dns.google           udp dpt:domain
ACCEPT     tcp  --  anywhere             dns.google           tcp dpt:domain

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination

My sshd_config file:

PermitRootLogin yes


# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Include /etc/ssh/sshd_config.d/*.conf

# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
#   systemctl daemon-reload
#   systemctl restart ssh.socket
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp  /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

Thank you for your attention; I hope someone can help me solve this problem. I have spent a whole day on it.

If you think there is another tool I could use for the backups, please let me know. I am new to system administration, so any help is much appreciated!

ssh
  • 1 answer
  • 24 Views
Martin Hope
P. Jerome
Asked: 2025-01-20 19:29:55 +0800 CST

crontab for remote backups

  • 5

I am trying to back up my project, my database and my nginx environment. To do this, I make the backup on the main server and put it in /home/backup/. Everything works fine on the main server.

Then, from my second server, I create a cron job to fetch that file via SCP.

Here is my command:

0 13  * * * sudo sshpass -p MyPassword sudo scp -P 40511 -r [email protected]:/home/backup /home

I use port 40511 for SSH. The command works when launched manually, but not from cron.

MyPassword contains "!". I have tried it with and without double quotes.

What am I doing wrong?

ssh
  • 1 answer
  • 28 Views
Martin Hope
symcbean
Asked: 2025-01-16 00:58:07 +0800 CST

ssh agent forwarding - what is happening under the hood?

  • 5

When I ask Google how ssh agent forwarding works, it gives me a pile of SEO-optimised junk links explaining how to configure ssh-agent. That is not what I asked.

I currently have a problem where jobs started in a screen session at the far end of a VPN connection fail because they can no longer connect over ssh after the VPN has dropped.

Normally these jobs rely on agent forwarding from the originating client to make their connections. I have a suspicion about what is going wrong here, but a better understanding of the whole agent-forwarding mechanism would help.

When I connect from host0 to hosta, the ssh-agent on host0 supplies my private key to the ssh client on host0. On hosta I see SSH_AUTH_SOCK populated, referencing a local socket. If I ssh to hostb from hosta, the ssh client somehow connects to the ssh-agent on host0, presumably using a side channel within the host0-hosta ssh connection.

What happens to $SSH_AUTH_SOCK on hosta?

(fuser $SSH_AUTH_SOCK shows that nothing has it open)

As for my screen session: if the ssh session that started the screen session has ended, and I start a new ssh session from host0 to hosta, will key requests from the screen session be sent over the new connection?

ssh
  • 2 answers
  • 48 Views
