A site has two S12510F switches acting as SSH servers. SW01 can be logged in to directly via SSH from a Linux jump host, while SSH login to SW02 fails. When logging in to the two S12510-F switches through the jump host, SW01 prompts for a password and the login succeeds once the password is entered; when logging in to SW02, the connection is closed immediately:
[sdl@CactiEZ ~]$ ssh 201.141.84.29
sdl@201.141.84.29's password:
[sdl@CactiEZ ~]$ ssh 201.141.84.30
Connection closed by 201.141.84.30
[sdl@CactiEZ ~]$
1. Understand the five phases of an SSH connection
Over the course of the communication, the server and client go through the following five phases to establish a secure SSH connection:
* Version negotiation: SSH currently has two versions, SSH1 and SSH2; the two sides negotiate which version to use.
* Key and algorithm negotiation: SSH supports multiple encryption algorithms; based on what each side supports, the two sides negotiate the algorithms that will actually be used.
* Authentication: the SSH client sends an authentication request to the server, and the server authenticates the client.
* Session request: after authentication succeeds, the client sends a session request to the server.
* Interactive session: after the session request is accepted, the server and client exchange data.
In most cases, SSH login failures occur in the first two phases. For a detailed description of each phase, see the "SSH Technology White Paper".
2. Enable debug ssh server all to determine in which phase the SSH connection fails
From the symptom, the connection is closed without any password prompt, so the authentication phase was never reached: the problem must lie in the version negotiation phase or in the key and algorithm negotiation phase. The debug output has to be analyzed to pin it down:
<S12510F>debugging ssh server all
<S12510F>t m
The current terminal is enabled to display logs.
<S12510F>t d
The current terminal is enabled to display debugging logs.
<S12510F>*Nov 17 16:42:18:741 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 94.
*Nov 17 16:42:24:381 2016 S12510F SSHS/7/EVENT: -MDC=1; Start new child 2313830.
*Nov 17 16:42:24:383 2016 S12510F SSHS/7/EVENT: -MDC=1; Connection from 201.138.220.134 port 48820
*Nov 17 16:42:24:385 2016 S12510F SSHS/7/EVENT: -MDC=1; Client protocol version 2.0, client software version OpenSSH_6.9
*Nov 17 16:42:24:385 2016 S12510F SSHS/7/EVENT: -MDC=1; Enabling compatibility mode for protocol 2.0
*Nov 17 16:42:24:386 2016 S12510F SSHS/7/EVENT: -MDC=1; Local version string SSH-1.99-Comware-7.1.045
*Nov 17 16:42:24:389 2016 S12510F SSHS/7/EVENT: -MDC=1; Hostkey string is : ecdsa-sha2-nistp256,ssh-dss,ssh-rsa
*Nov 17 16:42:24:390 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Prepare packet[20].
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 20.
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/EVENT: -MDC=1; Received SSH2_MSG_KEXINIT.
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/EVENT: -MDC=1; My proposal kex:
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(0): diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(1): ecdsa-sha2-nistp256,ssh-dss,ssh-rsa
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(2): aes128-cbc,aes256-cbc,3des-cbc,des-cbc
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(3): aes128-cbc,aes256-cbc,3des-cbc,des-cbc
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(4): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(5): hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(6): none,zlib,zlib@openssh.com
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(7): none,zlib,zlib@openssh.com
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(8):
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(9):
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Peer proposal kex:
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(0): curve25519-sha256@***.***,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(1): ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(2): chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
*Nov 17 16:42:24:392 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(3): chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(4): umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(5): umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(6): none,zlib@openssh.com,zlib
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(7): none,zlib@openssh.com,zlib
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(8):
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex strings(9):
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex: client->server, Encrypt: aes128-cbc, HMAC: hmac-sha1, Compress: none
*Nov 17 16:42:24:393 2016 S12510F SSHS/7/EVENT: -MDC=1; Kex: server->client, Encrypt: aes128-cbc, HMAC: hmac-sha1, Compress: none
*Nov 17 16:42:24:394 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 34.
*Nov 17 16:42:24:394 2016 S12510F SSHS/7/EVENT: -MDC=1; Received SSH2_MSG_KEX_DH_GEX_REQUEST.
*Nov 17 16:42:24:394 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Prepare packet[31].
*Nov 17 16:42:24:451 2016 S12510F SSHS/7/EVENT: -MDC=1; Expecting packet type 32.
*Nov 17 16:42:24:452 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 32.
*Nov 17 16:42:24:500 2016 S12510F SSHS/7/EVENT: -MDC=1; Get EC curve name failed: unsupported EC curve nid 409
*Nov 17 16:42:24:500 2016 S12510F SSHS/7/ERROR: -MDC=1; Failed to put null string to buffer.
The debug output is long, but we only need to pick out the events that mark each phase:
1) Version negotiation is normal: Client protocol version 2.0, client software version OpenSSH_6.9; Enabling compatibility mode for protocol 2.0; Local version string SSH-1.99-Comware-7.1.045
The client version is 2.0 and the server version is 1.99. SSH 1.99 is a special version number: a server announcing it can interoperate both with SSH 2.0 and with SSH 1.5, and the output confirms this with Enabling compatibility mode for protocol 2.0.
2) Algorithm negotiation:
*Nov 17 16:42:24:389 2016 S12510F SSHS/7/EVENT: -MDC=1; Hostkey string is : ecdsa-sha2-nistp256,ssh-dss,ssh-rsa
The algorithms supported on the client side include ecdsa-sha2-nistp256, ssh-dss and ssh-rsa.
*Nov 17 16:42:24:500 2016 S12510F SSHS/7/EVENT: -MDC=1; Get EC curve name failed: unsupported EC curve nid 409
*Nov 17 16:42:24:500 2016 S12510F SSHS/7/ERROR: -MDC=1; Failed to put null string to buffer.
These messages show that the SSH login fails because the configured ECDSA key does not match what SSH supports.
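To make this reading of the debug output repeatable, here is a small parser, added as an example and not part of the original case: it maps the SSH2 message numbers in the "Received packet type" lines to the five phases from section 1 and reports how far the connection got before the errors. The debug excerpt is copied from the output above and abridged; the message-number ranges per phase are this example's reading of RFC 4250 and are an assumption, not something the device documents.

```python
import re
# Constructed, abridged excerpt of the "debugging ssh server all" output from the case above;
# the first line belongs to an earlier session and must not be counted for the new one.
DEBUG_LINES = """\
*Nov 17 16:42:18:741 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 94.
*Nov 17 16:42:24:383 2016 S12510F SSHS/7/EVENT: -MDC=1; Connection from 201.138.220.134 port 48820
*Nov 17 16:42:24:385 2016 S12510F SSHS/7/EVENT: -MDC=1; Client protocol version 2.0, client software version OpenSSH_6.9
*Nov 17 16:42:24:391 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 20.
*Nov 17 16:42:24:394 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 34.
*Nov 17 16:42:24:452 2016 S12510F SSHS/7/MESSAGE: -MDC=1; Received packet type 32.
*Nov 17 16:42:24:500 2016 S12510F SSHS/7/EVENT: -MDC=1; Get EC curve name failed: unsupported EC curve nid 409
*Nov 17 16:42:24:500 2016 S12510F SSHS/7/ERROR: -MDC=1; Failed to put null string to buffer.
""".splitlines()

PHASES = ["version negotiation", "key and algorithm negotiation",   # the five phases from
          "authentication", "session request", "interactive session"]  # section 1, in order

def phase_of_packet(msg_type):
    """Map an SSH2 message number (RFC 4250 ranges, assumed here) to a phase, or None."""
    if 20 <= msg_type <= 49:                        # KEXINIT, NEWKEYS, KEX_DH_* / KEX_DH_GEX_*
        return PHASES[1]
    if msg_type in (5, 6) or 50 <= msg_type <= 79:  # SERVICE_REQUEST/ACCEPT, USERAUTH_*
        return PHASES[2]
    if msg_type in (90, 91, 98, 99):                # CHANNEL_OPEN/CONFIRMATION, CHANNEL_REQUEST/SUCCESS
        return PHASES[3]
    if 80 <= msg_type <= 127:                       # CHANNEL_DATA and the rest of the connection layer
        return PHASES[4]
    return None                                     # 1-4: DISCONNECT, IGNORE, UNIMPLEMENTED, DEBUG

def triage(lines):
    """Furthest phase reached, last packet type and error lines for the latest connection."""
    reached, last_type, errors = -1, None, []
    for line in lines:
        msg = line.split("-MDC=1; ", 1)[-1]
        if msg.startswith("Connection from"):        # new child process: count afresh
            reached, last_type, errors = -1, None, []
        elif msg.startswith("Client protocol version"):
            reached = max(reached, 0)                # version exchange happened
        elif msg.startswith("Received packet type"):
            last_type = int(re.search(r"\d+", msg).group())
            phase = phase_of_packet(last_type)
            reached = max(reached, PHASES.index(phase)) if phase else reached
        if "/ERROR:" in line or "failed" in msg.lower():
            errors.append(msg)
    return {"furthest_phase": PHASES[reached] if reached >= 0 else None,
            "last_packet_type": last_type, "errors": errors}

if __name__ == "__main__":
    r = triage(DEBUG_LINES)
    print(f"stuck in: {r['furthest_phase']} after packet type {r['last_packet_type']}; errors: {r['errors']}")
```

For this case the parser stops at "key and algorithm negotiation" after packet type 32 (SSH2_MSG_KEX_DH_GEX_INIT), i.e. the server fails while building its key exchange reply, which is the point where it has to encode its host key.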
The official configuration guide says the following:
When generating a local DSA, ECDSA or RSA key pair on the server, note that:
* SSH supports only local DSA, ECDSA or RSA key pairs with the default name; local key pairs with a specified name are not supported. For the key pair generation commands, see "Public Key Management" in the "Security Command Reference".
* When generating a DSA key pair, the key modulus length entered must be less than 2048 bits.
* The SSH server supports only secp256r1 ECDSA key pairs.
The SSH server supports only secp256r1 ECDSA key pairs, but when the device generated its local ECDSA key pair, the key length was 192 bits.
Supplement:
The SSH algorithm negotiation procedure is as follows:
* The client and the server each send the other the list of algorithms they support.
* The two sides negotiate each kind of algorithm (key exchange algorithm, encryption algorithm, and so on) in turn. For each kind, the procedure is: take the first algorithm from the client's list and look it up in the server's list; if the same algorithm is found, that algorithm is negotiated successfully; otherwise take the next algorithm from the client's list and look it up in the server's list, until a match is found. If none of the client's algorithms matches, negotiation of that kind of algorithm fails.
* Once one kind of algorithm has been negotiated, the other kinds are negotiated the same way until all of them succeed. If negotiation of any kind of algorithm fails, the algorithm negotiation between client and server fails and the server disconnects the client.
A secp256r1 (256-bit) ECDSA key pair can be generated with the following command: public-key local create ecdsa secp256r1
or
destroy the ECDSA key pair so that the ECDSA algorithm is not used: public-key local destroy ecdsa
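The negotiation procedure described in the Supplement, run over the two KEXINIT proposals from this case's debug output, as an added example that is not part of the case or of Comware. The client lists are abridged to the entries that decide the outcome, and the curve-size table used to check the host key is an assumption of the example.

```python
# Added example, not from the case or Comware: the client-preference negotiation from the
# Supplement, run over the two KEXINIT proposals in this case's debug output (client lists abridged).
SERVER = {  # "My proposal kex" of the S12510F
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-dss", "ssh-rsa"],
    "cipher": ["aes128-cbc", "aes256-cbc", "3des-cbc", "des-cbc"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "compression": ["none", "zlib", "zlib@openssh.com"],
}
CLIENT = {  # "Peer proposal kex" of OpenSSH_6.9, in the client's preference order
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256-cert-v01@openssh.com", "ssh-ed25519-cert-v01@openssh.com",
                "ssh-rsa-cert-v01@openssh.com", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                "ecdsa-sha2-nistp521", "ssh-ed25519", "ssh-rsa", "ssh-dss"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "arcfour256", "arcfour128",
               "aes128-cbc", "3des-cbc", "aes256-cbc"],
    "mac": ["umac-64-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha1-etm@openssh.com",
            "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
    "compression": ["none", "zlib@openssh.com", "zlib"],
}
# Assumption of this example: an ECDSA host key algorithm names its curve, so the local key pair must have that size.
ECDSA_CURVE_BITS = {"ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384, "ecdsa-sha2-nistp521": 521}

def negotiate(client, server):
    """For each list, pick the first client algorithm the server also offers (RFC 4253 7.1).
    Raises ValueError at the first list with no match, which is where the server disconnects."""
    chosen = {}
    for name in ("kex", "hostkey", "cipher", "mac", "compression"):
        match = next((alg for alg in client[name] if alg in server[name]), None)
        if match is None:
            raise ValueError(f"no common {name} algorithm, server disconnects")
        chosen[name] = match
    return chosen

def hostkey_usable(hostkey_alg, local_key_bits):
    """False when an ECDSA algorithm was negotiated but the local key is on a different curve."""
    need = ECDSA_CURVE_BITS.get(hostkey_alg)
    return need is None or need == local_key_bits

if __name__ == "__main__":
    chosen = negotiate(CLIENT, SERVER)      # same picks as the "Kex: client->server" debug line
    print(chosen)
    print("192-bit local ECDSA key usable:", hostkey_usable(chosen["hostkey"], 192))  # False
    # Second fix from the text: destroy the ECDSA key pair, so it is no longer offered.
    print("host key without ECDSA:", negotiate(CLIENT, dict(SERVER, hostkey=["ssh-dss", "ssh-rsa"]))["hostkey"])
```

The run reproduces the picks in the debug output (diffie-hellman-group-exchange-sha1, aes128-cbc, hmac-sha1, none) and shows that ecdsa-sha2-nistp256 is the negotiated host key algorithm while the device's local key is 192 bits, which is exactly where the server then fails. With the ECDSA key pair destroyed, the client's next acceptable algorithm, ssh-rsa, is chosen instead.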