Fedora: SSH connection refused

2

I am trying to connect my Ubuntu host to a Fedora laptop via ssh so I can share files over Ethernet. I have the OpenSSH server started on Fedora (via service sshd start) and have already run the command iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT to allow incoming ssh connections. In addition, the IPv4 address on the server is set with ifconfig enp2s0f0 192.168.10.10 netmask 255.255.255.0 up. But whenever I type ssh -A -Y 192.168.10.10 or ssh -4 192.168.10.10, I always get an error message saying "ssh: connect to host 192.168.10.10 port 22: Connection refused", even after disabling the firewall with service iptables stop.

iptables -n -L -v output on Fedora shows:

Chain INPUT (policy ACCEPT 11652 packets, 2859K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11759 packets, 1665K bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -n -L -v output on Ubuntu shows:

Chain INPUT (policy ACCEPT 210K packets, 16M bytes)
 pkts bytes target     prot opt source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt source               destination

Chain OUTPUT (policy ACCEPT 209K packets, 15M bytes)
 pkts bytes target     prot opt source               destination

service sshd status gives me:

Redirecting to /bin/systemctl status  sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2016-09-26 23:54:59 CET; 2min 49s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 9465 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 9474 (sshd)
   CGroup: /system.slice/sshd.service
           └─9474 /usr/sbin/sshd

Sep 26 23:54:59 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
Sep 26 23:54:59 localhost.localdomain systemd[1]: sshd.service: PID file /var/run/sshd.pid not readable (yet?) after start: No such file or directory
Sep 26 23:54:59 localhost.localdomain sshd[9474]: Server listening on 0.0.0.0 port 22.
Sep 26 23:54:59 localhost.localdomain sshd[9474]: Server listening on :: port 22.
Sep 26 23:54:59 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Hint: Some lines were ellipsized, use -l to show in full.

the output of ss --tcp --listening -n -p is:

State      Recv-Q Send-Q                              Local Address:Port                                             Peer Address:Port              
LISTEN     0      5                                   192.168.122.1:53                                                          *:*                   users:(("dnsmasq",pid=1260,fd=6))
LISTEN     0      128                                             *:22                                                          *:*                   users:(("sshd",pid=9474,fd=3))
LISTEN     0      5                                       127.0.0.1:631                                                         *:*                   users:(("cupsd",pid=2021,fd=12))
LISTEN     0      128                                            :::22                                                         :::*                   users:(("sshd",pid=9474,fd=4))
LISTEN     0      5                                             ::1:631                                                        :::*                   users:(("cupsd",pid=2021,fd=11))
LISTEN     0      2                                ::ffff:127.0.0.1:33311                                                      :::*                   users:(("java",pid=3312,fd=16))

the output of the command ps -ef|grep sshd shows:

root      9474     1  0 Sep26 ?        00:00:00 /usr/sbin/sshd
root      9891  2624  0 00:11 pts/0    00:00:00 grep --color=auto sshd

this is the content of /etc/ssh/ssh_config:

#   $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

The logs generated (Fedora machine) after starting sshd are:

Sep 26 21:56:16 localhost.localdomain polkitd[987]: Registered Authentication Agent for unix-process:5657:2312980 (system bus name :1.112 [/usr/bin/pk
Sep 26 21:56:16 localhost.localdomain systemd[1]: Started OpenSSH Server Key Generation.
Sep 26 21:56:16 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
Sep 26 21:56:16 localhost.localdomain sshd[5706]: Server listening on 0.0.0.0 port 22.
Sep 26 21:56:16 localhost.localdomain sshd[5706]: Server listening on :: port 22.
Sep 26 21:56:16 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Sep 26 21:56:16 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ss
Sep 26 21:56:17 localhost.localdomain polkitd[987]: Unregistered Authentication Agent for unix-process:5657:2312980 (system bus name :1.112, object pa
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <warn>  (enp2s0f0): DHCPv4 request timed out.
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): DHCPv4 state changed unknown -> timeout
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): canceled DHCP transaction, DHCP client pid 5645
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): DHCPv4 state changed timeout -> done
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): device state change: ip-config -> failed (reason 'ip-config-unavailabl
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  NetworkManager state is now CONNECTED_LOCAL
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <warn>  (enp2s0f0): Activation: failed for connection 'Profile 1'
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): device state change: failed -> disconnected (reason 'none') [120 30 0]
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): device state change: failed -> disconnected (reason 'none') [120 30 0]
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  connectivity: check for uri 'http://fedoraproject.org/static/hotspot.txt' failed w
Sep 26 21:56:29 localhost.localdomain avahi-daemon[893]: Withdrawing address record for fe80::2289:84ff:fe77:4b2a on enp2s0f0.
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  Auto-activating connection 'Profile 1'.
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): Activation: starting connection 'Profile 1' (565f53a4-6355-4307-86f1-2
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  NetworkManager state is now CONNECTING
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): device state change: prepare -> config (reason 'none') [40 50 0]
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  (enp2s0f0): device state change: config -> ip-config (reason 'none') [50 70 0]
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  Activation (enp2s0f0) Beginning DHCPv4 transaction (timeout in 45 seconds)
Sep 26 21:56:29 localhost.localdomain NetworkManager[1002]: <info>  dhclient started with pid 5924
Sep 26 21:56:29 localhost.localdomain dhclient[5924]: DHCPREQUEST on enp2s0f0 to 255.255.255.255 port 67 (xid=0x9b66907b)
Sep 26 21:56:31 localhost.localdomain avahi-daemon[893]: Registering new address record for fe80::2289:84ff:fe77:4b2a on enp2s0f0.*.

ps -ef | grep sshd on Fedora gives the following output:

root      3471     1  0 17:46 ?        00:00:00 /usr/sbin/sshd
root      4164  3105  0 17:59 pts/0    00:00:00 grep --color=auto sshd

running ip a on the server gives the following output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 20:89:84:77:4b:2a brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 scope global enp2s0f0
       valid_lft forever preferred_lft forever
    inet6 fe80::2289:84ff:fe77:4b2a/64 scope link 
       valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:85:56:70:1b:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.103/24 brd 192.168.1.255 scope global dynamic wlp3s0
       valid_lft 84531sec preferred_lft 84531sec
    inet6 fe80::be85:56ff:fe70:1b57/64 scope link 
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:73:5a:6c brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:73:5a:6c brd ff:ff:ff:ff:ff:ff

running route -n on the server gives the following output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 enp2s0f0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

running sudo route -n on the Ubuntu client machine gives the following output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 enp14s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp14s0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp14s0

ip a on the client machine:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp14s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 70:5a:b6:bf:fc:e6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 brd 192.168.10.255 scope global enp14s0
       valid_lft forever preferred_lft forever
    inet6 fe80::ff27:c6bb:9a72:6d2/64 scope link 
       valid_lft forever preferred_lft forever
3: wlp20s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 70:f1:a1:69:c4:24 brd ff:ff:ff:ff:ff:ff

ip r on the client machine:

default via 192.168.10.1 dev enp14s0  proto static  metric 100 
169.254.0.0/16 dev enp14s0  scope link  metric 1000 
192.168.10.0/24 dev enp14s0  proto kernel  scope link  src 192.168.10.10  metric 100 

arping -I enp14s0 192.168.10.10 on the client machine got stuck at:

ARPING 192.168.10.10 from 192.168.10.10 enp14s0

output of sudo tcpdump -n -i any port 22:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
01:09:28.363302 IP 192.168.10.10.58906 > 192.168.10.10.22: Flags [S], seq 506055200, win 43690, options [mss 65495,sackOK,TS val 33913 ecr 0,nop,wscale 7], length 0
01:09:28.363357 IP 192.168.10.10.58906 > 192.168.10.10.22: Flags [R.], seq 0, ack 506055201, win 0, length 0
01:09:28.354895 IP 192.168.10.10.58906 > 192.168.10.10.22: Flags [S], seq 2349767060, win 43690, options [mss 65495,sackOK,TS val 34911 ecr 0,nop,wscale 7], length 0
01:09:28.354948 IP 192.168.10.10.22 > 192.168.10.10.58908: Flags [R.], seq 0, ack 2349767061, win 0, length 0

Does anyone have any idea?

Your help will be much appreciated.

by Kais 26.09.2016 / 00:46

3 answers

3

I am assuming you want to connect to the server's enp2s0f0 interface (all the other interfaces (except loopback) are DOWN).

In the logs you can see that the DHCP requests on that interface are timing out. From the output of ip a, you can see that the interface only has an IPv6 link-local address.

You should either fix DHCP or manually assign an IPv4 address to the interface (ip addr add x.x.x.x/24 dev enp2s0f0). Alternatively, you could use IPv6.

EDIT: More questions:

  • Are the two machines connected directly?
  • Can you tell us more about the client? What do ip a, ip r and iptables-save output on the client?
  • What does iptables-save output on the server? Note that iptables -vnL does not print all rules.
  • Can you ping the server from the client? (e.g. ping 192.168.10.10)
  • Can you arping the server from the client? (e.g. arping -I eth0 192.168.10.10) Do you get a reply? Is the MAC address in the reply correct? (It should be 20:89:84:77:4b:2a.)
  • If you run tcpdump on the server (tcpdump -n -i any port 22) and try ssh-ing, what does tcpdump output?

EDIT 2: Your client and server must have different IP addresses. Make the client 192.168.10.9 and the server 192.168.10.10.

by 15.10.2016 / 01:23
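As an added example (not code from the question or from any of the answers), here is a small Python diagnostic for the checks this answer asks for: it parses the relevant ip a lines from both hosts and a short tcpdump capture, then reports whether the client and server share an address and whether the client is answering its own SYN. The sample inputs are constructed from the values shown in the question (interface names, 192.168.10.10, the SYN/RST pair on port 22); the function names are this example's own.

```python
"""Diagnose an SSH "connection refused" from the data both hosts provide.

Added example, not code from the question or the answers. It parses the
relevant lines of `ip a` on each host and a short tcpdump capture, then
reports whether the client is in fact connecting to itself.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input: the relevant `ip a` lines from the question.
SERVER_IP_A = """\
2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.10.10/24 scope global enp2s0f0
    inet6 fe80::2289:84ff:fe77:4b2a/64 scope link
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
"""
CLIENT_IP_A = """\
2: enp14s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.10.10/24 brd 192.168.10.255 scope global enp14s0
"""
# Constructed sample capture: a SYN to port 22 answered by RST from the same host.
TCPDUMP = """\
01:09:28.363302 IP 192.168.10.10.58906 > 192.168.10.10.22: Flags [S], seq 506055200, win 43690, length 0
01:09:28.363357 IP 192.168.10.10.22 > 192.168.10.10.58906: Flags [R.], seq 0, ack 506055201, win 0, length 0
"""

IFACE_RE = re.compile(r"^\d+: (\S+): <([^>]*)>.*\bstate (\S+)")
INET_RE = re.compile(r"^\s+inet (\d+(?:\.\d+){3}/\d+)")
PKT_RE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]"
)


def parse_ip_addr(text: str) -> Dict[str, dict]:
    """Map interface name -> {"state": link state, "inet": [IPv4Interface, ...]}."""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"state": m.group(3), "inet": []}
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            ifaces[current]["inet"].append(ipaddress.ip_interface(m.group(1)))
    return ifaces


def addresses(ifaces: Dict[str, dict]) -> Dict[str, str]:
    """Map every IPv4 address on a host to the interface carrying it."""
    return {str(i.ip): name for name, info in ifaces.items() for i in info["inet"]}


def find_address_collisions(host_a: Dict[str, dict], host_b: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Addresses configured on both hosts: (address, interface on A, interface on B)."""
    on_a = addresses(host_a)
    return [(ip, on_a[ip], name) for ip, name in addresses(host_b).items() if ip in on_a]


def self_connect_flows(capture: str) -> List[Tuple[str, int, int, str]]:
    """Packets whose source and destination IP are the same: (ip, sport, dport, flags)."""
    flows = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m and m.group(1) == m.group(3):
            flows.append((m.group(1), int(m.group(2)), int(m.group(4)), m.group(5)))
    return flows


def diagnose(server_ip_a: str, client_ip_a: str, capture: str, target: str, port: int = 22) -> List[str]:
    """Findings that explain a 'connection refused' from the client to target:port."""
    server, client = parse_ip_addr(server_ip_a), parse_ip_addr(client_ip_a)
    findings = []
    for ip, s_if, c_if in find_address_collisions(server, client):
        findings.append(f"{ip} is configured on both hosts ({s_if} on server, {c_if} on client)")
    if target in addresses(client):
        findings.append(f"{target} is local to the client, so the ssh connection never leaves it")
    if target not in addresses(server):
        findings.append(f"{target} is not configured on any server interface")
    if any("R" in flags and port in (sport, dport)
           for _, sport, dport, flags in self_connect_flows(capture)):
        findings.append(f"the client answered its own SYN to port {port} with RST: nothing listens there locally")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SERVER_IP_A, CLIENT_IP_A, TCPDUMP, "192.168.10.10"):
        print("-", finding)
```

Run against the question's data it reports the duplicate 192.168.10.10 on enp2s0f0 and enp14s0, that the target address is local to the client, and the local SYN/RST pair, which is exactly the picture in the question's tcpdump output: the client is refusing its own connection because no sshd is running on the Ubuntu side. A real ss listing from the client would confirm the same thing without a capture.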
1

I think your rule is never reached because of the REJECT rule (just before it), which applies to all packets that do not match the preceding rules.

What happens if you use:

iptables -I INPUT 1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

(i.e. insert the rule at the beginning of the table)

Edit: a few more suggestions

  • Check that sshd is really listening:

    ss --tcp --listening -n -p
    
  • Add the -v option when listing iptables (this adds a packet count for each rule, so you can see which one is used)

  • try IPv4 and IPv6 (with the -4 and -6 options to the ssh command)

by 26.09.2016 / 14:27
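To make the ordering point of this answer concrete, here is an added Python example (not the answer's or the question's code) that models an INPUT chain in iptables-save format, reports whether the port-22 ACCEPT rule is reachable before a catch-all REJECT, and simulates -A (append) against -I INPUT 1 (insert first). The chain below is a constructed sample modelled on a stock Fedora ruleset, i.e. the situation this answer assumes; it is not the listing from the question, which shows empty chains.

```python
"""Check whether an iptables ACCEPT rule for sshd is shadowed by a catch-all REJECT.

Added example, not from the answer or the question. It models a chain in
iptables-save format, reports whether the port-22 ACCEPT is reachable, and
simulates `-A` (append) versus `-I INPUT 1` (insert first).
"""
import re
from typing import List, Optional

# Constructed sample: a stock-style Fedora INPUT chain (the rule set the answer
# assumes). The question's rule is then added with apply_rule() below.
BASE_CHAIN = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
SSH_RULE = "iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"

TARGET_RE = re.compile(r"(?:^|\s)-j (\S+)")
DPORT_RE = re.compile(r"(?:^|\s)--dport (\d+)")
PROTO_RE = re.compile(r"(?:^|\s)-p (\S+)")
# Options that narrow a rule; a REJECT/DROP without any of them matches everything left.
SELECTOR_FLAGS = {"-p", "-i", "-o", "-s", "-d", "-m", "--dport", "--sport", "--state"}


def target_of(rule: str) -> Optional[str]:
    m = TARGET_RE.search(rule)
    return m.group(1) if m else None


def is_catch_all(rule: str) -> bool:
    """True for a REJECT/DROP rule with no selectors, i.e. one that ends the chain."""
    return target_of(rule) in {"REJECT", "DROP"} and not any(t in SELECTOR_FLAGS for t in rule.split())


def first_catch_all_index(rules: List[str]) -> Optional[int]:
    return next((i for i, r in enumerate(rules) if is_catch_all(r)), None)


def accept_index(rules: List[str], port: int, proto: str = "tcp") -> Optional[int]:
    """Index of the first ACCEPT rule for proto/port, or None if there is none."""
    for i, rule in enumerate(rules):
        dport = DPORT_RE.search(rule)
        pr = PROTO_RE.search(rule)
        if (target_of(rule) == "ACCEPT" and dport and int(dport.group(1)) == port
                and (pr is None or pr.group(1) == proto)):
            return i
    return None


def port_is_reachable(rules: List[str], port: int, proto: str = "tcp") -> bool:
    """Is a new proto/port connection accepted before any catch-all REJECT/DROP?"""
    acc, rej = accept_index(rules, port, proto), first_catch_all_index(rules)
    return acc is not None and (rej is None or acc < rej)


def apply_rule(rules: List[str], command: str) -> List[str]:
    """Simulate `iptables -A CHAIN spec` or `iptables -I CHAIN [n] spec` on a rule list."""
    tokens = command.split()
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    mode, chain, rest = tokens[0], tokens[1], tokens[2:]
    position = len(rules)                       # -A appends at the end
    if mode == "-I":
        position = 0                            # -I defaults to position 1
        if rest and rest[0].isdigit():
            position = int(rest[0]) - 1
            rest = rest[1:]
    elif mode != "-A":
        raise ValueError(f"unsupported command: {mode}")
    new = list(rules)
    new.insert(position, f"-A {chain} {' '.join(rest)}")
    return new


if __name__ == "__main__":
    appended = apply_rule(BASE_CHAIN, SSH_RULE)
    inserted = apply_rule(BASE_CHAIN, SSH_RULE.replace("-A INPUT", "-I INPUT 1"))
    print("appended reachable:", port_is_reachable(appended, 22))   # shadowed by the REJECT
    print("inserted reachable:", port_is_reachable(inserted, 22))   # evaluated first
```

Note that on the question's own machine this is not the cause: the iptables -n -L -v output posted there shows all three chains empty with policy ACCEPT, so there is no REJECT rule to shadow anything, and the refusal persists with the firewall stopped. The check is still the first thing to run when iptables-save does show a trailing REJECT, which is why this answer asks for -v counters.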
1

I think you are trying to connect to the wrong IP.

In the ss command you see something like 'Local Address' 192.168.122.1, but you try to connect to the IP 192.168.10.10.

Could you give us the server's network configuration? It would be enough if you pasted the whole output of running ip a on the server.

by 13.10.2016 / 07:47
