
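Troubleshooting approach: fixing the case where ssh can connect but sftp cannot

Source: http://www.logblo.com  Author: 金沙棋牌  Date: 2019-09-08 09:50

How to fix ssh connecting while sftp cannot connect

Original: troubleshooting approach for the error "Couldn't read packet: Connection reset by peer" (recommended)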

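As an ops engineer, your value is not how much you know; your greatest value is how many errors you have been lucky enough to run into.

Knowledge is something you have, I have and everyone has. Errors that I have hit and you have not: that is my value.

I ran into an error that is quite hard to come across, so I want to share it with everyone.

Below I reproduce it on a test machine, using root privileges so that nobody can say it is a permissions problem.

On September 5, 2017, I hit an error while switching to sftp (the port number is 22; anyone about to say "specify the port" can keep quiet).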


[[email protected] ssh]# sftp -oPort=22 [email protected]

Connecting to 10.0.0.31...

The authenticity of host '10.0.0.31 (10.0.0.31)' can't be established.

RSA key fingerprint is 25:4d:a6:65:1b:77:85:41:f0:18:07:c8:e0:12:c9:9b.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '10.0.0.31' (RSA) to the list of known hosts.

[email protected]'s password:

subsystem request failed on channel 0

Couldn't read packet: Connection reset by peer

 

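Let's look at this error:

Couldn't read packet: Connection reset by peer

That is, the packet could not be read because the peer reset the connection.

This is an error you rarely run into.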

 

Troubleshooting steps:

tail -f /var/log/messages

Sep  5 12:31:53 backup sshd[3131]: subsystem request for sftp failed, subsystem not found

Sep  5 12:37:15 backup sshd[3136]: Accepted password for root from 10.0.0.31 port 9088 ssh2

Sep  5 12:37:15 backup sshd[3136]: subsystem request for sftp

Sep  5 12:37:15 backup sshd[3136]: subsystem request for sftp failed, subsystem not found

 

 

[[email protected] ssh]# rpm -ql openssh-clients

/etc/ssh/ssh_config

/usr/bin/.ssh.hmac

/usr/bin/scp

/usr/bin/sftp

/usr/bin/slogin

/usr/bin/ssh

/usr/bin/ssh-add

/usr/bin/ssh-agent

/usr/bin/ssh-copy-id

 

[[email protected] ssh]# grep sftp /etc/ssh/sshd_config

Subsystem        sftp  /usr/libexec/openssh/sftp-server

[[email protected] ssh]# ll /usr/libexec/openssh/sftp-server

-rwxr-xr-x. 1 root root 67640 Mar 22 16:33 /usr/libexec/openssh/sftp-server

 

Checking the documentation:

 

 

If so, it's the cause of this error message. That's especially true if your sftp user is logging into a chrooted environment, where "/usr/lib" probably does not exist. My own sftp server is configured this way.

 

However, SSHD has the sftp functionality built-in and does not need to execute an external "helper" program like that. So, if you have a line like the above, it can be fixed by changing it to:


 

 

[Figure: error resolution flowchart]

 


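On Linux, SFTP uploads can be implemented with OpenSSH. Locking all users in the SFTP user group into a designated directory and forbidding SSH login for them improves security.

Upgrading OpenSSH on Red Hat Linux 6.5

1. Download the latest OpenSSH package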


 

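2. Before upgrading OpenSSH, first enable telnet on the server and log in to the server over telnet, because ssh will be temporarily unavailable during the upgrade.

Enable the Linux telnet service:

Check whether telnet is already installed: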

rpm -qa|grep telnet

telnet-0.17-48.el6.x86_64

telnet-server-0.17-48.el6.x86_64

 

If it is not installed, install it with yum:

[[email protected] ~]# yum install telnet

[[email protected] ~]# yum install telnet-server

 

Start the telnet service:

Edit the telnet file and change disable to no:

[[email protected] xinetd.d]# vi /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses

#       unencrypted username/password pairs for authentication.

service telnet

{

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  = USERID

        disable         = no

}

 

 

Restart the xinetd service:

service xinetd restart

or:

/etc/rc.d/init.d/xinetd restart

 

Connect to the server over telnet:

[c:~]$ telnet 192.168.5.5

 

 

Connecting to 192.168.5.5:23...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

Red Hat Enterprise Linux Server release 6.8 (Santiago)

Kernel 2.6.32-642.el6.x86_64 on an x86_64

login: test

Password:

[[email protected] ~]$

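By default telnet only accepts logins from ordinary users, so log in as an ordinary user first and then switch to root.

 

3. Back up the existing OpenSSH files: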

cp /usr/sbin/sshd /usr/sbin/sshd.bak

cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

cp /etc/ssh/moduli /etc/ssh/moduli.bak

 

Note: delete the three files below, otherwise the installation reports these errors:

/etc/ssh/ssh_config already exists, install will not overwrite

/etc/ssh/sshd_config already exists, install will not overwrite

/etc/ssh/moduli already exists, install will not overwrite

 

rm /etc/ssh/ssh_config -fr

rm /etc/ssh/sshd_config -fr

rm /etc/ssh/moduli -fr

 

yum install pam-devel

yum install zlib-devel

yum install openssl-devel

 

 

4. Unpack and install OpenSSH

[[email protected] softs]# tar -zxvf openssh-7.4p1.tar.gz

[[email protected] softs]# ls

openssh-7.4p1  openssh-7.4p1.tar.gz  openssh-7.4p1-vs-openbsd.diff.gz

[[email protected] softs]# cd openssh-7.4p1

[[email protected] openssh-7.4p1]#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

### configure: error: *** zlib.h missing – please install first or check config.log

#yum install zlib-devel

###configure: error: *** Can’t find recent OpenSSL libcrypto (see config.log for details) ***

#yum install openssl openssl-devel

 

Rebuild:

Before rebuilding, clean up the state left by the previous build:

make clean

ldconfig

[[email protected] openssh-7.4p1]#  ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

OpenSSH has been configured with the following options:

                     User binaries: /usr/bin

                   System binaries: /usr/sbin

               Configuration files: /etc/ssh

                   Askpass program: /usr/libexec/ssh-askpass

                      Manual pages: /usr/share/man/manX

                          PID file: /var/run

  Privilege separation chroot path: /var/empty

            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin

                    Manpage format: doc

                       PAM support: no

                   OSF SIA support: no

                 KerberosV support: no

                   SELinux support: no

                 Smartcard support:

                     S/KEY support: no

              MD5 password support: no

                   libedit support: no

  Solaris process contract support: no

           Solaris project support: no

         Solaris privilege support: no

       IP address in $DISPLAY hack: no

           Translate v4 in v6 hack: yes

                  BSD Auth support: no

              Random number source: OpenSSL internal ONLY

             Privsep sandbox style: rlimit

 

              Host: x86_64-pc-linux-gnu

          Compiler: gcc

    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE

Preprocessor flags:

      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie

         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv

 

make && make install

/etc/init.d/sshd restart

 

5. Overwrite the old files

cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd

chmod u+x /etc/init.d/sshd

chkconfig --add sshd

cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

[[email protected] openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

cp: overwrite `/usr/sbin/sshd'? y

cp: cannot create regular file `/usr/sbin/sshd': Text file busy

The file is in use.

[[email protected] openssh-7.4p1]# ps -ef|grep sshd

root     14111     1  0 10:05 ?        00:00:00 sshd: [email protected]/0

root     14865     1  0 10:22 ?        00:00:00 sshd: [email protected]

root     24182 14779  0 10:30 pts/1    00:00:00 grep sshd

[[email protected] openssh-7.4p1]# kill -9 14865

[[email protected] openssh-7.4p1]# ps -ef|grep sshd

root     24227 14779  0 10:31 pts/1    00:00:00 grep sshd

 

Overwrite again:

cp /usr/local/openssh/bin/ssh /usr/bin/ssh

 

[[email protected] openssh-7.4p1]# service sshd restart

Stopping sshd:                                             [  OK  ]

ssh-keygen: illegal option -- A

usage: ssh-keygen [options]

Options:

 

cat /etc/init.d/sshd

start()

{

# Create keys if necessary

/usr/bin/ssh-keygen -A

if [ -x /sbin/restorecon ]; then

/sbin/restorecon /etc/ssh/ssh_host_key.pub

/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub

fi

 

echo -n $"Starting $prog:"

$SSHD $OPTIONS && success || failure

RETVAL=$?

[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd

echo

}

 

This is because the older ssh-keygen installed by default has no -A option.

Fix:

cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

 

 

Restart the sshd service:

[[email protected] ssh]# service sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication

/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials

 

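Cause: the new OpenSSH does not support the options above (the configure summary earlier reports KerberosV and PAM support as "no"), so the sshd configuration file has to be changed.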

 

[[email protected] openssh-7.4p1]# vi /etc/ssh/sshd_config

## Uncomment this line to allow root to log in over ssh

PermitRootLogin yes

 

## Comment out the following three options

#GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

#UsePAM yes

 

 

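## Add the following lines at the end of the file, otherwise logging in to Linux over ssh still fails:

The cause of this problem is that, after the upgrade, ssh no longer enables some of the older encryption algorithms by default for security reasons; we add them back by hand.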

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,[email protected]
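
To see which of the re-added entries are the legacy algorithms the upgrade had stopped offering by default, the following added example (not part of the original article) lists them per directive. The function names and the patterns treated as legacy (CBC-mode and arcfour ciphers, MD5, RIPEMD and truncated MACs, SHA-1 group1 and group-exchange key exchange) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): list legacy algorithms that an
# sshd_config re-enables through Ciphers, MACs and KexAlgorithms.
# The "legacy" patterns below are this example's own policy, an assumption.

# Reads sshd_config text on stdin; prints "Directive:algorithm" per finding.
audit_sshd_algos() {
    sed 's/#.*//' | awk '
        BEGIN {
            weak["ciphers"]       = "-cbc$|^arcfour"
            weak["macs"]          = "md5|ripemd160|-96$"
            weak["kexalgorithms"] = "^diffie-hellman-group1-sha1$|^diffie-hellman-group-exchange-sha1$"
        }
        {
            key = tolower($1)
            if (!(key in weak)) next
            list = $2
            if (list ~ /^-/) next          # "-list" removes algorithms, nothing to flag
            sub(/^[+^]/, "", list)         # "+list" and "^list" add to the defaults
            n = split(list, algos, ",")
            for (i = 1; i <= n; i++)
                if (algos[i] ~ weak[key] && !seen[key, algos[i]]++)
                    print $1 ":" algos[i]
        }'
}

# Constructed sample, shortened from the three lines the article appends.
sample_conf() {
    cat <<'EOF'
# appended after the upgrade
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour
MACs hmac-sha1,hmac-md5,hmac-sha1-96
KexAlgorithms ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group1-sha1
EOF
}

sample_conf | audit_sshd_algos
```

On a real host, run it as `audit_sshd_algos < /etc/ssh/sshd_config` and keep only the entries that a client which cannot be upgraded still requires.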

 

 

6. Restart the sshd service and test connecting to the server over ssh

service sshd restart

[c:~]$ ssh 192.168.5.5

 

Connecting to 192.168.5.5:22...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

 

Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2

[[email protected] ~]# ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

 

 

7. Disable telnet

[[email protected] ~]# vi /etc/xinetd.d/telnet

 

# default: on

# description: The telnet server serves telnet sessions; it uses

#       unencrypted username/password pairs for authentication.

service telnet

{

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  = USERID

        disable         = yes

}

 

Stop the xinetd service:

[[email protected] ~]# service xinetd stop

Stopping xinetd:                                           [  OK  ]

Disable it from starting at boot:

[[email protected] ~]# chkconfig --list xinetd

xinetd                 0:off        1:off        2:off        3:on        4:on        5:on        6:off

[[email protected] ~]# chkconfig  xinetd off

[[email protected] ~]# chkconfig --list xinetd

xinetd                 0:off        1:off        2:off        3:off        4:off        5:off        6:off

 

 


 

Resolving a problem after the upgrade:

Logging in to Linux with WinSCP reports an error; the fix is as follows:

[[email protected] ~]# vi /etc/ssh/sshd_config

 

# override default of no subsystems

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

Subsystem       sftp    internal-sftp

Comment out the original line and change it to the internal-sftp line beneath it.

 

Restart the sshd service:

service sshd restart

 


 

The openssl-1.0.0.tar.gz and openssh-5.4p1.tar.gz archives used in this article are on FTP server No. 1 of Linux公社 (LinuxIDC.com),

under 2011年LinuxIDC.com, 1月, Linux下利用OpenSSH建立SFTP服务器 (Setting up an SFTP server with OpenSSH on Linux).

For the download procedure, see

1. Install OpenSSL. The version must be higher than 0.9.6; on CentOS 5.4 it does not need to be installed by default.

Download openssl-1.0.0.tar.gz

# tar zxvf openssl-1.0.0.tar.gz
# cd openssl-1.0.0
# ./config
# make
# make install

2. Install OpenSSH. The version must be higher than 4.8p1.
    # rpm -q openssh
    openssh-4.3p2-36.el5
    Note: on CentOS 5.4 the openssh package needs to be installed; if the openssl version is higher than 0.9.6, openssl does not need to be installed.

Download openssh-5.4p1.tar.gz

# tar zxvf openssh-5.4p1.tar.gz
# cd openssh-5.4p1
# ./configure --with-ssl-dir=/usr/local/ssl # where openssl is installed
# make
# make install

3. Configuration
    (1) Change the sshd startup script
    # vi /etc/init.d/sshd
    SSHD=/usr/sbin/sshd
    change to
    SSHD=/usr/local/sbin/sshd

(2) Change the sshd configuration file; with the tarball install, the configuration file is at /usr/local/etc/sshd_config
# cd /usr/local/etc
# cp sshd_config sshd_config.bak
# cp /etc/ssh/sshd_config /usr/local/etc/

# vi sshd_config
# override default of no subsystems
# Subsystem sftp /usr/local/libexec/sftp-server

Subsystem sftp internal-sftp
# Group name; for a single user, use "Match user <username>" instead
Match group sftp
X11Forwarding no
# Specify the actual directory
ChrootDirectory /data/htdocs/
AllowTcpForwarding no
ForceCommand internal-sftp

(3) Change the directory permissions
# groupadd sftp
# chown root:sftp /data/htdocs
# useradd -d /data/htdocs -s /bin/false -g sftp koumm
# passwd koumm

Note: the directory must be owned by root, otherwise login fails. Other users can be added to the sftp group, and writable folders can be created inside /data/htdocs to allow file uploads.

(4) Restart the sshd service
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /usr/local/etc/sshd_config line 74: Unsupported option GSSAPIAuthentication
/usr/local/etc/sshd_config line 76: Unsupported option GSSAPICleanupCredentials
/usr/local/etc/sshd_config line 87: Unsupported option UsePAM
[ OK ]
To resolve these error messages:
# vi /usr/local/etc/sshd_config
Comment out lines 74, 76 and 87:
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes

# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

 

Since yesterday I had been unable to log in to the remote server with FileZilla, while logging in over ssh was fine. Because it is a server, I did not dare change things at random. After looking through a lot of material I finally solved it. First, check the system's security log:

[[email protected] sbin]# cat /var/log/secure | grep sftp

The output is as follows:

Nov 15 12:43:30 localhost sshd[22938]: error: subsystem: cannot stat /usr/libexec/openssh/sftp-server: No such file or directory

Nov 15 12:43:30 localhost sshd[22938]: subsystem request for sftp failed, subsystem not found

Nov 15 13:18:01 localhost sshd[25093]: subsystem request for sftp

This shows that the sftp-server path could not be found.

[[email protected] sbin]# locate sftp-server

/usr/local/libexec/libexec/openssh/sftp-server

Running locate for sftp-server shows that its directory differs from the one in the configuration file.

[[email protected] sbin]# vi /etc/ssh/sshd_config

Change the sftp path on the last line of the configuration file as follows:

# override default of no subsystems

Subsystem       sftp    /usr/local/libexec/libexec/openssh/sftp-server

Reload sshd:

[[email protected] sbin]# /etc/init.d/sshd reload

Tried again, and it worked.
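
The sftp failures on this page share one cause: the Subsystem sftp line names a helper binary that is not at that path (or not inside the chroot), whereas internal-sftp needs no helper. The following added example, not part of the original posts, reports what that line resolves to; the function name, the result strings and the optional chroot argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original posts): report what the "Subsystem sftp"
# line of an sshd_config resolves to. The function name, result strings and the
# optional chroot argument are assumptions of this example.

# usage: check_sftp_subsystem <sshd_config> [chroot_dir]
# prints: unset | internal | ok:<path> | missing:<path> | not-executable:<path>
check_sftp_subsystem() {
    conf=$1
    root=${2:-}      # when set, the helper is looked up inside this chroot
    # First uncommented "Subsystem sftp" line; field 3 is the command.
    target=$(sed 's/#.*//' "$conf" |
        awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }')
    case $target in
        "")            echo "unset" ;;
        internal-sftp) echo "internal" ;;   # served inside sshd, no helper binary
        *)
            if [ ! -e "$root$target" ]; then
                echo "missing:$target"      # helper binary absent at that path
            elif [ ! -x "$root$target" ]; then
                echo "not-executable:$target"
            else
                echo "ok:$target"
            fi ;;
    esac
}

# Constructed demo: a config naming a helper that does not exist in the chroot.
demo=$(mktemp -d)
printf 'Subsystem\tsftp\t/usr/libexec/openssh/sftp-server\n' > "$demo/sshd_config"
check_sftp_subsystem "$demo/sshd_config" "$demo"    # missing:/usr/libexec/openssh/sftp-server
rm -rf "$demo"
```

Run it against the configuration file the running sshd actually reads (/etc/ssh/sshd_config or /usr/local/etc/sshd_config in the installs above) before restarting the service.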
