As the question is, today I encountered the problem that SSD cannot be connected to a server on my intranet.
Ping the server to successfully ping the server.
It's okay to log on to the Intranet server.
However, there is a problem with using local SSH to log on to the server.
The Troubleshooting logic will naturally fall into the ssh-related settings of the server.
1. Check whether the sshd server is started. If it is started properly, exclude
2. Check the configuration in/etc/PAM. d/sshd and comment out the previously restricted login user configuration. The problem persists.
3. Check the configuration in/etc/sudoers to check whether user login such as root is restricted. If no user login is restricted, exclude
4. Check/etc/ssh/ssh_config. The # allowusers [email protected] Test statement is obviously problematic. resolve the problem after commenting.
Appendix: sshd_config configuration details
Sshd_config restricts access from an IP address
In Linux, the/etc/hosts. deny file can be configured to restrict access to IP addresses and other information. It is similar to order deny and allow in Apache, but it is written differently. Only access from 192.168.1.1 is allowed. Write as follows:
sshd: ALL EXCEPT 192.168.1.1
Similarly, you can configure hosts. Allow under/etc.
Sshd_config
Sshd_config is the configuration file of the OpenSSH Ssh ssh server daemon. By default, sshd reads configuration information from/etc/ssh/sshd_config (you can also use the-F command line option to specify the configuration file:/etc/init. d/sshd-f filename start.
The sshd_config configuration file is composed of "command value" pairs, with one row. Empty rows and rows starting with '#' are ignored. If the value contains blank characters or other special characters, you can define it by adding double quotation marks (") on both sides. [Note] the value is case-sensitive, but the command is case-insensitive.
The following configuration commands are available:
Acceptenv
Specifies which environment variables sent by the client will be passed to the session environment. [Note] Only SSH-2 protocols support the transfer of environment variables. For details, refer to the sendenv configuration command in ssh_config (5. The command value is a list of variable names separated by spaces (which can be '*' and '? 'As a wildcard ). You can also use multiple acceptenv to achieve the same purpose. Note that some environment variables may be used to bypass environment variables that are not allowed by users. For this reason, this command should be used with caution. By default, no environment variables are passed.
Addressfamily
Specifies the address family that sshd (8) should use. Valid values: "any" (default), "Inet" (IPv4 only), and "inet6" (IPv6 only ).
Allowgroups
This command is followed by a list of group names separated by spaces ("*" and "?" can be used here "?" Wildcard ). All groups are allowed to log on by default. If this command is used, only members in these groups are allowed to log on, and all other groups are rejected. The "group" here refers to the "Primary Group", that is, the group specified in the/etc/passwd file. Only group names are allowed, but GID is not allowed. The related allow/deny commands are processed in the following order: denyusers, allowusers, denygroups, and allowgroups.
Allowtcpforwarding
Whether to allow TCP forwarding. The default value is "yes ". Disabling TCP forwarding does not enhance security unless you are forbidden from accessing the shell because you can install your own forwarder.
Allowusers
This command is followed by a list of usernames separated by spaces ("*" and "?" can be used here "?" Wildcard ). All users are allowed to log on by default. If this command is used, only these users are allowed to log on, and all other users are denied. If the [email protected] mode is specified, the user and host will be checked at the same time. Only user names are allowed, but uid is not allowed. The related allow/deny commands are processed in the following order: denyusers, allowusers, denygroups, and allowgroups.
Authorizedkeysfile
The RSA/DSA public key that the user can log on. In this command, the following symbols can be expanded based on the actual connection conditions: % indicates '%', % H indicates the user's main directory, and % u indicates the user name. After expansion, the value must be either an absolute path or a relative path relative to the user's main directory. The default value is ". Ssh/authorized_keys ".
Banner
The content in the file specified by this command is displayed to the remote user before the user authenticates. This feature is only available for SSH-2, and by default nothing is displayed ." None indicates that this feature is disabled.
Challengeresponseauthentication
Whether to allow challenge-response authentication. The default value is "yes ". All authentication methods allowed in login. conf (5) are supported.
Ciphers
Specifies the encryption algorithm that the SSH-2 allows to use. Multiple algorithms are separated by commas. The algorithms that can be used are as follows: "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "3des-cbc", "arcfour128 ″, arcfour256, arcfour, blowfish-CBC, cast128-cbc ". The default value is that all the above algorithms can be used.
Clientalivecountmax
The maximum number of "alive" messages that sshd (8) can send before receiving any client response. The default value is 3. When the upper limit is reached, sshd (8) will force disconnect and close the session. Note that the "alive" message is very different from the tcpkeepalive message. Alive "messages are sent through encrypted connections, so they are not spoofed. However, tcpkeepalive messages can be spoofed. If the clientaliveinterval is set to 15 and the clientalivecountmax is kept as the default value, the client that does not respond will be forcibly disconnected after 45 seconds. This directive can only be used for SSH-2 protocols.
Clientaliveinterval
Set a time in seconds. If no data is received from the client after such a long time, sshd (8) will send an "alive" message to the client through a secure channel, wait for a response. The default value 0 indicates that the "alive" message is not sent. This option is only valid for the SSH-2
Compression
Whether to encrypt the communication data or wait until the authentication succeeds before encrypting the communication data. Available values: "Yes", "delayed" (default), and "no ".
Denygroups
This command is followed by a list of group names separated by spaces ("*" and "?" can be used here "?" Wildcard ). All groups are allowed to log on by default. If this command is used, the Members in these groups are denied logon. The "group" here refers to the "Primary Group", that is, the group specified in the/etc/passwd file. Only group names are allowed, but GID is not allowed. The related allow/deny commands are processed in the following order: denyusers, allowusers, denygroups, and allowgroups.
Denyusers
This command is followed by a list of usernames separated by spaces ("*" and "?" can be used here "?" Wildcard ). All users are allowed to log on by default. If this command is used, these users are denied logon. If the [email protected] mode is specified, the user and host will be checked at the same time. Only user names are allowed, but uid is not allowed. The related allow/deny commands are processed in the following order: denyusers, allowusers, denygroups, and allowgroups.
Forcecommand
Execute the commands specified here and ignore any commands provided by the client. This command will be executed using the user's login shell (shell-C ). This can be applied to the completion of shell, command, and subsystem, and is usually used in the match block. This command was initially supported on the client through the ssh_original_command environment variable.
Gatewayports
Whether to allow the remote host to connect to the local forwarding port. The default value is "no ". By default, sshd (8) binds the remote port forwarding to the loopback address. This will prevent other remote hosts from connecting to the forwarding port. The gatewayports command allows sshd to bind the remote port forwarding to a non-loopback address. This allows remote host connection. "No" indicates that only local connections are allowed. "Yes" indicates that the remote port forwarding is forcibly bound to the wildcard address ), "clientspecified" indicates the IP address to which the remote port is forwarded.
Gssapiauthentication
Whether gssapi-based user authentication is allowed. The default value is "no ". For SSH-2 only.
Gssapicleanupcredentials
Whether to automatically destroy the user credential cache after the user logs out. The default value is "yes ". For SSH-2 only.
Hostbasedauthentication
This command is similar to RhostsRSAAuthentication, but can only be used for SSH-2. The default value "no" is recommended ". We recommend that you use the default value "no" to disable this insecure authentication method.
Hostbasedusesnamefrompacketonly
When hostbasedauthentication is enabled ~ /. Shosts ~ /. Rhosts/etc/hosts. equiv indicates whether to perform Reverse Domain name query when remote host name matching is performed ." Yes indicates that sshd (8) trusts the host name provided by the client without reverse query. The default value is "no ".
Hostkey
The location of the host private key file. If the permission is incorrect, sshd (8) may refuse to start. SSH-1 default is/etc/ssh/ssh_host_key. The default SSH-2 is/etc/ssh/ssh_host_rsa_key and/etc/ssh/ssh_host_dsa_key. A host can have multiple private keys ." Rsa1 "is for SSH-1 only," DSA "and" RSA "is for SSH-2 only.
IgnoreRhosts
Whether to ignore the. rhosts and. shosts files during RhostsRSAAuthentication or hostbasedauthentication. However,/etc/hosts. equiv and/etc/shosts. equiv will still be used. We recommend that you set the default value to "yes ".
Ignoreuserknownhosts
Whether to ignore the user's ~ during RhostsRSAAuthentication or hostbasedauthentication ~ /. Ssh/known_hosts file. The default value is "no ". To improve security, you can set it to "yes ".
Kerberosauthentication
Whether the password provided by the user for passwordauthentication must pass Kerberos KDC authentication, that is, whether to use Kerberos authentication. To use Kerberos authentication, the server needs a Kerberos servtab that can verify the KDC identity. The default value is "no ".
Kerberosgetafstoken
If AFS is used and the user has a Kerberos 5 TGT, after this command is enabled, an AFS token will be obtained before accessing the user's home directory. The default value is "no ".
Kerberosorlocalpasswd
If Kerberos Password Authentication fails, the password will also pass other authentication mechanisms (such as/etc/passwd ). The default value is yes ".
Restore osticketcleanup
Whether to automatically destroy the user's ticket after the user logs out. The default value is "yes ".
Keyregenerationinterval
Under the SSH-1 protocol, the short-lived server key will be continuously regenerated based on the time (in seconds) set in this directive. This mechanism can minimize the loss caused by key loss or hacker attacks. If it is set to 0, the system will never be regenerated. The default value is 3600 (seconds ).
Listenaddress
Specify the network address of the sshd (8) listener. All addresses are listened to by default. You can use the following format:
Listenaddress host | listen 4_addr | listen 6_addr
Listenaddress host | listen 4_addr: Port
Listenaddress [host | ipv6_addr]: Port
If no port is specified, the PORT command value is used. You can use multiple listenaddress commands to listen to multiple addresses.
Logingracetime
The user must be authenticated successfully within the specified time limit. 0 indicates no limit. The default value is 120 seconds.
Loglevel
Specify the log level (details) of sshd (8 ). Available values: Quiet, fatal, error, Info (default), verbose, debug, debug1, debug2, debug3 debug and debug1 are equivalent; debug2 and debug3 specify more detailed and more detailed log output respectively. Logs that are more detailed than debug may leak user sensitive information, so they are opposed to use.
Macs
Specifies which message digest algorithms are allowed in the SSH-2 for data validation. You can use a comma-separated list to specify multiple algorithms. The default value (containing all the algorithms that can be used) is: hmac-md5, hmac-sha1, [email protected], hmac-ripemd160, hmac-sha1-96, hmac-md5-96.
Match
Introduce a condition block. The end of a block is another match command or the end of a file. If all the conditions specified on the match row are met, the subsequent commands will overwrite the commands in the global configuration. The value of match is one or more "condition-mode" pairs. The available "conditions" are: user, group, host, and address. Only the following commands can be used in the match block: Accept, banner, forcecommand, gatewayports, transport, allow, deny, passwordauthentication, permitopen, permitrootlogin, allow, rsaauthentication, x11displayoffset, x11forwarding, and deny.
Maxauthtries
Specifies the maximum number of authentications allowed for each connection. The default value is 6. If the number of failed authentication attempts exceeds half of this value, the connection is forcibly disconnected and an additional Failure Log message is generated.
Maxstartups
Maximum number of unauthenticated connections allowed. The default value is 10. When the limit is reached, new connections will not be accepted unless the previous connection authentication is successful or exceeds the limit of logingracetime.
Passwordauthentication
Whether password-based authentication is allowed. The default value is "yes ".
Permitemptypasswords
Whether to allow users with blank passwords to log on remotely. The default value is "no"
Permitopen
Specifies the destination allowed for TCP port forwarding. Multiple forwarding targets can be separated by spaces. All forwarding requests are allowed by default. The valid command format is as follows:
Permitopen HOST: Port
Permitopen ipv4_addr: Port
Permitopen [ipv6_addr]: Port
"Any" can be used to remove all restrictions and allow all forwarding requests.
Permitrootlogin
Whether to allow root logon. The available values are as follows:
"Yes" (default) indicates yes ." No.
"Without-Password" indicates password authentication is prohibited.
"Forced-commands-only" indicates that logon with public key authentication is allowed only when the command option is specified.
All other authentication methods are forbidden. This value is often used for remote backup and other things.
Permittunnel
Whether to allow Tun (4) device forwarding. The available values are as follows:
"Yes", "point-to-point" (Layer 3), "Ethernet" (Layer 2), and "no" (default ).
"Yes" also contains "point-to-point" and "Ethernet ".
Permituserenvironment
Specify whether sshd (8) processing is allowed ~ /. Ssh/environment and ~ Environment = option in/. Ssh/authorized_keys. The default value is "no ". If it is set to "yes", users may have the opportunity to use some mechanisms (such as ld_preload) to bypass access control, resulting in security vulnerabilities.
Pidfile
Specifies the file in which the SSH daemon process number is stored. The default value is the/var/run/sshd. PID file.
Port
Specifies the port number listened by the sshd (8) daemon. The default value is 22. You can use multiple commands to listen to multiple ports. By default, listeners are listened on all network interfaces of the Local Machine. However, you can use listenaddress to specify to only listen on a specific interface.
Printlastlog
Specify whether sshd (8) prints the logon time of the last user during each interactive logon. The default value is "yes ".
Printmotd
Specify whether sshd (8) prints the content of the/etc/motd file at each interactive login. The default value is "yes ".
Protocol
Specifies the version number of the SSH protocol supported by sshd (8. '1' and '2' indicate that only SSH-1 and SSH-2 protocols are supported ." 2, 1 "indicates that both SSH-1 and SSH-2 protocols are supported.
Pubkeyauthentication
Whether public key authentication is allowed. Can only be used for SSH-2. The default value is yes ".
RhostsRSAAuthentication
Whether to use strong trusted host authentication (by checking the remote host name and associated user name for authentication ). For SSH-1 only. This is done after successful RSA Authentication ~ /. Rhosts or/etc/hosts. equiv for authentication. For security reasons, we recommend that you use the default value "no ".
Rsaauthentication
Whether to allow pure RSA public key authentication. For SSH-1 only. The default value is "yes ".
Serverkeybits
Specify the length of the temporary server key. For SSH-1 only. The default value is 768 (BITs ). Minimum value: 512.
Strictmodes
Specify whether to require sshd (8) to check the host and permissions of the user's home directory and related configuration files before accepting the connection request. We strongly recommend that you use the default value "yes" to prevent possible low-level errors.
Subsystem
Configure an external subsystem (for example, a file transfer Daemon ). Only for SSH-2 protocols. The value is the name of a sub-system and the corresponding command line (including options and parameters ). For example, "SFT/bin/SFTP-server ".
Syslogfacility
Specify the log subsystem in which sshd (8) sends the log message. Valid values: daemon, user, auth (default), local0, local1, local2, local3, local4, local5, local6, local.
Tcpkeepalive
Specifies whether the system sends TCP keepalive messages to the client. The default value is "yes ". This type of message can detect exceptions such as dead connections, improperly closed connections, and client crashes. You can set "no" to disable this feature.
Usedns
Specify whether sshd (8) should reverse resolve the remote host name to check whether the host name actually corresponds to its IP address. The default value is yes ".
UseLogin
Whether to use login (1) During interactive session login ). The default value is "no ". If this command is enabled, x11forwarding will be disabled because login (1) does not know how to handle Xauth (1) cookies. Note that login (1) is forbidden for remote command execution.
Useprivilegeseparation
Whether to allow sshd (8) to separate permissions by creating a non-privileged sub-process to process access requests. The default value is "yes ". After successful authentication, another sub-process will be created as the authenticated user. The purpose of this operation is to prevent unauthorized sub-processes from improving the permissions and thereby making the system more secure.
X11displayoffset
Specify the first available display area (Display) number forwarded by sshd (8) X11. The default value is 10. This can be used to prevent sshd from occupying the real X11 server display area and thus causing confusion.
X11forwarding
Whether to allow X11 forwarding. The default value is "no", and "yes" indicates yes. If X11 forwarding is allowed and the display area of the sshd (8) proxy is configured to listen on an address (x11uselocalhost) containing wildcards. It may expose additional information. The default value of this command is "no" because of the possible risks caused by X11 forwarding ". It should be noted that disabling X11 forwarding does not prohibit users from forwarding X11 communications, because users can install their own referer. If UseLogin is enabled, X11 forwarding is automatically disabled.
X11uselocalhost
Should sshd (8) bind the X11 forwarding server to the local loopback address. The default value is "yes ". By default, sshd binds the forwarding server to the local loopback address and sets the Host Name of the display environment variable to "localhost ". This prevents remote hosts from connecting to proxy display. However, some old X11 clients cannot work properly under this configuration. To be compatible with these old X11 clients, you can set it to "no ".
Xauthlocation
Specify the absolute path of the Xauth (1) program. The default value is/usr/x11r6/bin/Xauth.
Solution to SSH connection failure