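Debugging SSH connections: reading the output of ssh -vvv line by line
Introduction
SSH is a protocol we use constantly when connecting to remote servers. The ssh -vvv command produces a large amount of debug information that helps us understand exactly what happens while an SSH connection is being set up. That information is often confusing, however. In this post we walk through the log output of ssh -vvv step by step.
Sample output: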
ssh -vvv user@10.0.0.1
OpenSSH_8.2p1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host 10.0.0.1 originally 10.0.0.1
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 10.0.0.1 is address
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host 10.0.0.1 originally 10.0.0.1
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: ssh_connect_direct
debug1: Connecting to 10.0.0.1 [10.0.0.1] port 22.
Line-by-line walkthrough
1. SSH and OpenSSL versions
OpenSSH_8.2p1, OpenSSL 1.1.1f 31 Mar 2020
This line tells us that the SSH client is OpenSSH version 8.2p1 and that it is using OpenSSL version 1.1.1f.
2. Reading the configuration file
debug1: Reading configuration data /etc/ssh/ssh_config
The SSH client starts reading the configuration file /etc/ssh/ssh_config.
3. Including other configuration files
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
This line shows that line 51 of ssh_config includes another configuration file, /etc/ssh/ssh_config.d/05-redhat.conf.
4. Checking host matching
debug2: checking match for 'final all' host 10.76.77.100 originally 10.76.77.100
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
debug2: match not found
These lines check the host matching rule. No matching rule was found here. In the sample output above, the same rule does match on the second pass, after "re-parsing configuration".
5. Reading the crypto policy
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
Here the client starts reading /etc/crypto-policies/back-ends/openssh.config, which is normally used to define the system-wide cryptographic policy.
6. Generic Security Service Application Program Interface
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
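GSSAPI (Generic Security Service Application Program Interface) is an API for a variety of security services, including authentication and encryption. SSH can authenticate through GSSAPI.
KEX (Key EXchange): key exchange is an important step in setting up an SSH connection. During this phase the client and server negotiate and generate a shared key that is used to encrypt the subsequent communication.
7. Key exchange algorithms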
debug3: kex names ok: [curve25519-sha256@libssh.org,...,diffie-hellman-group1-sha1]
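This shows which key exchange algorithms the client supports.
8. The actual connection
debug2: ssh_connect_direct
debug1: Connecting to 10.76.77.100 [10.76.77.100] port 22.
Here the client actually starts trying to connect to port 22 on the server 10.76.77.100.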
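As an added example (not part of the original post), the following Python script pulls the fields discussed in the walkthrough out of ssh -vvv output: client version, configuration files read, key exchange lists and the connection target. The sample text is abridged from the output on this page; treating every SHA-1-based exchange name as legacy is this example's own policy choice, and the function names are hypothetical.

```python
import re

# Abridged from the sample output on this page (kex list shortened).
SAMPLE = """\
OpenSSH_8.2p1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.1 [10.0.0.1] port 22.
"""

LINE = re.compile(r"^debug(?P<level>[123]): (?P<msg>.*)$")
KEX = re.compile(r"^(?P<kind>gss kex|kex) names ok: \[(?P<names>[^\]]*)\]$")
CONNECT = re.compile(r"^Connecting to (?P<host>\S+) \[(?P<addr>[^\]]+)\] port (?P<port>\d+)\.$")
READ = "Reading configuration data "

def is_legacy(name):
    # Example policy (assumption): SHA-1 based exchanges count as legacy.
    # GSS names carry a trailing "-", so strip it before testing.
    return name.rstrip("-").endswith("sha1")

def summarize(text):
    out = {"version": None, "configs": [], "kex": {}, "legacy": [], "target": None}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m is None:
            # The version banner is the only line without a debugN: prefix.
            if raw.startswith("OpenSSH_"):
                out["version"] = raw.split(",")[0]
            continue
        msg = m.group("msg")
        if msg.startswith(READ):
            path = msg[len(READ):]
            if path not in out["configs"]:  # the config is parsed twice
                out["configs"].append(path)
        elif (k := KEX.match(msg)):
            names = [n for n in k.group("names").split(",") if n]
            out["kex"][k.group("kind")] = names
            out["legacy"] += [n for n in names if is_legacy(n) and n not in out["legacy"]]
        elif (c := CONNECT.match(msg)):
            out["target"] = (c.group("addr"), int(c.group("port")))
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against a real session, capture the debug stream with ssh -vvv user@host 2> ssh-debug.log and pass the file contents to summarize().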
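Summary
Debugging with ssh -vvv shows how an SSH connection is set up internally and provides valuable information when troubleshooting. I hope this line-by-line walkthrough helps you better understand each stage of an SSH connection and the details behind it.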