nftables on the server prevents SSH login (using strong SSH keys).

Please help me solve this problem.

I think nftables on Server-3 (Debian-10) is blocking SSH logins (from a macOS client).

Additional note relevant to everything below: distributions such as Ubuntu, Kali and Tails are based on Debian GNU/Linux. I am using Debian GNU/Linux 10 Buster (three servers run Debian-10, and there are two Debian-10 clients/workstations/laptops). The user "erik" shown below is a regular Debian user account. I also use a macOS Sierra 10.12.6 MacBook, and the user "macUsr" mentioned is a privileged macOS user account of type "admin" (a.k.a. "administrator").

Start nftables on the Server-3 machine:

root@SRVR3:~ # systemctl start nftables.service

Problem/question: this is what the macOS (SSH client machine) terminal shows while nftables is present/enabled:

macOSbook:~ macUsr$ /usr/bin/ssh -vvv SRVR3_root_sshd
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/macUsr/.ssh/config
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 522: Applying options for SRVR3_root_sshd
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 755: Applying options for *
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug2: resolving "SRVR3.IPv4.ADRS" port 5022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to SRVR3.IPv4.ADRS [SRVR3.IPv4.ADRS] port 5022.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 17829 ms remain after connect
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_NT_eu-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to SRVR3.IPv4.ADRS:5022 as 'root'
debug3: rekey after 104857600 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group18-sha512
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 4106/8192
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:BuDY...IfNg
debug3: verify_host_key_dns
debug1: skipped DNS lookup for numerical hostname
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug1: Host '[SRVR3.IPv4.ADRS]:5022' is known and matches the RSA host key.
debug1: Found key in /Users/macUsr/.ssh/known_hosts:11
debug2: bits set: 4175/8192
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 6553600 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 6553600 blocks
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_NT_eu (0x7fe9d8c1f8b0), explicit, agent
debug2: key:  (0x7fe9d8d01ac0), agent
debug2: key: [email protected] (0x7fe9d8d02690), agent
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr (0x7fe9d8d01410), explicit
debug2: key: /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr (0x7fe9d8d014d0), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
Authentication failed.

It seems to me that the error "Authentication failed." occurs during "ssh-userauth".

Turn off the (packet-filtering) firewall on the Server-3 machine:

root@SRVR3:~ # systemctl stop nftables.service

This is what the macOS (SSH client) terminal shows while nftables is off/disabled:

macOSbook:~ macUsr$ /usr/bin/ssh -vvv SRVR3_root_sshd
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/macUsr/.ssh/config
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 522: Applying options for SRVR3_root_sshd
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug1: /Users/macUsr/.ssh/config line 755: Applying options for *
debug3: kex names ok: [diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256]
debug2: resolving "SRVR3.IPv4.ADRS" port 5022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to SRVR3.IPv4.ADRS [SRVR3.IPv4.ADRS] port 5022.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 17830 ms remain after connect
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr-cert type -1
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to SRVR3.IPv4.ADRS:5022 as 'root'
debug3: rekey after 104857600 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes256-ctr
debug2: ciphers stoc: [email protected],aes256-ctr
debug2: MACs ctos: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: MACs stoc: [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group18-sha512
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 4121/8192
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:BuDY...IfNg
debug3: verify_host_key_dns
debug1: skipped DNS lookup for numerical hostname
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: put_host_port: [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug3: hostkeys_foreach: reading file "/Users/macUsr/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/macUsr/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys from [SRVR3.IPv4.ADRS]:5022
debug1: Host '[SRVR3.IPv4.ADRS]:5022' is known and matches the RSA host key.
debug1: Found key in /Users/macUsr/.ssh/known_hosts:11
debug2: bits set: 4153/8192
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 6553600 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 6553600 blocks
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3 (0x7ff42f411ff0), explicit, agent
debug2: key:  (0x7ff42f412950), agent
debug2: key: [email protected] (0x7ff42f413430), agent
debug2: key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr (0x7ff42f50e900), explicit
debug2: key: /Users/macUsr/.ssh/id_rsa-8kb_key_MB_macUsr (0x7ff42f50ea30), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,hostbased
debug3: start over, passed a different list publickey,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/macUsr/.ssh/id_rsa-16kb_key_MB_macUsr_to_SRVR3
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 2071
debug2: input_userauth_pk_ok: fp SHA256:s+We...4zeM
debug3: sign_and_send_pubkey: RSA SHA256:s+We...4zeM
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to SRVR3.IPv4.ADRS ([SRVR3.IPv4.ADRS]:5022).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env ...
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env ...
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Linux SRVR3 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 15 01:20:03 2019 from cpe-NNN-NNN-NNN-NNN.socal.res.rr.com
root@SRVR3:~#

So from the above you can clearly see that when nftables is down, SSH login to Server-3 with a strong SSH key works immediately (within about 7 seconds).

But I want to log in to the server via SSH while the nftables firewall is on/enabled.

The line numbers shown above do not match the config files shown, because I removed many comment/remark lines to strip less necessary parts from the public view.

Now the configuration/settings information from the macOSbook (client) machine side:

The user's SSH config and SSH key-pair files, with their permissions and ownership:

macOSbook:~ macUsr$ cd ~/.ssh/
macOSbook:.ssh macUsr$ ls -lGA
total 608
-rw-r--r--@ 1 macUsr  staff   6148 Jul 25 18:36 .DS_Store
drwx------  5 macUsr  admin    170 Aug  8 23:54 allow_keys
-rw-------@ 1 macUsr  admin  57140 Aug 15 04:08 config
drwx------  2 macUsr  admin     68 Jul 25 18:36 disallow_keys
-rw-------  1 macUsr  admin   1766 Feb 28  2016 github_rsa
-rw-r-----@ 1 macUsr  admin    399 Feb 28  2016 github_rsa.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:51 id_ed25519_key_MB_macUsr
-rw-r-----  1 macUsr  admin    104 Jul 25 05:51 id_ed25519_key_MB_macUsr.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:50 id_ed25519_key_MB_macUsr_to_SRVR1
-rw-r-----  1 macUsr  admin    104 Jul 25 05:50 id_ed25519_key_MB_macUsr_to_SRVR1.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR2
-rw-r-----  1 macUsr  admin    104 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR2.pub
-rw-------  1 macUsr  admin    419 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR3
-rw-r-----  1 macUsr  admin    104 Jul 25 05:51 id_ed25519_key_MB_macUsr_to_SRVR3.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:43 id_rsa-16kb_key_MB_macUsr
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:43 id_rsa-16kb_key_MB_macUsr.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:21 id_rsa-16kb_key_MB_macUsr_to_SRVR1
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:21 id_rsa-16kb_key_MB_macUsr_to_SRVR1.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:30 id_rsa-16kb_key_MB_macUsr_to_SRVR2
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:30 id_rsa-16kb_key_MB_macUsr_to_SRVR2.pub
-rw-------  1 macUsr  admin  12603 Jul 25 05:38 id_rsa-16kb_key_MB_macUsr_to_SRVR3
-rw-r-----  1 macUsr  admin   2796 Jul 25 05:38 id_rsa-16kb_key_MB_macUsr_to_SRVR3.pub
-rw-------  1 macUsr  admin   6363 Jul 25 05:49 id_rsa-8kb_key_MB_macUsr
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:49 id_rsa-8kb_key_MB_macUsr.pub
-rw-------  1 macUsr  admin   6363 Jul 25 05:44 id_rsa-8kb_key_MB_macUsr_to_SRVR1
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:44 id_rsa-8kb_key_MB_macUsr_to_SRVR1.pub
-rw-------  1 macUsr  admin   6363 Jul 25 05:47 id_rsa-8kb_key_MB_macUsr_to_SRVR2
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:47 id_rsa-8kb_key_MB_macUsr_to_SRVR2.pub
-rw-------  1 macUsr  admin   6367 Jul 25 05:48 id_rsa-8kb_key_MB_macUsr_to_SRVR3
-rw-r-----  1 macUsr  admin   1428 Jul 25 05:48 id_rsa-8kb_key_MB_macUsr_to_SRVR3.pub
drwx------  5 macUsr  admin    170 Aug  8 23:54 keys_from_others
-rw-------  1 macUsr  admin   9467 Aug  8 19:00 known_hosts

The SSH config (system-wide) files, with their permissions and ownership:

macOSbook:~ macUsr$ cd /etc/ssh
macOSbook:ssh macUsr$ ls -lGA
total 120
drwxr-x---  7 macUsr  wheel     238 Aug  7 18:19 bak_2019-08-07
-rw-r-----  1 root    wheel  553185 Jan 23  2017 moduli
-rw-r-----  1 root    wheel    4546 Aug 15 03:46 ssh_config
-rw-r-----  1 root    wheel    1676 Jul 30  2016 ssh_config~orig
-rw-r-----  1 root    wheel    5333 Aug 10 00:08 sshd_config
-rw-r-----  1 root    wheel    4161 Jun  3  2015 sshd_config~previous

I use only 16-kbit RSA keys.

I cannot paste the relevant code (of the config files) directly here; StackOverflow/StackExchange overflows after 30k!

So I have pasted the code/configs/etc. into GitHub gists and am sharing the links here.

This is the ~/.ssh/config file of the macOS (SSH client) machine.

This is the /etc/ssh/sshd_config file of the Server-3 (SSH server) machine.

This is the /etc/nftables.conf file of the Server-3 (SSH server) machine.

The SSH config and SSH key-pair identity files of the Server-3 "root" user in the ~/.ssh/ folder, with their permissions and ownership:

root@SRVR3:~# ls -aLAlist --color=auto ~/.ssh/
total 100
 393217  4 drwx------ 9 root root  4096 Aug 16 03:42 ..
 393227  4 drwx------ 2 root root  4096 Aug  8 18:53 .
1711181  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_SRVR1_To_SRVR3.pub
1711180  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_SRVR2_To_SRVR3.pub
1711181  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_DEB1_To_SRVR3.pub
1711180  4 -rw-r----- 1 root root  2781 Aug  8 18:22 id_rsa_key_DEB2_To_SRVR3.pub
1711179  4 -rw-r----- 1 root root  2796 Aug  8 18:22 id_rsa-16kb_key_MB_macUsr_to_SRVR3.pub
1711178  4 -rw-r----- 1 root root  2781 Aug  8 18:21 id_rsa_key_SRVR3.pub
1711175 16 -rw------- 1 root root 12717 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR1
1711176  4 -rw-r----- 1 root root  2781 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR1.pub
1711171 16 -rw------- 1 root root 12717 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR2
1711174  4 -rw-r----- 1 root root  2781 Aug  8 18:21 id_rsa_key_SRVR3_To_SRVR2.pub
1711177 16 -rw------- 1 root root 12717 Aug  8 18:21 id_rsa_key_SRVR3
1705032  4 -rw------- 1 root root   399 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR2
1705033  4 -rw-r----- 1 root root    89 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR2.pub
1705030  4 -rw------- 1 root root   399 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR1
1705031  4 -rw-r----- 1 root root    89 Jul 25 00:30 id_ed25519_key_SRVR3_To_SRVR1.pub
 393228 12 -rw------- 1 root root 10103 Aug  2 18:06 authorized_keys
 393223  8 -rw------- 1 root root  4300 Jul 25 22:24 known_hosts

The SSH config and SSH host key-pair files in Server-3's /etc/ssh/ folder, with their permissions and ownership:

root@SRVR3:~# ls -aLAlist --color=auto /etc/ssh/
total 760
1704605   4 drwxr-xr-x  6 root root   4096 Aug 14 22:38 .
1703937   4 drwxr-xr-x 96 root root   4096 Aug 14 22:31 ..
1704958  20 -rw-r-----  1 root root  17775 Aug 14 19:10 sshd_config
1704606  36 -rw-r--r--  1 root root  33098 Aug  7 23:01 ssh_config
1704954   4 -rw-r-----  1 root root   2781 Jul 23 06:00 ssh_host_rsa_key_SRVR3.pub
1704927  16 -rw-------  1 root root  12717 Jul 23 06:00 ssh_host_rsa_key_SRVR3
1704291   4 -rw-------  1 root root    399 Jul 23 05:58 ssh_host_ed25519_key_SRVR3
1704920   4 -rw-r-----  1 root root     89 Jul 23 05:58 ssh_host_ed25519_key_SRVR3.pub
1704047   4 drwxr-x---  2 root root   4096 Jul 23 05:57 bak
1704625 552 -rw-r-----  1 root root 565189 Apr  8 03:13 moduli

Please help me find and fix the problem so that macOS/any SSH client can log in to the SSH server while nftables is enabled/on.

Edit: added the file permission + ownership listings for Server-3.

Answer 1

When the nftables firewall is in use together with large SSH keys, the whole SSH authentication process clearly takes more time, since SSH needs a bit longer to process and pass through the various components, and the time settings I had specified/configured were not sufficient.

When nftables is not enabled/on, an SSH connection from my older macOS machine to Server-3 usually takes about 10 seconds. (So when nftables is not loaded/running, the initial time settings of 20 or 18 seconds are sufficient.)
But once nftables is loaded and up/enabled on the SSH server, the older macOS machine (plus the server-side nftables network packet-filtering activity, etc.) needs an additional 15 to 20 seconds to complete the SSH authentication process.

The solution: increase the timeout/interval/alive-count values (ServerAliveInterval + ServerAliveCountMax and ClientAliveInterval + ClientAliveCountMax), or remove the timeout settings (use the defaults), as follows.

Remove/disable (or comment out) these lines in the ~/.ssh/config file on the macOS SSH client machine:

# ConnectTimeout 30
# ConnectTimeout 15
# ConnectTimeout 18
# ConnectionAttempts 1

I changed the following settings/lines in the ~/.ssh/config file.

From:

ServerAliveInterval 20
ServerAliveCountMax 1

The above settings keep the connection alive for only 20 x 1 = 20 seconds.

To:

ServerAliveInterval 18  
ServerAliveCountMax 2

The above settings keep the connection alive for 18 x 2 = 36 seconds.

I changed the following settings/lines in the /etc/ssh/sshd_config file on the Debian-10 server machine.

From:

ClientAliveInterval 30
ClientAliveCountMax 1

The above settings keep the connection alive for only 30 x 1 = 30 seconds.

To:

ClientAliveInterval 18
ClientAliveCountMax 2

The above settings keep the connection alive for 18 x 2 = 36 seconds.

Reference information from man ssh_config (on macOS):

ServerAliveCountMax
    Sets the number of server alive messages (see below) which may be
    sent without ssh(1) receiving any messages back from the server.
    If this threshold is reached while server alive messages are being
    sent, ssh will disconnect from the server, terminating the session.
    It is important to note that the use of server alive messages is
    very different from TCPKeepAlive (below).  The server alive messages
    are sent through the encrypted channel and therefore will not be
    spoofable.  The TCP keepalive option enabled by TCPKeepAlive is
    spoofable.  The server alive mechanism is valuable when the client
    or server depend on knowing when a connection has become inactive.

    The default value is 3.  If, for example, ServerAliveInterval (see
    below) is set to 15 and ServerAliveCountMax is left at the default,
    if the server becomes unresponsive, ssh will disconnect after
    approximately 45 seconds.

ServerAliveInterval
    Sets a timeout interval in seconds after which if no data has been
    received from the server, ssh(1) will send a message through the
    encrypted channel to request a response from the server.
    The default is 0, indicating that these messages will not be sent
    to the server.

ConnectionAttempts
    Specifies the number of tries (one per second) to make before exiting.
    The argument must be an integer.  This may be useful in scripts if
    the connection sometimes fails.  The default is 1.

ConnectTimeout
    Specifies the timeout (in seconds) used when connecting to the SSH
    server, instead of using the default system TCP timeout.  This value
    is used only when the target is down or really unreachable, not
    when it refuses the connection.

Reference information from man sshd_config (on Debian Server-3):

ClientAliveCountMax
    Sets the number of client alive messages which may be sent without
    sshd(8) receiving any messages back from the client.  If this threshold
    is reached while client alive messages are being sent, sshd will
    disconnect the client, terminating the session.  It is important to
    note that the use of client alive messages is very different from
    TCPKeepAlive.  The client alive messages are sent through the
    encrypted channel and therefore will not be spoofable.  The TCP
    keepalive option enabled by TCPKeepAlive is spoofable.
    The client alive mechanism is valuable when the client or server
    depend on knowing when a connection has become inactive.

    The default value is 3.  If ClientAliveInterval is set to 15, and
    ClientAliveCountMax is left at the default, unresponsive SSH clients
    will be disconnected after approximately 45 seconds.

ClientAliveInterval
    Sets a timeout interval in seconds after which if no data has been
    received from the client, sshd(8) will send a message through the
    encrypted channel to request a response from the client.  The default
    is 0, indicating that these messages will not be sent to the client.

With the settings mentioned in the paragraphs above modified, all SSH client machines can now connect to the SSH server even with nftables ON/enabled. Currently a connection over SSH takes about 35 to 45 seconds with the nftables firewall on/enabled.

I need to fine-tune these settings/time values further, because I want to be able to re-create another SSH tunnel (between the Debian SSH client and the Debian SSH server) within 20 to 40 seconds.
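As an added example (not code from the question or the answer), the script below parses ssh_config / sshd_config text and works out the interval x count deadline that the answer computes by hand, applying the defaults quoted from the man pages above and the OpenSSH rule that the first value obtained for an option wins (so a specific Host block must come before "Host *", as in the debug output above). The config samples are constructed; negated ("!") Host patterns are an assumption left unhandled.

```python
"""Effective OpenSSH keep-alive deadline calculator (added example).

Applies the documented defaults: an *AliveInterval of 0 means no probes are
sent, *AliveCountMax defaults to 3, and the peer is dropped after
interval x count seconds. Negated ("!") Host patterns are not handled.
"""
from fnmatch import fnmatch
from typing import Dict, Optional

DEFAULT_COUNT_MAX = 3  # documented default for Server/ClientAliveCountMax

# Constructed samples modelled on the change described in the answer:
# 18 x 2 = 36 s for SRVR3, the old 20 x 1 = 20 s kept for every other host.
CLIENT_CONFIG = """\
Host SRVR3_root_sshd
    HostName SRVR3.IPv4.ADRS
    Port 5022
    ServerAliveInterval 18
    ServerAliveCountMax 2

Host *
    ServerAliveInterval 20
    ServerAliveCountMax 1
"""

SERVER_CONFIG = """\
Port 5022
ClientAliveInterval 18
ClientAliveCountMax 2
Match User erik
    ClientAliveInterval 30
"""


def parse_options(config_text: str, host: Optional[str] = None) -> Dict[str, str]:
    """Return the effective option map (keys lower-cased).

    With host given, ssh_config Host blocks are matched with fnmatch and the
    first value obtained for an option wins, as ssh(1) does. With host=None
    (sshd_config) a Match block ends the unconditional section.
    """
    options: Dict[str, str] = {}
    active = True  # does the current block apply to this host?
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host is not None and any(fnmatch(host, p) for p in value.split())
            continue
        if key == "match":
            active = False  # conditional block; depends on the connecting client
            continue
        if active and key not in options:
            options[key] = value
    return options


def alive_deadline(options: Dict[str, str], side: str) -> Optional[int]:
    """Seconds after which an unresponsive peer is dropped, or None if disabled.

    side is "client" (ServerAlive* in ssh_config) or "server" (ClientAlive* in
    sshd_config). A key without an integer argument is rejected, like ssh does.
    """
    prefix = "serveralive" if side == "client" else "clientalive"
    interval_raw = options.get(prefix + "interval", "0")
    count_raw = options.get(prefix + "countmax", str(DEFAULT_COUNT_MAX))
    if not interval_raw.isdigit() or not count_raw.isdigit():
        raise ValueError(f"{prefix}interval/countmax need an integer argument")
    interval, count = int(interval_raw), int(count_raw)
    return None if interval == 0 else interval * count


def describe(config_text: str, side: str, host: Optional[str] = None) -> str:
    """One-line verdict for a config text, e.g. for a pre-deployment check."""
    try:
        deadline = alive_deadline(parse_options(config_text, host), side)
    except ValueError as exc:
        return f"invalid: {exc}"
    if deadline is None:
        return "keep-alive probes disabled (interval 0)"
    return f"unresponsive peer dropped after {deadline} s"
```

Run `describe(CLIENT_CONFIG, "client", "SRVR3_root_sshd")` to see the 36 s deadline for the specific host and `describe(CLIENT_CONFIG, "client", "other")` to see the 20 s fallback from "Host *".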