银河麒麟 SSH Vscode连接
SSH连接错误:
[20:04:32.376] Failed to set up socket for dynamic port forward to remote port 38671: Socket closed. TCP port forwarding may be disabled, or the remote server may have crashed. See the VS Code Server log above for details.
[20:04:32.376] Failed to set up socket for dynamic port forward to remote port 38671: Socket closed. TCP port forwarding may be disabled, or the remote server may have crashed. See the VS Code Server log above for details.
[20:04:32.401] > channel 3: open failed: administratively prohibited: open failed
> channel 4: open failed: administratively prohibited: open failed
[20:04:32.402] ERROR: TCP port forwarding appears to be disabled on the remote host. Ensure that the sshd_config has AllowTcpForwarding yes. Contact your system administrator if needed.
一、 检查 sshd_config 配置文件
sudo vi /etc/ssh/sshd_config
1. 以下参数正确设置,并且配置已生效。
AllowTcpForwarding yes # 启用端口转发
X11Forwarding yes
PermitTunnel yes
ListenAddress 0.0.0.0
# 让 SSH 同时监听端口 22 和 42717
Port 22
Port 42717
# PermitOpen none
请确保 PermitOpen 没有限制端口的开放:
你的配置文件中有 PermitOpen none,这会禁用所有端口的转发。
你可以尝试注释掉这行或修改为允许特定端口的转发。
2. 修改配置后,需要重启 SSH 服务,使更改生效:
sudo systemctl restart sshd
3. 全部代码为:
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 42717
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none
# no default banner path
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding yes
AllowTcpForwarding yes
# PermitTTY no
# ForceCommand cvs server
# PermitOpen none
二、检查防火墙设置
确保防火墙没有阻止端口转发。可以使用以下命令查看防火墙规则(以 firewalld 为例):
sudo firewall-cmd --list-all
如果防火墙阻止了 SSH 或特定端口的流量,你可以打开相应的端口,例
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
1. 添加端口转发规则
如果你需要将特定的端口转发到本地或其他端口,可以使用 --add-forward-port 添加端口转发。例如,如果你要将本地的某个端口转发到远程服务器的端口,可以按如下方式添加:
sudo firewall-cmd --add-forward-port=port=42717:proto=tcp:toport=42717 --permanent
sudo firewall-cmd --reload
这将转发本地端口 42717 到远程端口 42717。
2. 启用 masquerading (NAT)
如果你需要使用端口转发或 NAT,建议启用 masquerading(网络地址转换)。这对于某些类型的端口转发是必要的,尤其是当防火墙位于 NAT 路由器或具有多个网络接口的服务器时:
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
3. 确保防火墙允许其他必需端口
如果需要转发其他特定端口(如在 VS Code 中使用的端口),确保它们也被防火墙允许。例如,如果你需要 42717 端口在防火墙中开放,可以添加:
sudo firewall-cmd --add-port=42717/tcp --permanent
sudo firewall-cmd --reload
4. 检查防火墙规则是否生效
更改配置后,使用以下命令检查防火墙的当前规则是否正确:
sudo firewall-cmd --list-all
总结
根据当前的防火墙配置,ssh 端口(22/tcp)是开放的,但是没有设置端口转发和 masquerading。如果你需要进行端口转发,务必添加相关规则并启用 masquerading,然后重新加载防火墙配置。
确保 AllowTcpForwarding 被启用: 如果防火墙是启用的,可以通过 firewall-cmd 来允许端口 42717 的转发。
例如,启用端口转发:
sudo firewall-cmd --zone=public --add-port=42717/tcp --permanent
sudo firewall-cmd --reload
检查端口转发规则是否生效: 使用 ss 或 netstat 确认服务器是否正确监听了所需的端口。
sudo ss -tuln | grep 42717
检查防火墙是否有特殊限制: 确认是否有 rich rules 或其他更细粒度的限制,阻止了端口转发。你可以使用以下命令查看详细的 rich rules 配置:
sudo firewall-cmd --list-rich-rules