当前位置: 首页 > article >正文

银河麒麟 SSH Vscode连接

SSH连接错误:

[20:04:32.376] Failed to set up socket for dynamic port forward to remote port 38671: Socket closed. TCP port forwarding may be disabled, or the remote server may have crashed. See the VS Code Server log above for details.
[20:04:32.376] Failed to set up socket for dynamic port forward to remote port 38671: Socket closed. TCP port forwarding may be disabled, or the remote server may have crashed. See the VS Code Server log above for details.
[20:04:32.401] > channel 3: open failed: administratively prohibited: open failed
> channel 4: open failed: administratively prohibited: open failed
[20:04:32.402] ERROR: TCP port forwarding appears to be disabled on the remote host. Ensure that the sshd_config has AllowTcpForwarding yes. Contact your system administrator if needed.

一、 检查 sshd_config 配置文件

sudo vi /etc/ssh/sshd_config
1. 以下参数正确设置,并且配置已生效。
AllowTcpForwarding yes # 启用端口转发
X11Forwarding yes
PermitTunnel yes
ListenAddress 0.0.0.0
# 让 SSH 同时监听端口 22 和 42717
Port 22
Port 42717
# PermitOpen none
请确保 PermitOpen 没有限制端口的开放:
你的配置文件中有 PermitOpen none,这会禁用所有端口的转发。
你可以尝试注释掉这行或修改为允许特定端口的转发。
2. 修改配置后,需要重启 SSH 服务,使更改生效:
sudo systemctl restart sshd
3. 全部代码为:
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 22
Port 42717
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none

# no default banner path
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding yes
AllowTcpForwarding yes
#	PermitTTY no
#	ForceCommand cvs server
# PermitOpen none

二、检查防火墙设置

确保防火墙没有阻止端口转发。可以使用以下命令查看防火墙规则(以 firewalld 为例):

sudo firewall-cmd --list-all

如果防火墙阻止了 SSH 或特定端口的流量,你可以打开相应的端口,例

sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
1. 添加端口转发规则

如果你需要将特定的端口转发到本地或其他端口,可以使用 --add-forward-port 添加端口转发。例如,如果你要将本地的某个端口转发到远程服务器的端口,可以按如下方式添加:

sudo firewall-cmd --add-forward-port=port=42717:proto=tcp:toport=42717 --permanent
sudo firewall-cmd --reload

这将转发本地端口 42717 到远程端口 42717。

2. 启用 masquerading (NAT)

如果你需要使用端口转发或 NAT,建议启用 masquerading(网络地址转换)。这对于某些类型的端口转发是必要的,尤其是当防火墙位于 NAT 路由器或具有多个网络接口的服务器时:

sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
3. 确保防火墙允许其他必需端口

如果需要转发其他特定端口(如在 VS Code 中使用的端口),确保它们也被防火墙允许。例如,如果你需要 42717 端口在防火墙中开放,可以添加:

sudo firewall-cmd --add-port=42717/tcp --permanent
sudo firewall-cmd --reload
4. 检查防火墙规则是否生效

更改配置后,使用以下命令检查防火墙的当前规则是否正确:

sudo firewall-cmd --list-all

总结
根据当前的防火墙配置,ssh 端口(22/tcp)是开放的,但是没有设置端口转发和 masquerading。如果你需要进行端口转发,务必添加相关规则并启用 masquerading,然后重新加载防火墙配置。

确保 AllowTcpForwarding 被启用: 如果防火墙是启用的,可以通过 firewall-cmd 来允许端口 42717 的转发。

例如,启用端口转发:

sudo firewall-cmd --zone=public --add-port=42717/tcp --permanent
sudo firewall-cmd --reload

检查端口转发规则是否生效: 使用 ss 或 netstat 确认服务器是否正确监听了所需的端口。

sudo ss -tuln | grep 42717

检查防火墙是否有特殊限制: 确认是否有 rich rules 或其他更细粒度的限制,阻止了端口转发。你可以使用以下命令查看详细的 rich rules 配置:

sudo firewall-cmd --list-rich-rules

http://www.kler.cn/a/449009.html

相关文章:

  • BERT模型入门(1)BERT的基本概念
  • ctfshow web入门文件上传总结
  • 贪心算法 part01
  • javaEE-线程的常用方法-4
  • java全栈day20--Web后端实战(Mybatis基础2)
  • 基于 uniapp 开发 android 播放 webrtc 流
  • C++简明教程(文章要求学过一点C语言)(2)
  • 【网络云计算】2024第52周-每日【2024/12/23】小测-理论实操
  • 【一文了解】C#重点-委托1
  • Linux下Java通过JNI调用C++
  • NodeMCU驱动28BYJ-48型步进电机(Arduino)
  • Golang中的Goroutine调度策略
  • 爬虫自动化(DrissionPage)
  • [机器学习]XGBoost(3)——确定树的结构
  • python实现Excel转图片
  • Flutter Visibility控件详解
  • 天锐绿盾加密软件与Ping32两款企业防泄密软件对比:分析文件防止泄露解决方案
  • Qt获取本地计算的CPU温度
  • AI在生活各处的利与弊
  • 青少年编程与数学 02-004 Go语言Web编程 17课题、静态文件
  • STM32完全学习——SPI接口的FLASH(DMA模式)
  • 使用GPT进行SCI论文润色常用语句
  • 【医学分割】跨尺度全局状态建模和频率边界指导的分割架构
  • APDL实体模式个性化画网格
  • (15)CT137A- 按键消抖设计
  • Linux Shell 脚本编程基础