SSH连接调试：逐行解读SSH -vvv的输出信息

引言

SSH是我们在远程连接服务器时经常使用的协议。ssh -vvv命令能提供大量的调试信息，帮助我们理解SSH连接过程中到底发生了什么。但是，这些信息常常让人感到困惑。在这篇博文中，我们将一步一步地解读ssh -vvv输出的日志信息。

示例信息：

 ssh -vvv user@10.0.0.1
OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host 10.0.0.1 originally 10.0.0.1
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 10.0.0.1 is address
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host 10.0.0.1 originally 10.0.0.1
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: ssh_connect_direct
debug1: Connecting to 10.0.0.1 [10.0.0.1] port 22.  

逐行解读

1. SSH和OpenSSL版本

OpenSSH_8.2p1, OpenSSL 1.1.1f 31 Mar 2020

这一行告诉我们SSH客户端使用的是OpenSSH的8.2p1版本，以及使用的OpenSSL版本为1.1.1f。

2. 读取配置文件

debug1: Reading configuration data /etc/ssh/ssh_config

SSH客户端开始读取/etc/ssh/ssh_config这个配置文件。

3. 包含其他配置文件

debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0

这行表示在ssh_config文件的第51行，包含了另一个配置文件/etc/ssh/ssh_config.d/05-redhat.conf。

4. 检查主机匹配

debug2: checking match for 'final all' host 10.76.77.100 originally 10.76.77.100 debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final' debug2: match not found

这几行在检查主机匹配规则。这里没有找到匹配的规则。

5. 读取加密策略

debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only) debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config

这里开始读取/etc/crypto-policies/back-ends/openssh.config，这通常是用来定义系统级别的加密策略。

6.Generic Security Service Application Program Interface

debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]

GSSAPI（Generic Security Service Application Program Interface）是一个用于各种安全服务的API，包括身份验证和加密。SSH可以通过GSSAPI来进行身份验证。

KEX（Key EXchange，密钥交换）密钥交换是SSH连接设置过程中的一个重要步骤。在这个阶段，客户端和服务器会协商并生成一个共享密钥，用于之后的加密通信。

7. 密钥交换算法

debug3: kex names ok: [curve25519-sha256@libssh.org,...,diffie-hellman-group1-sha1]

显示客户端支持哪些密钥交换算法。

8. 实际连接

debug2: ssh_connect_direct debug1: Connecting to 10.76.77.100 [10.76.77.100] port 22.

这里实际开始尝试连接到服务器10.76.77.100的22端口。

总结

使用ssh -vvv调试SSH连接不仅可以让我们了解SSH连接的内部机制，还能在排查问题时提供有价值的信息。希望通过本文的逐行解读，你能更好地理解SSH连接中的各个环节。

这样的信息对于了解SSH的连接机制和故障排查都是非常有用的。希望这篇文章能让你更好地理解SSH连接背后的细节。