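1 Problem

In an OpenStack environment, a virtual machine was created and assigned the floating IP 192.168.50.61. However, it is not possible to ssh into the VM from the Ubuntu 14.04 server 192.168.50.5: SSH xxx@ip gives no response and no error, although the peer can be pinged and telnet to its port 22 also succeeds.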


Using ssh -vv to see where it hangs, the error appears:

root@node5:~# ssh -vv ubuntu@192.168.50.61
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.50.61 [192.168.50.61] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
...
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY


After that it hangs indefinitely.

2 Solution

The cause turned out to be that the MTU on server 192.168.50.5 is set too large: http://www.snailbook.com/faq/mtu-mismatch.auto.html

Change the network interface MTU to solve it. This is a bug for ubuntu 14.04.
This worked for me:

sudo ip li set mtu 1200 dev wlan0
Or:
sudo ifconfig wlan0 mtu 1200
Reference: https://superuser.com/questions/568891/ssh-works-in-putty-but-not-terminal

Check the local machine:

root@node5:~# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether ac:16:2d:0b:a8:9b brd ff:ff:ff:ff:ff:ff

After changing the NIC's MTU, the problem was solved.

root@node5:~# ip li set mtu 1200 dev p5p1
root@node5:~# ssh ubuntu@192.168.50.61
ubuntu@192.168.50.61's password: 
root@node5:~# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1200 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether ac:16:2d:0b:a8:9b brd ff:ff:ff:ff:ff:ff


3 Other methods

3.1 echo "1200" > /sys/class/net/eth0/mtu

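Symptom: the hosts can reach each other normally and the peer's ssh port can be confirmed open, but when connecting with ssh xxx.xxx.xxx.xxx -v the client hangs at the step debug1: SSH2_MSG_KEXINIT sent

Solution: echo "1200" > /sys/class/net/eth0/mtu

Cause: for details see http://techbackground.blogspot.com/2013/06/path-mtu-discovery-and-gre.html. In brief, the IPv4 header and the GRE header have different structures, so the maximum payload of a GRE packet is only 1454; if the default MTU is 1500, 46 bytes of content cannot be handled, which causes the error.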
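
Before lowering an interface MTU to a guessed value such as 1200, the usable path MTU can be measured. The following is an added example, not code from the original post or the linked pages: it binary-searches the largest IPv4 packet that reaches a host with the Don't Fragment bit set. It assumes Linux iputils ping; the function names probe and path_mtu are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): measure the path MTU to a host.
# Assumes Linux iputils ping (-M do sets the Don't Fragment bit).

# probe PAYLOAD HOST: succeeds if one DF-flagged ICMP echo carrying
# PAYLOAD bytes of data is answered within 1 second.
probe() {
    ping -c 1 -W 1 -M do -s "$1" "$2" >/dev/null 2>&1
}

# path_mtu HOST [LOW] [HIGH]: print the largest IPv4 packet size in
# [LOW, HIGH] that crosses the path unfragmented; print 0 and return 1
# if even LOW does not get through.
path_mtu() {
    local host lo hi mid
    host=$1
    lo=${2:-576}
    hi=${3:-1500}
    # 28 = 20-byte IPv4 header + 8-byte ICMP header around the payload.
    probe $((lo - 28)) "$host" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop terminates
        if probe $((mid - 28)) "$host"; then
            lo=$mid                        # mid fits: search upward
        else
            hi=$((mid - 1))                # mid is dropped: search downward
        fi
    done
    echo "$lo"
}

# Run only when a host is passed on the command line, for example:
#   sh path_mtu.sh 192.168.50.61
if [ -n "${1:-}" ]; then
    path_mtu "$1"
fi
```

A result below the local interface MTU (1500 on p5p1 above) matches the symptom on this page: small packets such as ping and the TCP handshake pass, while the larger key exchange reply is dropped.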


3.2 Modify /etc/ssh/ssh_config

The solution was found here: SSH works in putty but not terminal

In Ubuntu 13.10/12.10, log in and gain sudo access.

Edit /etc/ssh/ssh_config, uncomment the following lines

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Add the following line

HostKeyAlgorithms ssh-rsa,ssh-dss

You should end up with your /etc/ssh/ssh_config file looking like this

Host *
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
HostKeyAlgorithms ssh-rsa,ssh-dss

Now run ssh -T -v git@github.com and it will ask you to add the server to your known hosts file. Hit yes, and then it should welcome you to the server.


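3.3 Modify kernel parameters

SSH xxx@ip gives no response and no error.
The peer can be pinged, and telnet to its port 22 also works.
From Windows on the LAN, PuTTY can connect to the remote host.
Really strange.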

uncoffee@suncoffee:~$ ssh -v IP
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to IP [IP] port 22.
debug1: Connection established.
debug1: identity file /home/suncoffee/.ssh/id_rsa type -1
debug1: identity file /home/suncoffee/.ssh/id_rsa-cert type -1
debug1: identity file /home/suncoffee/.ssh/id_dsa type -1
debug1: identity file /home/suncoffee/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent

It stops here with no response.

Solution: modify the kernel parameter
net.ipv4.tcp_rmem = 4096 87380 207520

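4 How to modify kernel parameters

View the current system parameters:
sysctl -a

Manual change (effective immediately, lost after reboot):
joy@joy:~$ cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0
joy@joy:~$ echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Change by command (effective immediately, lost after reboot):
sysctl -w net.ipv4.icmp_echo_ignore_all=1
(The parameter name is the file path with /proc/sys/ removed and "/" replaced by ".")

Change in the configuration file (not effective immediately, permanent after reboot):
vim /etc/sysctl.conf and add net.ipv4.icmp_echo_ignore_all=1

To make the change take effect immediately:
sysctl -p

Parameter migration:
1. Export all settings of the current host: sysctl -a > mysys.conf
2. Copy the file to the other host and run: sysctl -p -f mysys.conf
3. If performance differs greatly between the two sets of parameters, compare the two parameter files.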








