I want to have the xinetd service manage sshd on a CentOS 7 virtual machine. The preparation is already done (xinetd is installed and started successfully, and the sshd service is temporarily stopped).
[root:lk ~]# systemctl status xinetd
xinetd.service - Xinetd A Powerful Replacement For Inetd
Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
Active: active (running) since 一 2022-03-07 22:29:17 CST; 5s ago
Process: 5061 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 5063 (xinetd)
Tasks: 1
CGroup: /system.slice/xinetd.service
└─5063 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid
3月 07 22:29:17 lk xinetd[5063]: removing discard
3月 07 22:29:17 lk xinetd[5063]: removing discard
3月 07 22:29:17 lk xinetd[5063]: removing echo
3月 07 22:29:17 lk xinetd[5063]: removing echo
3月 07 22:29:17 lk xinetd[5063]: removing http
3月 07 22:29:17 lk xinetd[5063]: removing tcpmux
3月 07 22:29:17 lk xinetd[5063]: removing time
3月 07 22:29:17 lk xinetd[5063]: removing time
3月 07 22:29:17 lk xinetd[5063]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
3月 07 22:29:17 lk xinetd[5063]: Started working: 1 available service
Now I start configuring ssh to be managed by xinetd:
[root:lk ~]# vim /etc/xinetd.d/ssh
service ssh
{
disable = no
log_on_failure += USERID
socket_type = stream
server_args = --daemon
cps = 25 30
protocol = tcp
wait = no
user = root
server = /usr/sbin/sshd
server_args = -i
}
After the configuration I restart the xinetd service; checking with both lsof and netstat, the process on port 22 has changed from sshd to xinetd.
[root:lk ~]# lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 4351 root 5u IPv6 61399 0t0 TCP *:ssh (LISTEN)
[root:lk ~]# netstat -tunlp | grep 22
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2086/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 4351/xinetd
udp 0 0 192.168.122.1:53 0.0.0.0:* 2086/dnsmasq
It looks like the hand-over succeeded, but whether I use PuTTY on the Windows host or another CentOS virtual machine, connecting to this machine via ssh reports a connection failure.
[ljr@ljr ~]$ ssh root@192.168.0.8
ssh_exchange_identification: read: Connection reset by peer
I tried monitoring the packets with tcpdump (the server IP is 192.168.0.8, the client is 192.168.0.12):
[root:lk ~]# tcpdump -i any 'net 192.168.0.8' -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:41:53.307817 IP 192.168.0.8.52300 > 103.46.128.21.6061: UDP, length 49
22:42:03.311605 IP 192.168.0.8.52300 > 103.46.128.21.6061: UDP, length 49
22:42:09.512261 IP 192.168.0.12.40490 > 192.168.0.8.22: Flags [S], seq 1824343999, win 29200, options [mss 1460,sackOK,TS val 715201 ecr 0,nop,wscale 7], length 0
22:42:09.512326 IP 192.168.0.8.22 > 192.168.0.12.40490: Flags [S.], seq 3806321350, ack 1824344000, win 28960, options [mss 1460,sackOK,TS val 3279051 ecr 715201,nop,wscale 7], length 0
22:42:09.512529 IP 192.168.0.12.40490 > 192.168.0.8.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 715202 ecr 3279051], length 0
22:42:09.513146 IP 192.168.0.12.40490 > 192.168.0.8.22: Flags [P.], seq 1:22, ack 1, win 229, options [nop,nop,TS val 715202 ecr 3279051], length 21
22:42:09.513171 IP 192.168.0.8.22 > 192.168.0.12.40490: Flags [.], ack 22, win 227, options [nop,nop,TS val 3279052 ecr 715202], length 0
22:42:09.635092 IP 192.168.0.8.22 > 192.168.0.12.40490: Flags [P.], seq 1:22, ack 22, win 227, options [nop,nop,TS val 3279172 ecr 715202], length 21
22:42:09.635422 IP 192.168.0.12.40490 > 192.168.0.8.22: Flags [.], ack 22, win 229, options [nop,nop,TS val 715325 ecr 3279172], length 0
22:42:09.635447 IP 192.168.0.8.22 > 192.168.0.12.40490: Flags [P.], seq 22:263, ack 22, win 227, options [nop,nop,TS val 3279174 ecr 715325], length 241
22:42:09.635585 IP 192.168.0.12.40490 > 192.168.0.8.22: Flags [.], ack 263, win 237, options [nop,nop,TS val 715325 ecr 3279174], length 0
22:42:09.635897 IP 192.168.0.8.22 > 192.168.0.12.40490: Flags [R.], seq 263, ack 22, win 227, options [nop,nop,TS val 3279174 ecr 715325], length 0
22:42:11.064094 IP 192.168.0.12.619 > 192.168.0.8.1011: UDP, length 52
22:42:11.064304 IP 192.168.0.8.1011 > 192.168.0.12.619: UDP, length 28
22:42:13.314268 IP 192.168.0.8.52300 > 103.46.128.21.6061: UDP, length 49
22:42:14.462993 IP 121.40.190.194.6061 > 192.168.0.8.52624: Flags [P.], seq 3461462706:3461462758, ack 2249659564, win 29200, length 52
22:42:14.463572 IP 192.168.0.8.52624 > 121.40.190.194.6061: Flags [P.], seq 1:33, ack 52, win 30016, length 32
22:42:14.490735 IP 121.40.190.194.6061 > 192.168.0.8.52624: Flags [.], ack 33, win 29200, length 0
22:42:14.588564 IP 103.46.128.21.6061 > 192.168.0.8.53536: Flags [P.], seq 4258884867:4258884919, ack 661918797, win 107, options [nop,nop,TS val 2782137010 ecr 3224128], length 52
22:42:14.588801 IP 192.168.0.8.53536 > 103.46.128.21.6061: Flags [P.], seq 1:33, ack 52, win 245, options [nop,nop,TS val 3284127 ecr 2782137010], length 32
22:42:14.630890 IP 103.46.128.21.6061 > 192.168.0.8.53536: Flags [.], ack 33, win 107, options [nop,nop,TS val 2782137052 ecr 3284127], length 0
22:42:18.450070 IP 192.168.0.1.63664 > 192.168.0.8.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
22:42:18.450984 IP 192.168.0.8.137 > 192.168.0.1.63664: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
22:42:23.317328 IP 192.168.0.8.52300 > 103.46.128.21.6061: UDP, length 49
22:42:23.458190 ARP, Request who-has 192.168.0.8 tell 192.168.0.1, length 46
22:42:23.458223 ARP, Reply 192.168.0.8 is-at 00:0c:29:68:33:1a, length 28
22:42:26.303393 IP 192.168.0.105.62840 > 192.168.0.8.22: Flags [P.], seq 1153383338:1153383374, ack 3773449230, win 8208, length 36
22:42:26.303527 IP 192.168.0.8.22 > 192.168.0.105.62840: Flags [.], ack 36, win 266, length 0
22:42:31.067121 IP 192.168.0.12.620 > 192.168.0.8.1011: UDP, length 52
22:42:31.067503 IP 192.168.0.8.1011 > 192.168.0.12.620: UDP, length 28
22:42:31.113435 ARP, Request who-has 192.168.0.8 (00:0c:29:68:33:1a) tell 192.168.0.105, length 46
22:42:31.113465 ARP, Reply 192.168.0.8 is-at 00:0c:29:68:33:1a, length 28
22:42:33.321221 IP 192.168.0.8.52300 > 103.46.128.21.6061: UDP, length 49
^C
33 packets captured
48 packets received by filter
0 packets dropped by kernel
I also looked at the logs and did not find anything obviously abnormal:
Mar 7 21:56:14 lk systemd: Stopping OpenSSH server daemon...
Mar 7 21:56:14 lk systemd: Stopped OpenSSH server daemon.
Mar 7 21:57:19 lk systemd: Stopping Xinetd A Powerful Replacement For Inetd...
Mar 7 21:57:19 lk xinetd[1371]: unexpected signal: 18 (Continued) in signal pipe
Mar 7 21:57:19 lk xinetd[1371]: Exiting...
Mar 7 21:57:19 lk systemd: Stopped Xinetd A Powerful Replacement For Inetd.
Mar 7 21:57:19 lk systemd: Starting Xinetd A Powerful Replacement For Inetd...
Mar 7 21:57:19 lk systemd: Can't open PID file /var/run/xinetd.pid (yet?) after start: No such file or directory
Mar 7 21:57:20 lk systemd: Started Xinetd A Powerful Replacement For Inetd.
Mar 7 21:57:20 lk xinetd[4351]: Service http: attribute already set: server_args [file=/etc/xinetd.d/http] [line=11]
Mar 7 21:57:20 lk xinetd[4351]: Service ssh: attribute already set: server_args [file=/etc/xinetd.d/ssh] [line=11]
Mar 7 21:57:20 lk xinetd[4351]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Mar 7 21:57:20 lk xinetd[4351]: Started working: 1 available service
I have studied this for a long time and cannot see where the problem is. I urgently need experienced people to help analyse the cause. Many thanks!
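Added example (editor's note, not part of the original post and not xinetd's own code): the log quoted above contains the line "Service ssh: attribute already set: server_args [file=/etc/xinetd.d/ssh] [line=11]", and the quoted /etc/xinetd.d/ssh does assign server_args twice (--daemon and then -i; -i is sshd's inetd-mode flag). Which of the two values xinetd keeps is not something a service file should depend on, so the small checker below parses an xinetd service block (attributes with =, += and -=) and reports every attribute assigned with plain = more than once in the same service, the same condition xinetd warns about. The SAMPLE_SSH_CONF string is a constructed copy of the block from the post; reading a real file via the command line is an assumed convenience for the reader.

```python
import re
import sys
from collections import defaultdict

# Constructed copy of the /etc/xinetd.d/ssh block shown in the post
# (not read from a live system).
SAMPLE_SSH_CONF = """\
service ssh
{
disable = no
log_on_failure += USERID
socket_type = stream
server_args = --daemon
cps = 25 30
protocol = tcp
wait = no
user = root
server = /usr/sbin/sshd
server_args = -i
}
"""

# name op value, where op is one of =, += or -= (xinetd's three assignment forms)
ATTR_RE = re.compile(r'^\s*([A-Za-z_]+)\s*(\+=|-=|=)\s*(.*?)\s*$')
SERVICE_RE = re.compile(r'^\s*service\s+(\S+)\s*$')


def parse_xinetd_conf(text):
    """Parse xinetd service blocks into
    {service_name: [(lineno, attribute, op, value), ...]}.
    '#' comments and blank lines are ignored; lines outside a block
    that are not 'service <name>' raise ValueError."""
    services = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services.setdefault(current, [])
            continue
        stripped = line.strip()
        if stripped == '{':
            continue
        if stripped == '}':
            current = None
            continue
        m = ATTR_RE.match(line)
        if m is None or current is None:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        services[current].append((lineno, m.group(1), m.group(2), m.group(3)))
    return services


def find_duplicate_assignments(services):
    """Return [(service, attribute, [(lineno, value), ...])] for every
    attribute set with plain '=' more than once inside one service block.
    '+=' and '-=' are cumulative operators and are deliberately exempt."""
    findings = []
    for svc, attrs in services.items():
        seen = defaultdict(list)
        for lineno, name, op, value in attrs:
            if op == '=':
                seen[name].append((lineno, value))
        for name, uses in seen.items():
            if len(uses) > 1:
                findings.append((svc, name, uses))
    return findings


def lint(text):
    """Human-readable report lines, one per duplicate attribute."""
    report = []
    for svc, name, uses in find_duplicate_assignments(parse_xinetd_conf(text)):
        where = ", ".join("line %d: %r" % (ln, val) for ln, val in uses)
        report.append("service %s: attribute %s assigned %d times (%s)"
                      % (svc, name, len(uses), where))
    return report


if __name__ == "__main__":
    # Usage: python xinetd_lint.py [/etc/xinetd.d/ssh]; with no argument the
    # constructed sample from the post is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSH_CONF
    for line in lint(text):
        print(line)
```

On the sample block the checker reports server_args assigned twice ('--daemon' and '-i'); after the duplicate is removed it reports nothing, and the service file no longer relies on xinetd's handling of a repeated attribute.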