# Symptom

  • When connecting to a server over SSH2 (port 22) with SecureCRT for the first time, the password prompt did not appear as expected; instead the connection was dropped automatically. The symptom is shown in the figure:
    [Figure: SecureCRT]

# Locating the problem

  • The SecureCRT trace log of the connection attempt (File -> Trace Options) reads as follows:

```text
SecureCRT - Version 5.1.0 (build 263)
[本地]:SSH2Core version 4.1.0.254
[本地]:Connecting to ip地址:22 ...
[本地]:Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT.
[本地]:Using protocol SSH2
[本地]:RECV : Remote Identifier = "SSH-2.0-OpenSSH_8.0"
[本地]:CAP  : Remote can re-key
[本地]:CAP  : Remote sends language in password change requests
[本地]:CAP  : Remote sends algorithm name in PK_OK packets
[本地]:CAP  : Remote sends algorithm name in public key packets
[本地]:CAP  : Remote sends algorithm name in signatures
[本地]:CAP  : Remote sends error text in open failure packets
[本地]:CAP  : Remote sends name in service accept packets
[本地]:CAP  : Remote includes port number in x11 open packets
[本地]:CAP  : Remote uses 160 bit keys for SHA1 MAC
[本地]:CAP  : Remote supports new diffie-hellman group exchange messages
[本地]:CAP  : Remote correctly handles unknown SFTP extensions
[本地]:CAP  : Remote correctly sends UTF8 where UTF8 is specified
[本地]:CAP  : Remote correctly encodes OID for gssapi
[本地]:CAP  : Remote correctly uses connected addresses in forwarded-tcpip requests
[本地]:CAP  : Remote is IETF-DRAFT compliant
[本地]:CAP  : Remote VShell can do SFTP version 4
[本地]:CAP  : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[本地]:SEND : KEXINIT
[本地]:RECV : Read kexinit
[本地]:Available Remote Kex Methods = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
[本地]:Selected Kex Method = diffie-hellman-group-exchange-sha1
[本地]:Available Remote Host Key Algos = rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
[本地]:Selected Host Key Algo = ssh-rsa
[本地]:Available Remote Send Ciphers = aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
[本地]:Selected Send Cipher = aes256-cbc
[本地]:Available Remote Recv Ciphers = aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
[本地]:Selected Recv Cipher = aes256-cbc
[本地]:Available Remote Send Macs = hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
[本地]:Selected Send Mac = hmac-sha1
[本地]:Available Remote Recv Macs = hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
[本地]:Selected Recv Mac = hmac-sha1
[本地]:Available Remote Compressors = none,zlib@openssh.com
[本地]:Selected Compressor = none
[本地]:Available Remote Decompressors = none,zlib@openssh.com
[本地]:Selected Decompressor = none
[本地]:Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE.
[本地]:SEND : KEXDH_GEX_REQUEST
[本地]:RECV: TCP/IP close
[本地]:Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED.
[本地]:Connected for 0 seconds, 503 bytes sent, 2138 bytes received
```
  • The abnormal lines are:

```text
[本地]:Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE.
[本地]:SEND : KEXDH_GEX_REQUEST
[本地]:RECV: TCP/IP close
```

Analysis of the abnormal lines:

  • The connection state changes from waiting for the key exchange init (STATE_EXPECT_KEX_INIT) to key exchange (STATE_KEY_EXCHANGE).
  • The client sends the group exchange request (KEXDH_GEX_REQUEST).
  • The next thing received is the TCP connection being closed (TCP/IP close).
  • Conclusion: the server closed the TCP connection during key exchange.
  • So we look further at the key-exchange related log lines:
```text
[本地]:SEND : KEXINIT
[本地]:RECV : Read kexinit
[本地]:Available Remote Kex Methods = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
[本地]:Selected Kex Method = diffie-hellman-group-exchange-sha1
```
  • The log shows that the server offered several key exchange algorithms, and that SecureCRT selected diffie-hellman-group-exchange-sha1 for the connection.
  • The key exchange algorithms that can be enabled in the session options:
    [Figure: key exchange algorithms]
  • The diffie-hellman-group-exchange algorithm selected at connect time is not among the enabled ones.

# Attempted fix

  • Set the key exchange algorithm to diffie-hellman-group14, which appears in both the server's offered list and the local list of available algorithms; after reconnecting, the connection succeeded.
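As an added illustration of the two steps above (reading the KEX lines of the trace and picking an algorithm that both sides support), here is a Python script that is not part of the original post: it parses a trace excerpt in the same format as the log, applies the RFC 4253 negotiation rule (the first algorithm in the client's list that the server also offers), and reports whether the algorithm the client selected was actually enabled on the client. The trace excerpt and the client algorithm list `CLIENT_KEX_PREFS` are constructed for the example.

```python
import re

# Constructed excerpt in the format of the SecureCRT trace log above (server list shortened).
TRACE_LOG = """\
[本地]:SEND : KEXINIT
[本地]:RECV : Read kexinit
[本地]:Available Remote Kex Methods = curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
[本地]:Selected Kex Method = diffie-hellman-group-exchange-sha1
[本地]:Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE.
[本地]:SEND : KEXDH_GEX_REQUEST
[本地]:RECV: TCP/IP close
[本地]:Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED.
"""
# Hypothetical KEX list enabled in the client's session options, in preference order.
CLIENT_KEX_PREFS = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]

def parse_kex_trace(log):
    """Return (server_offered, client_selected, aborted) from a SecureCRT-style trace log."""
    offered = re.search(r"Available Remote Kex Methods = (\S+)", log)
    selected = re.search(r"Selected Kex Method = (\S+)", log)
    # The KEY_EXCHANGE -> CLOSED state change is the log's own signal that the peer dropped the TCP connection mid-KEX.
    aborted = "STATE_KEY_EXCHANGE to STATE_CLOSED" in log
    return (offered.group(1).split(",") if offered else [],
            selected.group(1) if selected else None,
            aborted)

def negotiate_kex(client_prefs, server_offered):
    """RFC 4253 section 7.1: the first algorithm in the client's list that the server also offers."""
    for alg in client_prefs:
        if alg in server_offered:
            return alg
    return None  # no common algorithm: no SSH connection is possible at all

def diagnose(log, client_prefs):
    """Compare what the trace shows with what the client configuration actually allows."""
    offered, selected, aborted = parse_kex_trace(log)
    common = [alg for alg in client_prefs if alg in offered]
    return {
        "selected": selected,
        "selected_enabled_on_client": selected in client_prefs,
        "key_exchange_aborted": aborted,
        "common": common,
        "recommended": negotiate_kex(client_prefs, offered),
        "legacy_sha1": [alg for alg in common if alg.endswith("-sha1")],  # works, but a reason to upgrade the client
    }

if __name__ == "__main__":
    for key, value in diagnose(TRACE_LOG, CLIENT_KEX_PREFS).items():
        print(f"{key}: {value}")
```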

# Summary

  • No key exchange algorithm matching the server was selected at connect time, so the connection was terminated early.