Shadowsocksx-ng: 操作系统升级 10.13.2 后,全局模式下 ssh 到任何地方都闪断,PAC 自动模式下正常

Created on 8 Dec 2017  ·  7Comments  ·  Source: shadowsocks/ShadowsocksX-NG

System and Shadowsocksx-NG version:

  • macOS 10.13.2
  • Shadowsocksx-NG 1.5, 1.6, 1.7

Expected behavior:
ssh to any server should work

Actual behavior:
In global mode
ssh -vvv server shows these:

OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/name/.ssh/config
debug1: /Users/name/.ssh/config line 6: Applying options for server
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to server port 1999.
debug1: Connection established.
debug1: identity file /Users/name/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/name/.ssh/id_rsa-cert type -1
debug1: identity file /Users/name/.ssh/id_dsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/name/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/name/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/name/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/name/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/name/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
ssh_exchange_identification: Connection closed by remote host

With PAC auto mode, or ShadowsocksX-NG off, ssh works fine.

Steps to reproduce:
Turn on ShadowsocksX-NG with global mode
then ssh to any site

How often does this happen?
Always

ss-local.log
2017-12-08 10:50:32 INFO: initializing ciphers... aes-256-cfb
2017-12-08 10:50:32 INFO: tcp port reuse enabled
2017-12-08 10:50:32 INFO: listening at 127.0.0.1:1086
2017-12-08 10:50:36 INFO: connect to server:1999

Application log

Most helpful comment

Me too, but with any ssh client, including on the server itself. This looks like another macOS authentication bug. Please post a bug report to Apple.

I saw this issue after upgrading to 10.13.2. I tracked down the problem to my own incompatible MAC algorithms specified in /etc/ss/sshd_config and /etc/ss/ssh_config. Specifically, the ripemd160 algorithms have been removed.

View available MACs with the command:

ssh -Q mac

All 7 comments

Me too, but with any ssh client, including on the server itself. This looks like another macOS authentication bug. Please post a bug report to Apple.

I saw this issue after upgrading to 10.13.2. I tracked down the problem to my own incompatible MAC algorithms specified in /etc/ss/sshd_config and /etc/ss/ssh_config. Specifically, the ripemd160 algorithms have been removed.

View available MACs with the command:

ssh -Q mac

My ssh -Q mac shows these:

hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Any suggestion on how to change /etc/ssh/ssh*_config files?

Any update on this issue?

Edit: 说错了,才看到你的log里已经有了

debug1: Connection established.

因此不是不可达的问题了。建议放一下server端sshd的log


10.13.2的OpenSSH似乎会自动读取系统的代理配置,而不像以前需要手动设置ssh代理参数。于是PAC模式下,OpenSSH不会尝试使用PAC;全局代理模式下,OpenSSH使用了系统全局代理。
我自己使用中,只要一打开全局代理,再启动ssh,ssh明显延迟很高

你的问题有可能是ssh试图通过你的ss服务器连接server,然而你的server对于ss服务器不可达(比如server是局域网ip)

参考:http://www.dolicapax.org/?p=243

不是终端读了代理配置,是openssh。设置全局代理后不必重启终端,只需要重新运行ssh,ssh就会走代理(这说明终端的环境变量不需要改变)。在log里,只有一处信息提到了使用代理配置,而且这个信息只在认证成功之后才输出:

image

搞明白了,不是 ss 的锅,是苹果搞了个新 feature/bug,让 ssh 用系统代理去连接。

解决办法是在 /etc/ssh/ssh_config 里加这么一条:

Host *
    ProxyCommand nc %h %p

我也这么解决的。不过我在全局代理时仍然能连接,其实还是没弄清楚为什么你的不能~

Was this page helpful?
0 / 5 - 0 ratings

Related issues

zxf8665905 picture zxf8665905  ·  5Comments

Sharnodra picture Sharnodra  ·  6Comments

likebeta picture likebeta  ·  6Comments

gonejack picture gonejack  ·  4Comments

ilovebamboo picture ilovebamboo  ·  4Comments