{"id":389,"date":"2026-05-08T13:40:24","date_gmt":"2026-05-08T05:40:24","guid":{"rendered":"https:\/\/zhaoyanqi.cn\/?p=389"},"modified":"2026-05-08T13:40:24","modified_gmt":"2026-05-08T05:40:24","slug":"linux-%e4%ba%91%e6%9c%8d%e5%8a%a1%e5%99%a8-ssh-%e6%97%a0%e6%b3%95%e8%ae%bf%e9%97%ae%e6%97%b6%ef%bc%8c%e9%80%9a%e8%bf%87%e6%95%91%e6%8f%b4%e6%9c%ba%e6%8c%82%e8%bd%bd%e7%b3%bb%e7%bb%9f%e7%9b%98%e4%bf%ae","status":"publish","type":"post","link":"https:\/\/zhaoyanqi.cn\/?p=389","title":{"rendered":"Linux \u4e91\u670d\u52a1\u5668 SSH \u65e0\u6cd5\u8bbf\u95ee\u65f6\uff0c\u901a\u8fc7\u6551\u63f4\u673a\u6302\u8f7d\u7cfb\u7edf\u76d8\u4fee\u590d \/run\/sshd \u6559\u7a0b"},"content":{"rendered":"\n

\u4e00\u3001\u9002\u7528\u573a\u666f<\/p>\n\n\n\n

\u672c\u6587\u9002\u7528\u4e8e\u4ee5\u4e0b\u573a\u666f\uff1a<\/p>\n\n\n\n

Linux \u4e91\u670d\u52a1\u5668\u65e0\u6cd5\u901a\u8fc7 SSH \u767b\u5f55\nSSH \u7aef\u53e3\u8fde\u63a5\u5931\u8d25\u6216 Connection refused\n\u4e91\u63a7\u5236\u53f0\u65e0\u6cd5\u76f4\u63a5\u767b\u5f55\uff0c\u6216\u6ca1\u6709\u7cfb\u7edf\u5bc6\u7801\n\u7cfb\u7edf\u76d8\u53ef\u4ee5\u4ece\u6545\u969c\u670d\u52a1\u5668\u5378\u8f7d\u5e76\u6302\u8f7d\u5230\u6551\u63f4\u673a\n\u7cfb\u7edf\u4e3a Ubuntu \/ Debian \u7cfb\u5217\nSSH \u670d\u52a1\u4e3a ssh \/ sshd<\/code><\/pre>\n\n\n\n
\u5e38\u89c1\u6545\u969c\u8868\u73b0\uff1a<\/p>\n\n\n\n
nc -vz <\u76ee\u6807\u670d\u52a1\u5668IP> <SSH\u7aef\u53e3><\/code><\/pre>\n\n\n\n
\u8fd4\u56de\uff1a<\/p>\n\n\n\n
Connection refused<\/code><\/pre>\n\n\n\n
\u8bf4\u660e\u7f51\u7edc\u80fd\u5230\u8fbe\u76ee\u6807\u670d\u52a1\u5668\uff0c\u4f46\u76ee\u6807\u7aef\u53e3\u6ca1\u6709\u670d\u52a1\u76d1\u542c\u3002<\/p>\n\n\n\n
\u5982\u679c\u68c0\u67e5 sshd \u914d\u7f6e\u65f6\u62a5\u9519\uff1a<\/p>\n\n\n\n
sudo chroot \/mnt\/rescue sshd -t<\/code><\/pre>\n\n\n\n
\u8fd4\u56de\uff1a<\/p>\n\n\n\n
Missing privilege separation directory: \/run\/sshd<\/code><\/pre>\n\n\n\n
\u8bf4\u660e sshd<\/code> \u542f\u52a8\u4f9d\u8d56\u7684 \/run\/sshd<\/code> \u76ee\u5f55\u4e0d\u5b58\u5728\uff0c\u53ef\u80fd\u5bfc\u81f4 SSH \u670d\u52a1\u65e0\u6cd5\u6b63\u5e38\u542f\u52a8\u3002<\/p>\n\n\n\n
\n\n\n\n
\u4e8c\u3001\u5904\u7406\u601d\u8def<\/h2>\n\n\n\n
\u6574\u4f53\u6d41\u7a0b\u5982\u4e0b\uff1a<\/p>\n\n\n\n
1. \u7ed9\u6545\u969c\u670d\u52a1\u5668\u521b\u5efa\u5feb\u7167\u6216\u955c\u50cf\u5907\u4efd\n2. \u505c\u6b62\u6545\u969c\u670d\u52a1\u5668\n3. \u5378\u8f7d\u6545\u969c\u670d\u52a1\u5668\u7cfb\u7edf\u76d8\n4. \u5c06\u7cfb\u7edf\u76d8\u6302\u8f7d\u5230\u4e00\u53f0\u6b63\u5e38\u6551\u63f4\u673a\n5. \u5728\u6551\u63f4\u673a\u4e0a\u6302\u8f7d\u6545\u969c\u7cfb\u7edf\u76d8\n6. \u68c0\u67e5 SSH \u914d\u7f6e\n7. \u4fee\u590d \/run\/sshd \u7f3a\u5931\u95ee\u9898\n8. \u589e\u52a0 systemd \u548c tmpfiles \u515c\u5e95\u914d\u7f6e\n9. \u542f\u7528 SSH \u670d\u52a1\n10. \u5378\u8f7d\u7cfb\u7edf\u76d8\n11. \u6302\u56de\u539f\u670d\u52a1\u5668\n12. \u542f\u52a8\u539f\u670d\u52a1\u5668\u5e76\u9a8c\u8bc1 SSH<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u4e09\u3001\u4e91\u5e73\u53f0\u63a7\u5236\u53f0\u64cd\u4f5c<\/h2>\n\n\n\n
\u4e0d\u540c\u4e91\u5382\u5546\u754c\u9762\u540d\u79f0\u7565\u6709\u5dee\u5f02\uff0c\u4f8b\u5982 AWS\u3001\u817e\u8baf\u4e91\u3001\u963f\u91cc\u4e91\u3001\u534e\u4e3a\u4e91\uff0c\u4f46\u601d\u8def\u4e00\u81f4\u3002<\/p>\n\n\n\n
1. \u521b\u5efa\u5907\u4efd<\/h3>\n\n\n\n
\u64cd\u4f5c\u7cfb\u7edf\u76d8\u524d\uff0c\u5efa\u8bae\u5148\u505a\u5feb\u7167\u6216\u955c\u50cf\u3002<\/p>\n\n\n\n
\u901a\u7528\u64cd\u4f5c\u8def\u5f84\uff1a<\/p>\n\n\n\n
\u4e91\u670d\u52a1\u5668\u63a7\u5236\u53f0 \u2192 \u9009\u62e9\u6545\u969c\u5b9e\u4f8b \u2192 \u7cfb\u7edf\u76d8 \/ \u4e91\u786c\u76d8 \u2192 \u521b\u5efa\u5feb\u7167<\/code><\/pre>\n\n\n\n
\u6216\u8005\uff1a<\/p>\n\n\n\n
\u4e91\u670d\u52a1\u5668\u63a7\u5236\u53f0 \u2192 \u9009\u62e9\u6545\u969c\u5b9e\u4f8b \u2192 \u521b\u5efa\u955c\u50cf<\/code><\/pre>\n\n\n\n
\u5efa\u8bae\u547d\u540d\u683c\u5f0f\uff1a<\/p>\n\n\n\n
<\u670d\u52a1\u5668\u540d\u79f0>-before-ssh-fix-YYYYMMDD<\/code><\/pre>\n\n\n\n
\u4f8b\u5982\uff1a<\/p>\n\n\n\n
app-prod-01-before-ssh-fix-20260508<\/code><\/pre>\n\n\n\n
\n\n\n\n
2. \u505c\u6b62\u6545\u969c\u670d\u52a1\u5668<\/h3>\n\n\n\n
\u6ce8\u610f\u662f \u505c\u6b62 \/ Stop<\/strong>\uff0c\u4e0d\u662f \u9500\u6bc1 \/ Terminate \/ Delete<\/strong>\u3002<\/p>\n\n\n\n
\u4e91\u670d\u52a1\u5668\u63a7\u5236\u53f0 \u2192 \u9009\u62e9\u6545\u969c\u5b9e\u4f8b \u2192 \u505c\u6b62\u5b9e\u4f8b<\/code><\/pre>\n\n\n\n
\u7b49\u5f85\u5b9e\u4f8b\u72b6\u6001\u53d8\u4e3a\uff1a<\/p>\n\n\n\n
Stopped \/ \u5df2\u505c\u6b62<\/code><\/pre>\n\n\n\n
\n\n\n\n
3. \u5378\u8f7d\u7cfb\u7edf\u76d8<\/h3>\n\n\n\n
\u5728\u6545\u969c\u5b9e\u4f8b\u8be6\u60c5\u4e2d\u8bb0\u5f55\u4ee5\u4e0b\u4fe1\u606f\uff1a<\/p>\n\n\n\n
\u5b9e\u4f8b ID\n\u7cfb\u7edf\u76d8 ID\n\u7cfb\u7edf\u76d8\u539f\u6302\u8f7d\u8bbe\u5907\u540d\n\u53ef\u7528\u533a \/ Availability Zone<\/code><\/pre>\n\n\n\n
\u7136\u540e\u5378\u8f7d\u7cfb\u7edf\u76d8\uff1a<\/p>\n\n\n\n
\u4e91\u786c\u76d8 \/ Volumes \u2192 \u9009\u62e9\u6545\u969c\u670d\u52a1\u5668\u7cfb\u7edf\u76d8 \u2192 \u5378\u8f7d<\/code><\/pre>\n\n\n\n
\n\n\n\n
4. \u6302\u8f7d\u7cfb\u7edf\u76d8\u5230\u6551\u63f4\u673a<\/h3>\n\n\n\n
\u6551\u63f4\u673a\u8981\u6c42\uff1a<\/p>\n\n\n\n
\u4e0e\u6545\u969c\u670d\u52a1\u5668\u5728\u540c\u4e00\u4e2a\u53ef\u7528\u533a\n\u7cfb\u7edf\u6b63\u5e38\n\u53ef\u4ee5 SSH \u767b\u5f55\n\u5efa\u8bae\u4f7f\u7528\u540c\u7c7b Linux \u7cfb\u7edf\uff0c\u4f8b\u5982 Ubuntu<\/code><\/pre>\n\n\n\n
\u5c06\u6545\u969c\u7cfb\u7edf\u76d8\u6302\u8f7d\u5230\u6551\u63f4\u673a\u3002<\/p>\n\n\n\n
\u8bbe\u5907\u540d\u53ef\u4ee5\u4f7f\u7528\u7c7b\u4f3c\uff1a<\/p>\n\n\n\n
\/dev\/sdf\n\/dev\/vdb<\/code><\/pre>\n\n\n\n
\u5728\u90e8\u5206\u4e91\u5e73\u53f0\u6216 Nitro \u67b6\u6784\u5b9e\u4f8b\u4e2d\uff0c\u8fdb\u5165\u7cfb\u7edf\u540e\u53ef\u80fd\u663e\u793a\u4e3a\uff1a<\/p>\n\n\n\n
\/dev\/nvme1n1<\/code><\/pre>\n\n\n\n
\u8fd9\u662f\u6b63\u5e38\u73b0\u8c61\u3002<\/p>\n\n\n\n
\n\n\n\n
\u56db\u3001\u6551\u63f4\u673a\u4e0a\u6302\u8f7d\u6545\u969c\u7cfb\u7edf\u76d8<\/h2>\n\n\n\n
SSH \u767b\u5f55\u6551\u63f4\u673a\u540e\uff0c\u67e5\u770b\u78c1\u76d8\uff1a<\/p>\n\n\n\n
lsblk<\/code><\/pre>\n\n\n\n
\u518d\u67e5\u770b\u6587\u4ef6\u7cfb\u7edf\uff1a<\/p>\n\n\n\n
lsblk -f<\/code><\/pre>\n\n\n\n
\u4e00\u822c\u53ef\u4ee5\u770b\u5230\u7c7b\u4f3c\uff1a<\/p>\n\n\n\n
nvme0n1       \u6551\u63f4\u673a\u81ea\u5df1\u7684\u7cfb\u7edf\u76d8\nnvme1n1       \u6302\u8f7d\u8fc7\u6765\u7684\u6545\u969c\u7cfb\u7edf\u76d8\n\u2514\u2500nvme1n1p1   \u6545\u969c\u7cfb\u7edf\u76d8\u5206\u533a<\/code><\/pre>\n\n\n\n
\u521b\u5efa\u6302\u8f7d\u76ee\u5f55\uff1a<\/p>\n\n\n\n
sudo mkdir -p \/mnt\/rescue<\/code><\/pre>\n\n\n\n
\u6302\u8f7d\u6545\u969c\u7cfb\u7edf\u76d8\u5206\u533a\uff1a<\/p>\n\n\n\n
sudo mount <\u6545\u969c\u76d8\u5206\u533a> \/mnt\/rescue<\/code><\/pre>\n\n\n\n
\u793a\u4f8b\uff1a<\/p>\n\n\n\n
sudo mount \/dev\/nvme1n1p1 \/mnt\/rescue<\/code><\/pre>\n\n\n\n
\u5982\u679c\u4e0d\u662f nvme1n1p1<\/code>\uff0c\u9700\u8981\u6839\u636e lsblk -f<\/code> \u7684\u7ed3\u679c\u9009\u62e9\u6b63\u786e\u5206\u533a\u3002<\/p>\n\n\n\n
\u786e\u8ba4\u6302\u8f7d\u6210\u529f\uff1a<\/p>\n\n\n\n
ls \/mnt\/rescue<\/code><\/pre>\n\n\n\n
\u6b63\u5e38\u5e94\u8be5\u80fd\u770b\u5230\u7c7b\u4f3c\u76ee\u5f55\uff1a<\/p>\n\n\n\n
bin  boot  dev  etc  home  lib  opt  proc  root  run  usr  var<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u4e94\u3001\u68c0\u67e5 SSH \u914d\u7f6e<\/h2>\n\n\n\n
1. \u68c0\u67e5\u4e3b\u914d\u7f6e\u6587\u4ef6<\/h3>\n\n\n\n
sudo grep -nE '^(Port|ListenAddress|PubkeyAuthentication|PasswordAuthentication|UsePAM)' \/mnt\/rescue\/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
\u91cd\u70b9\u5173\u6ce8\uff1a<\/p>\n\n\n\n
Port <SSH\u7aef\u53e3>\nPubkeyAuthentication\nPasswordAuthentication\nUsePAM<\/code><\/pre>\n\n\n\n
\u4f8b\u5982\uff1a<\/p>\n\n\n\n
Port 22<\/code><\/pre>\n\n\n\n
\u6216\u8005\uff1a<\/p>\n\n\n\n
Port 2222<\/code><\/pre>\n\n\n\n
\u5982\u679c\u670d\u52a1\u5668\u4f7f\u7528\u4e86\u975e\u6807\u51c6\u7aef\u53e3\uff0c\u8981\u786e\u8ba4\u8fd9\u91cc\u914d\u7f6e\u7684\u662f\u5b9e\u9645 SSH \u767b\u5f55\u7aef\u53e3\u3002<\/p>\n\n\n\n
\n\n\n\n
2. \u68c0\u67e5 sshd_config.d \u8986\u76d6\u914d\u7f6e<\/h3>\n\n\n\n
Ubuntu \u4e91\u955c\u50cf\u7ecf\u5e38\u4f1a\u5728\u4e0b\u9762\u76ee\u5f55\u653e\u989d\u5916\u914d\u7f6e\uff1a<\/p>\n\n\n\n
sudo ls -l \/mnt\/rescue\/etc\/ssh\/sshd_config.d\/<\/code><\/pre>\n\n\n\n
\u7ee7\u7eed\u68c0\u67e5\u662f\u5426\u6709\u8986\u76d6\u914d\u7f6e\uff1a<\/p>\n\n\n\n
sudo grep -RniE '^(Port|ListenAddress|PubkeyAuthentication|PasswordAuthentication|DenyUsers|AllowUsers|AllowGroups|MaxStartups)' \/mnt\/rescue\/etc\/ssh\/sshd_config.d\/ 2>\/dev\/null<\/code><\/pre>\n\n\n\n
\u5982\u679c\u770b\u5230\uff1a<\/p>\n\n\n\n
PasswordAuthentication no<\/code><\/pre>\n\n\n\n
\u4e00\u822c\u8868\u793a\u7981\u6b62 SSH \u5bc6\u7801\u767b\u5f55\uff0c\u53ea\u5141\u8bb8\u5bc6\u94a5\u767b\u5f55\u3002
\u8fd9\u901a\u5e38\u662f\u4e91\u670d\u52a1\u5668\u9ed8\u8ba4\u5b89\u5168\u914d\u7f6e\uff0c\u4e0d\u4e00\u5b9a\u662f\u95ee\u9898\u3002<\/p>\n\n\n\n
\n\n\n\n
\u516d\u3001\u8fdb\u5165 chroot \u68c0\u67e5 sshd<\/h2>\n\n\n\n
\u6302\u8f7d chroot \u6240\u9700\u76ee\u5f55\uff1a<\/p>\n\n\n\n
sudo mount --bind \/dev \/mnt\/rescue\/dev\nsudo mount --bind \/proc \/mnt\/rescue\/proc\nsudo mount --bind \/sys \/mnt\/rescue\/sys<\/code><\/pre>\n\n\n\n
\u68c0\u67e5 sshd \u914d\u7f6e\uff1a<\/p>\n\n\n\n
sudo chroot \/mnt\/rescue sshd -t\necho $?<\/code><\/pre>\n\n\n\n
\u5982\u679c\u6b63\u5e38\uff0c\u901a\u5e38\u6ca1\u6709\u8f93\u51fa\uff0c\u5e76\u8fd4\u56de\uff1a<\/p>\n\n\n\n
0<\/code><\/pre>\n\n\n\n
\u5982\u679c\u8fd4\u56de\uff1a<\/p>\n\n\n\n
Missing privilege separation directory: \/run\/sshd<\/code><\/pre>\n\n\n\n
\u8bf4\u660e \/run\/sshd<\/code> \u7f3a\u5931\uff0c\u9700\u8981\u7ee7\u7eed\u4fee\u590d\u3002<\/p>\n\n\n\n
\n\n\n\n
\u4e03\u3001\u4fee\u590d \/run\/sshd<\/code> \u7f3a\u5931\u95ee\u9898<\/h2>\n\n\n\n
1. \u4e34\u65f6\u521b\u5efa \/run\/sshd<\/code><\/h3>\n\n\n\n
sudo mkdir -p \/mnt\/rescue\/run\/sshd\nsudo chmod 755 \/mnt\/rescue\/run\/sshd<\/code><\/pre>\n\n\n\n
\u518d\u6b21\u68c0\u67e5\uff1a<\/p>\n\n\n\n
sudo chroot \/mnt\/rescue sshd -t\necho $?<\/code><\/pre>\n\n\n\n
\u671f\u671b\u8fd4\u56de\uff1a<\/p>\n\n\n\n
0<\/code><\/pre>\n\n\n\n
\n\n\n\n
2. \u589e\u52a0 systemd \u542f\u52a8\u515c\u5e95\u914d\u7f6e<\/h3>\n\n\n\n
\u56e0\u4e3a \/run<\/code> \u662f\u4e34\u65f6\u76ee\u5f55\uff0c\u7cfb\u7edf\u91cd\u542f\u540e \/run\/sshd<\/code> \u4e0d\u4f1a\u6c38\u4e45\u4fdd\u7559\uff0c\u6240\u4ee5\u9700\u8981\u8ba9 systemd \u6bcf\u6b21\u542f\u52a8 SSH \u670d\u52a1\u524d\u81ea\u52a8\u521b\u5efa\u8be5\u76ee\u5f55\u3002<\/p>\n\n\n\n
\u521b\u5efa override \u76ee\u5f55\uff1a<\/p>\n\n\n\n
sudo mkdir -p \/mnt\/rescue\/etc\/systemd\/system\/ssh.service.d<\/code><\/pre>\n\n\n\n
\u5199\u5165\u914d\u7f6e\uff1a<\/p>\n\n\n\n
sudo tee \/mnt\/rescue\/etc\/systemd\/system\/ssh.service.d\/override.conf >\/dev\/null <<'EOF'\n[Service]\nRuntimeDirectory=sshd\nRuntimeDirectoryMode=0755\nEOF<\/code><\/pre>\n\n\n\n
\u4f5c\u7528\uff1a<\/p>\n\n\n\n
\u542f\u52a8 ssh \u670d\u52a1\u524d\u81ea\u52a8\u521b\u5efa \/run\/sshd\n\u76ee\u5f55\u6743\u9650\u4e3a 0755<\/code><\/pre>\n\n\n\n
\n\n\n\n
3. \u589e\u52a0 tmpfiles \u515c\u5e95\u914d\u7f6e<\/h3>\n\n\n\n
\u521b\u5efa tmpfiles \u914d\u7f6e\u76ee\u5f55\uff1a<\/p>\n\n\n\n
sudo mkdir -p \/mnt\/rescue\/etc\/tmpfiles.d<\/code><\/pre>\n\n\n\n
\u5199\u5165\u914d\u7f6e\uff1a<\/p>\n\n\n\n
echo 'd \/run\/sshd 0755 root root -' | sudo tee \/mnt\/rescue\/etc\/tmpfiles.d\/sshd.conf<\/code><\/pre>\n\n\n\n
\u4f5c\u7528\uff1a<\/p>\n\n\n\n
\u7cfb\u7edf\u542f\u52a8\u65f6\u901a\u8fc7 systemd-tmpfiles \u81ea\u52a8\u521b\u5efa \/run\/sshd<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u516b\u3001\u542f\u7528 SSH \u670d\u52a1\u5e76\u6700\u7ec8\u68c0\u67e5<\/h2>\n\n\n\n
\u542f\u7528 SSH \u670d\u52a1\u5f00\u673a\u81ea\u542f\uff1a<\/p>\n\n\n\n
sudo chroot \/mnt\/rescue systemctl enable ssh<\/code><\/pre>\n\n\n\n
\u518d\u6b21\u68c0\u67e5 sshd \u914d\u7f6e\uff1a<\/p>\n\n\n\n
sudo chroot \/mnt\/rescue sshd -t\necho $?<\/code><\/pre>\n\n\n\n
\u671f\u671b\u8fd4\u56de\uff1a<\/p>\n\n\n\n
0<\/code><\/pre>\n\n\n\n
\u5982\u679c\u8fd4\u56de 0<\/code>\uff0c\u8bf4\u660e SSH \u914d\u7f6e\u6b63\u5e38\u3002<\/p>\n\n\n\n
\n\n\n\n
\u4e5d\u3001\u5378\u8f7d\u6545\u969c\u7cfb\u7edf\u76d8<\/h2>\n\n\n\n
\u5148\u5207\u6362\u5230\u6839\u76ee\u5f55\uff0c\u907f\u514d\u6302\u8f7d\u76ee\u5f55\u88ab\u5360\u7528\uff1a<\/p>\n\n\n\n
cd \/<\/code><\/pre>\n\n\n\n
\u5378\u8f7d\u6240\u6709\u6302\u8f7d\uff1a<\/p>\n\n\n\n
sudo umount -R \/mnt\/rescue<\/code><\/pre>\n\n\n\n
\u786e\u8ba4\u6ca1\u6709\u6302\u8f7d\u6b8b\u7559\uff1a<\/p>\n\n\n\n
lsblk<\/code><\/pre>\n\n\n\n
\u5982\u679c\u63d0\u793a busy\uff0c\u53ef\u4ee5\u68c0\u67e5\u662f\u5426\u8fd8\u6709\u8fdb\u7a0b\u5360\u7528\uff1a<\/p>\n\n\n\n
sudo lsof +f -- \/mnt\/rescue<\/code><\/pre>\n\n\n\n
\u6216\u91cd\u65b0\u6267\u884c\uff1a<\/p>\n\n\n\n
cd \/\nsudo umount -R \/mnt\/rescue<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u5341\u3001\u6302\u56de\u539f\u670d\u52a1\u5668<\/h2>\n\n\n\n
\u5728\u4e91\u5e73\u53f0\u63a7\u5236\u53f0\u4e2d\u64cd\u4f5c\uff1a<\/p>\n\n\n\n
\u4e91\u786c\u76d8 \/ Volumes \u2192 \u9009\u62e9\u6545\u969c\u7cfb\u7edf\u76d8 \u2192 \u4ece\u6551\u63f4\u673a\u5378\u8f7d<\/code><\/pre>\n\n\n\n
\u7b49\u5f85\u78c1\u76d8\u72b6\u6001\u53d8\u4e3a\u7a7a\u95f2\u6216\u53ef\u6302\u8f7d\u3002<\/p>\n\n\n\n
\u7136\u540e\u6302\u56de\u539f\u670d\u52a1\u5668\uff1a<\/p>\n\n\n\n
\u4e91\u786c\u76d8 \/ Volumes \u2192 \u9009\u62e9\u6545\u969c\u7cfb\u7edf\u76d8 \u2192 \u6302\u8f7d\u5230\u539f\u670d\u52a1\u5668<\/code><\/pre>\n\n\n\n
\u6ce8\u610f\uff1a<\/p>\n\n\n\n
\u8bbe\u5907\u540d\u5fc5\u987b\u4f7f\u7528\u539f\u6765\u7684\u7cfb\u7edf\u76d8\u8bbe\u5907\u540d<\/code><\/pre>\n\n\n\n
\u5e38\u89c1\u8bbe\u5907\u540d\uff1a<\/p>\n\n\n\n
\/dev\/sda1\n\/dev\/xvda\n\/dev\/vda<\/code><\/pre>\n\n\n\n
\u5177\u4f53\u4ee5\u4e91\u5e73\u53f0\u539f\u5b9e\u4f8b\u8be6\u60c5\u4e2d\u8bb0\u5f55\u7684 Root device name \u4e3a\u51c6\u3002<\/p>\n\n\n\n
\n\n\n\n
\u5341\u4e00\u3001\u542f\u52a8\u539f\u670d\u52a1\u5668\u5e76\u9a8c\u8bc1<\/h2>\n\n\n\n
\u542f\u52a8\u539f\u670d\u52a1\u5668\uff1a<\/p>\n\n\n\n
\u4e91\u670d\u52a1\u5668\u63a7\u5236\u53f0 \u2192 \u9009\u62e9\u539f\u5b9e\u4f8b \u2192 \u542f\u52a8\u5b9e\u4f8b<\/code><\/pre>\n\n\n\n
\u542f\u52a8\u5b8c\u6210\u540e\uff0c\u5728\u8df3\u677f\u673a\u6216\u540c\u7f51\u7edc\u670d\u52a1\u5668\u4e0a\u6d4b\u8bd5 SSH \u7aef\u53e3\uff1a<\/p>\n\n\n\n
nc -vz <\u76ee\u6807\u670d\u52a1\u5668IP> <SSH\u7aef\u53e3><\/code><\/pre>\n\n\n\n
\u6b63\u5e38\u7ed3\u679c\uff1a<\/p>\n\n\n\n
Connection to <\u76ee\u6807\u670d\u52a1\u5668IP> <SSH\u7aef\u53e3> port [tcp\/*] succeeded!<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5 SSH \u767b\u5f55\uff1a<\/p>\n\n\n\n
chmod 400 <\u5bc6\u94a5\u6587\u4ef6>\nssh -i <\u5bc6\u94a5\u6587\u4ef6> -p <SSH\u7aef\u53e3> <\u7528\u6237\u540d>@<\u76ee\u6807\u670d\u52a1\u5668IP><\/code><\/pre>\n\n\n\n
\u793a\u4f8b\uff1a<\/p>\n\n\n\n
chmod 400 \/tmp\/server.pem\nssh -i \/tmp\/server.pem -p 22 ubuntu@<\u76ee\u6807\u670d\u52a1\u5668IP><\/code><\/pre>\n\n\n\n
\u5982\u679c\u4f7f\u7528\u975e\u6807\u51c6\u7aef\u53e3\uff1a<\/p>\n\n\n\n
ssh -i \/tmp\/server.pem -p <SSH\u7aef\u53e3> ubuntu@<\u76ee\u6807\u670d\u52a1\u5668IP><\/code><\/pre>\n\n\n\n
\u767b\u5f55\u6210\u529f\u540e\uff0c\u68c0\u67e5 SSH \u670d\u52a1\u72b6\u6001\uff1a<\/p>\n\n\n\n
sudo systemctl status ssh<\/code><\/pre>\n\n\n\n
\u68c0\u67e5\u76d1\u542c\u7aef\u53e3\uff1a<\/p>\n\n\n\n
sudo ss -lntp | grep <SSH\u7aef\u53e3><\/code><\/pre>\n\n\n\n
\u68c0\u67e5 sshd \u914d\u7f6e\uff1a<\/p>\n\n\n\n
sudo sshd -t\necho $?<\/code><\/pre>\n\n\n\n
\u671f\u671b\u8fd4\u56de\uff1a<\/p>\n\n\n\n
0<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u5341\u4e8c\u3001\u6062\u590d\u540e\u5efa\u8bae\u52a0\u56fa<\/h2>\n\n\n\n
1. \u8bbe\u7f6e VNC \/ \u63a7\u5236\u53f0\u5907\u7528\u767b\u5f55\u5bc6\u7801<\/h3>\n\n\n\n
\u4e3a\u4e86\u907f\u514d\u4e0b\u6b21 SSH \u5f02\u5e38\u65f6\u5b8c\u5168\u65e0\u6cd5\u8fdb\u5165\u7cfb\u7edf\uff0c\u5efa\u8bae\u7ed9\u666e\u901a\u8fd0\u7ef4\u7528\u6237\u8bbe\u7f6e\u7cfb\u7edf\u5bc6\u7801\u3002<\/p>\n\n\n\n
\u4f8b\u5982 Ubuntu \u9ed8\u8ba4\u7528\u6237\uff1a<\/p>\n\n\n\n
sudo passwd ubuntu<\/code><\/pre>\n\n\n\n
\u68c0\u67e5\u7528\u6237\u72b6\u6001\uff1a<\/p>\n\n\n\n
sudo passwd -S ubuntu<\/code><\/pre>\n\n\n\n
\u5982\u679c\u770b\u5230\u7c7b\u4f3c\uff1a<\/p>\n\n\n\n
ubuntu P ...<\/code><\/pre>\n\n\n\n
\u8bf4\u660e\u5bc6\u7801\u53ef\u7528\u3002<\/p>\n\n\n\n
\u4ee5\u540e\u901a\u8fc7\u4e91\u63a7\u5236\u53f0 VNC \u767b\u5f55\uff1a<\/p>\n\n\n\n
login: ubuntu\nPassword: \u8f93\u5165\u8bbe\u7f6e\u7684\u7cfb\u7edf\u5bc6\u7801<\/code><\/pre>\n\n\n\n
\u767b\u5f55\u540e\u63d0\u6743\uff1a<\/p>\n\n\n\n
sudo -i<\/code><\/pre>\n\n\n\n
\u6ce8\u610f\uff1a\u8fd9\u4e0d\u7b49\u4e8e\u5f00\u542f SSH \u5bc6\u7801\u767b\u5f55\u3002
SSH \u4ecd\u7136\u53ef\u4ee5\u4fdd\u6301\u5bc6\u94a5\u767b\u5f55\u3002<\/p>\n\n\n\n
\n\n\n\n
2. \u4e0d\u5efa\u8bae\u957f\u671f\u5f00\u542f root SSH \u5bc6\u7801\u767b\u5f55<\/h3>\n\n\n\n
\u5982\u679c\u53ea\u662f\u4e3a\u4e86 VNC \u515c\u5e95\uff0c\u5efa\u8bae\u8bbe\u7f6e\u666e\u901a\u7528\u6237\u5bc6\u7801\uff0c\u4e0d\u5efa\u8bae\u5f00\u542f root SSH \u5bc6\u7801\u767b\u5f55\u3002<\/p>\n\n\n\n
SSH \u63a8\u8350\u914d\u7f6e\uff1a<\/p>\n\n\n\n
PasswordAuthentication no\nPermitRootLogin prohibit-password\nPubkeyAuthentication yes<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u5341\u4e09\u3001\u6545\u969c\u539f\u56e0\u8bf4\u660e<\/h2>\n\n\n\n
\/run<\/code> \u662f\u8fd0\u884c\u65f6\u4e34\u65f6\u76ee\u5f55\uff0c\u901a\u5e38\u7531 tmpfs \u63d0\u4f9b\uff1a<\/p>\n\n\n\n
mount | grep ' \/run '<\/code><\/pre>\n\n\n\n
\u6b63\u5e38\u60c5\u51b5\u4e0b\uff1a<\/p>\n\n\n\n
\/run \u76ee\u5f55\u4f1a\u5728\u7cfb\u7edf\u542f\u52a8\u540e\u751f\u6210\n\/run\/sshd \u4e0d\u4f1a\u6c38\u4e45\u4fdd\u5b58\u5728\u78c1\u76d8\u4e0a\nSSH \u670d\u52a1\u542f\u52a8\u65f6\u9700\u8981 \/run\/sshd\n\u6b63\u5e38\u5e94\u7531 systemd \u6216 systemd-tmpfiles \u81ea\u52a8\u521b\u5efa<\/code><\/pre>\n\n\n\n
\u5982\u679c\u7cfb\u7edf\u542f\u52a8\u65f6\u6ca1\u6709\u6b63\u786e\u521b\u5efa \/run\/sshd<\/code>\uff0csshd \u53ef\u80fd\u542f\u52a8\u5931\u8d25\uff0c\u6700\u7ec8\u5bfc\u81f4 SSH \u7aef\u53e3\u6ca1\u6709\u76d1\u542c\u3002<\/p>\n\n\n\n
\u5178\u578b\u8868\u73b0\uff1a<\/p>\n\n\n\n
SSH \u7aef\u53e3 Connection refused\nsshd -t \u62a5 Missing privilege separation directory: \/run\/sshd<\/code><\/pre>\n\n\n\n
\u6700\u7ec8\u4fee\u590d\u65b9\u5f0f\uff1a<\/p>\n\n\n\n
\u4e34\u65f6\u521b\u5efa \/run\/sshd\n\u589e\u52a0 systemd RuntimeDirectory=sshd\n\u589e\u52a0 tmpfiles \u515c\u5e95\u914d\u7f6e\n\u542f\u7528 ssh \u670d\u52a1\n\u91cd\u65b0\u6302\u56de\u7cfb\u7edf\u76d8\u5e76\u542f\u52a8\u670d\u52a1\u5668<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u5341\u56db\u3001\u5b8c\u6574\u547d\u4ee4\u6c47\u603b<\/h2>\n\n\n\n
# 1. \u67e5\u770b\u78c1\u76d8\nlsblk\nlsblk -f\n\n# 2. \u521b\u5efa\u6302\u8f7d\u76ee\u5f55\nsudo mkdir -p \/mnt\/rescue\n\n# 3. \u6302\u8f7d\u6545\u969c\u7cfb\u7edf\u76d8\nsudo mount <\u6545\u969c\u76d8\u5206\u533a> \/mnt\/rescue\n# \u793a\u4f8b\uff1a\n# sudo mount \/dev\/nvme1n1p1 \/mnt\/rescue\n\n# 4. \u68c0\u67e5 ssh \u4e3b\u914d\u7f6e\nsudo grep -nE '^(Port|ListenAddress|PubkeyAuthentication|PasswordAuthentication|UsePAM)' \/mnt\/rescue\/etc\/ssh\/sshd_config\n\n# 5. \u68c0\u67e5 sshd_config.d \u8986\u76d6\u914d\u7f6e\nsudo ls -l \/mnt\/rescue\/etc\/ssh\/sshd_config.d\/\nsudo grep -RniE '^(Port|ListenAddress|PubkeyAuthentication|PasswordAuthentication|DenyUsers|AllowUsers|AllowGroups|MaxStartups)' \/mnt\/rescue\/etc\/ssh\/sshd_config.d\/ 2>\/dev\/null\n\n# 6. \u51c6\u5907 chroot \u73af\u5883\nsudo mount --bind \/dev \/mnt\/rescue\/dev\nsudo mount --bind \/proc \/mnt\/rescue\/proc\nsudo mount --bind \/sys \/mnt\/rescue\/sys\n\n# 7. \u68c0\u67e5 sshd \u914d\u7f6e\nsudo chroot \/mnt\/rescue sshd -t\necho $?\n\n# 8. \u5982\u679c\u62a5 Missing privilege separation directory: \/run\/sshd\uff0c\u5219\u521b\u5efa\u76ee\u5f55\nsudo mkdir -p \/mnt\/rescue\/run\/sshd\nsudo chmod 755 \/mnt\/rescue\/run\/sshd\n\n# 9. \u518d\u6b21\u68c0\u67e5 sshd\nsudo chroot \/mnt\/rescue sshd -t\necho $?\n\n# 10. \u589e\u52a0 systemd override\nsudo mkdir -p \/mnt\/rescue\/etc\/systemd\/system\/ssh.service.d\n\nsudo tee \/mnt\/rescue\/etc\/systemd\/system\/ssh.service.d\/override.conf >\/dev\/null <<'EOF'\n[Service]\nRuntimeDirectory=sshd\nRuntimeDirectoryMode=0755\nEOF\n\n# 11. \u589e\u52a0 tmpfiles \u515c\u5e95\u914d\u7f6e\nsudo mkdir -p \/mnt\/rescue\/etc\/tmpfiles.d\n\necho 'd \/run\/sshd 0755 root root -' | sudo tee \/mnt\/rescue\/etc\/tmpfiles.d\/sshd.conf\n\n# 12. \u542f\u7528 ssh \u670d\u52a1\nsudo chroot \/mnt\/rescue systemctl enable ssh\n\n# 13. \u6700\u7ec8\u68c0\u67e5\nsudo chroot \/mnt\/rescue sshd -t\necho $?\n\n# 14. \u5378\u8f7d\u6545\u969c\u7cfb\u7edf\u76d8\ncd \/\nsudo umount -R \/mnt\/rescue\n\n# 15. \u6302\u56de\u539f\u670d\u52a1\u5668\u540e\u9a8c\u8bc1\nnc -vz <\u76ee\u6807\u670d\u52a1\u5668IP> <SSH\u7aef\u53e3>\nssh -i <\u5bc6\u94a5\u6587\u4ef6> -p <SSH\u7aef\u53e3> <\u7528\u6237\u540d>@<\u76ee\u6807\u670d\u52a1\u5668IP><\/code><\/pre>\n\n\n\n
\n\n\n\n
\u5341\u4e94\u3001\u6ce8\u610f\u4e8b\u9879<\/h2>\n\n\n\n
    \n
  1. \u64cd\u4f5c\u7cfb\u7edf\u76d8\u524d\u5fc5\u987b\u5148\u505a\u5feb\u7167\u6216\u955c\u50cf\u5907\u4efd\u3002<\/li>\n\n\n\n
  2. \u505c\u6b62\u5b9e\u4f8b\u65f6\u4e0d\u8981\u8bef\u70b9\u9500\u6bc1\u3001\u7ec8\u6b62\u3001\u5220\u9664\u3002<\/li>\n\n\n\n
  3. \u6551\u63f4\u673a\u5fc5\u987b\u548c\u6545\u969c\u76d8\u5728\u540c\u4e00\u4e2a\u53ef\u7528\u533a\u3002<\/li>\n\n\n\n
  4. \u6302\u56de\u539f\u670d\u52a1\u5668\u65f6\uff0c\u7cfb\u7edf\u76d8\u8bbe\u5907\u540d\u8981\u4f7f\u7528\u539f\u6765\u7684 Root device name\u3002<\/li>\n\n\n\n
  5. \/run\/sshd<\/code> \u662f\u8fd0\u884c\u65f6\u76ee\u5f55\uff0c\u4e0d\u80fd\u53ea\u4f9d\u8d56\u624b\u5de5\u521b\u5efa\uff0c\u5fc5\u987b\u589e\u52a0 systemd \u6216 tmpfiles \u515c\u5e95\u914d\u7f6e\u3002<\/li>\n\n\n\n
  6. \u4fee\u590d\u5b8c\u6210\u540e\u5efa\u8bae\u6d4b\u8bd5\u4e91\u63a7\u5236\u53f0 VNC \u767b\u5f55\uff0c\u8bbe\u7f6e\u666e\u901a\u7528\u6237\u5bc6\u7801\u4f5c\u4e3a\u4fdd\u5e95\u3002<\/li>\n\n\n\n
  7. \u4e0d\u5efa\u8bae\u957f\u671f\u5f00\u653e SSH \u5bc6\u7801\u767b\u5f55\u548c root \u5bc6\u7801\u767b\u5f55\u3002<\/li>\n<\/ol>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    \u4e00\u3001\u9002\u7528\u573a\u666f \u672c\u6587\u9002\u7528\u4e8e\u4ee5\u4e0b\u573a\u666f\uff1a \u5e38\u89c1\u6545\u969c\u8868\u73b0\uff1a \u8fd4\u56de\uff1a \u8bf4\u660e\u7f51\u7edc\u80fd\u5230\u8fbe\u76ee\u6807\u670d\u52a1\u5668\uff0c\u4f46\u76ee\u6807\u7aef\u53e3\u6ca1\u6709\u670d\u52a1\u76d1\u542c\u3002 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-389","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=\/wp\/v2\/posts\/389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=389"}],"version-history":[{"count":1,"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=\/wp\/v2\/posts\/389\/revisions"}],"predecessor-version":[{"id":390,"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=\/wp\/v2\/posts\/389\/revisions\/390"}],"wp:attachment":[{"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zhaoyanqi.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}