Detailed SSH troubleshooting steps for issues connecting to a Linux VM in Azure

There are many possible reasons that the SSH client might not be able to reach the SSH service on the VM. If you have already worked through the more general SSH troubleshooting steps and still cannot connect, you need to narrow down where the connection is failing. This article walks you through detailed troubleshooting steps to determine where the SSH connection fails and how to resolve it.

Take preliminary steps

The following diagram shows the components that are involved.

Diagram showing the SSH service components

The following steps help you isolate the source of the failure and work out a solution or workaround.

  1. Check the status of the VM in the portal. In the Azure portal, select Virtual machines > VM name.

    The status pane for the VM should show Running. Scroll down to show recent activity for compute, storage, and network resources.

  2. Select Settings to examine endpoints, IP addresses, network security groups, and other settings.

    The VM should have an endpoint defined for SSH traffic, which you can view under Endpoints (classic VMs) or Network security group (Resource Manager VMs). For VMs created by using Resource Manager, the equivalent of an endpoint is an inbound rule in a network security group. Verify that the rules are present in the network security group and that the group is actually associated with the VM's subnet or network interface; an NSG that is not attached to anything has no effect.

To verify network connectivity, check the configured endpoints and see whether you can reach the VM over another protocol, such as HTTP or another service that the VM exposes.

After these steps, try the SSH connection again.

Find the source of the issue

The SSH client on your computer might fail to connect to the SSH service on the Azure VM because of issues or misconfigurations in the following areas:

Source 1: SSH client computer

To eliminate your computer as the source of the failure, verify that it can make SSH connections to another on-premises, Linux-based computer.

Diagram highlighting the SSH client computer component

If that connection also fails, check for the following issues on your computer:

  • A local firewall setting that is blocking inbound or outbound SSH traffic (TCP 22)
  • Locally installed client proxy software that is preventing SSH connections
  • Locally installed network monitoring software that is preventing SSH connections
  • Other types of security software that either monitor traffic or allow/disallow specific types of traffic

If one of these conditions applies, temporarily disable the software and retry the SSH connection to the on-premises computer to find out what is blocking the connection on your computer. Then work with your network administrator to correct the software settings so that SSH connections are allowed.

If you are using public key (certificate) authentication, verify that the .ssh folder in your home directory and the files in it have these permissions. OpenSSH refuses to use a private key that other users can read, which shows up on the client as an "UNPROTECTED PRIVATE KEY FILE" warning followed by an authentication failure:

  • chmod 700 ~/.ssh
  • chmod 644 ~/.ssh/*.pub
  • chmod 600 ~/.ssh/id_rsa (and any other file that holds a private key)
  • chmod 644 ~/.ssh/known_hosts (contains the hosts you have connected to via SSH)
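The following shell script, added here as an example and not part of the original page, audits those permissions under a client's ~/.ssh directory (or any directory you pass) and fixes them on request. It assumes GNU stat (Linux). Anything other than *.pub files and known_hosts is treated as a private key and locked to 600, which is stricter than necessary for a file such as config but never harmful.

```shell
#!/bin/sh
# Audit, and optionally fix, the permissions OpenSSH expects under ~/.ssh.
# Added example; not from the Azure page. Assumes GNU stat (Linux).
#   ssh_perm_audit check [DIR]   report problems, return 1 if any were found
#   ssh_perm_audit fix   [DIR]   also chmod offending entries, return 1 if any were found

# perm_of PATH -> octal permission bits, e.g. 600
perm_of() { stat -c '%a' "$1"; }

# _want PATH EXPECTED: compare, report, and (in fix mode) correct one entry.
# Relies on POSIX sh function scope: rc and mode are shared with the caller.
_want() {
    [ -e "$1" ] || return 0
    got=$(perm_of "$1")
    if [ "$got" = "$2" ]; then
        echo "ok   $1 ($got)"
    else
        echo "BAD  $1 is $got, want $2"
        rc=1
        if [ "$mode" = fix ]; then chmod "$2" "$1"; fi
    fi
}

ssh_perm_audit() {
    mode=$1
    dir=${2:-"$HOME/.ssh"}
    rc=0
    _want "$dir" 700
    for f in "$dir"/*; do
        [ -e "$f" ] || continue         # empty directory leaves the glob unexpanded
        case "$f" in
            *.pub)          _want "$f" 644 ;;   # public keys may be world-readable
            */known_hosts)  _want "$f" 644 ;;
            *)              _want "$f" 600 ;;   # private keys (and anything else)
        esac
    done
    return $rc
}
```

Run `ssh_perm_audit check` to see the report and `ssh_perm_audit fix` to correct it; a non-zero exit status means at least one entry was wrong, so the function can be used from a login script or a pre-connection check.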

Source 2: Organization edge device

To eliminate your organization's edge device as the source of the failure, verify that a computer that is directly connected to the Internet can make an SSH connection to your Azure VM. If you access the VM over a site-to-site VPN or an Azure ExpressRoute connection, skip to Source 4: Network security groups.

Diagram highlighting the organization edge device

If you don't have a computer that is directly connected to the Internet, create a new Azure VM in its own resource group or cloud service and use that new VM as the test client. For more information, see Create a virtual machine running Linux in Azure. Delete the resource group, or the VM and its cloud service, when you're done testing.

If you can create an SSH connection from a computer that's directly connected to the Internet, check your organization's edge devices for:

  • An internal firewall that's blocking SSH traffic to and from the Internet
  • A proxy server that's preventing SSH connections
  • Intrusion detection or network monitoring software running on devices in your edge network that's preventing SSH connections

Work with your network administrator to correct the settings of your organization's edge devices so that SSH traffic to and from the Internet is allowed.

Source 3: Cloud service endpoint and ACL

Important

Classic VMs will be retired on March 1, 2023.

If you use IaaS resources from ASM (Azure Service Management, the classic deployment model), complete your migration by March 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by March 1, 2023.

Note

This source applies only to VMs that were created by using the classic deployment model. For VMs that were created by using Resource Manager, skip to Source 4: Network security groups.

To eliminate the cloud service endpoint and ACL as the source of the failure, verify that another Azure VM in the same virtual network can connect to the target VM by using SSH.

Diagram highlighting the cloud service endpoint and ACL

If you don't have another VM in the same virtual network, you can easily create one. For more information, see Create a Linux VM on Azure using the CLI. Delete the extra VM when you are done testing.

If you can create an SSH connection from a VM in the same virtual network, check the following areas:

  • The endpoint configuration for SSH traffic on the target VM. The private TCP port of the endpoint must match the TCP port on which the SSH service on the VM is listening (the default is 22). Verify the SSH TCP port number in the Azure portal by selecting Virtual machines > VM name > Settings > Endpoints.
  • The ACL for the SSH traffic endpoint on the target virtual machine. An ACL lets you allow or deny incoming traffic from the Internet based on its source IP address. A misconfigured ACL can block incoming SSH traffic to the endpoint. Check your ACLs to ensure that incoming traffic from the public IP addresses of your proxy or other edge server is allowed. For more information, see About network access control lists (ACLs).

To eliminate the endpoint as a source of the problem, remove the current endpoint, create a new one, and specify the SSH name (TCP port 22 for both the public and the private port number). For more information, see Set up endpoints on a virtual machine in Azure.

Source 4: Network security groups

Network security groups give you more granular control over the inbound and outbound traffic that is allowed. You can create rules that span subnets and cloud services in an Azure virtual network. Check your network security group rules to ensure that SSH traffic to and from the Internet is allowed. Keep in mind that rules are evaluated in priority order (lowest number first) and the first matching rule wins, so a Deny rule with a lower priority number silently shadows an Allow rule listed after it; also prefer restricting the source of the SSH rule to your management addresses rather than the whole Internet. For more information, see About network security groups.

You can also use IP flow verify (part of Azure Network Watcher) to validate the NSG configuration. For more information, see Azure network monitoring overview.
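To make the priority rule concrete, here is a small offline model of inbound NSG evaluation, added as an example and not taken from the page or from any Azure tool. It reads rules in a constructed one-line-per-rule text format (priority, name, direction, access, protocol, destination port, source) and returns the verdict of the first matching rule in ascending priority order. The source field is matched only as a service tag or `*`; CIDR prefixes and port ranges are deliberately not modelled. The sample rule sets, including the default rules Azure adds to every NSG, are constructed for the example.

```shell
#!/bin/sh
# Offline model of NSG inbound rule evaluation. Added example; not from the
# Azure page and not an Azure CLI command. Rules are one per line:
#   priority name direction access protocol destPort source
# where protocol, destPort and source may be '*'. Source is matched as a
# service tag or '*' only; CIDR prefixes and port ranges are not modelled.

# nsg_decide RULES PROTOCOL PORT SOURCE
#   Prints the verdict of the first matching rule in ascending priority
#   order, which is how the platform evaluates an NSG: lowest number wins.
nsg_decide() {
    printf '%s\n' "$1" | sort -n | while read -r prio name dir access proto port src; do
        [ -n "$prio" ] || continue
        [ "$dir" = Inbound ] || continue
        case "$proto" in "$2"|'*') ;; *) continue ;; esac
        case "$port"  in "$3"|'*') ;; *) continue ;; esac
        case "$src"   in "$4"|'*') ;; *) continue ;; esac
        echo "$access by $name (priority $prio)"
        break
    done
}

# Constructed sample: the three default inbound rules plus two custom ones.
# The Deny at 100 shadows the Allow at 300, so SSH fails even though an
# "AllowSSH" rule is present in the NSG.
NSG_SHADOWED='100 DenyAllSSH Inbound Deny Tcp 22 *
300 AllowSSH Inbound Allow Tcp 22 Internet
65000 AllowVnetInBound Inbound Allow * * VirtualNetwork
65001 AllowAzureLoadBalancerInBound Inbound Allow * * AzureLoadBalancer
65500 DenyAllInBound Inbound Deny * * *'

# Same NSG with the stale Deny removed; SSH from the Internet is now allowed.
NSG_FIXED='300 AllowSSH Inbound Allow Tcp 22 Internet
65000 AllowVnetInBound Inbound Allow * * VirtualNetwork
65001 AllowAzureLoadBalancerInBound Inbound Allow * * AzureLoadBalancer
65500 DenyAllInBound Inbound Deny * * *'

echo "shadowed: $(nsg_decide "$NSG_SHADOWED" Tcp 22 Internet)"
echo "fixed:    $(nsg_decide "$NSG_FIXED" Tcp 22 Internet)"
echo "no rule:  $(nsg_decide "$NSG_FIXED" Tcp 3389 Internet)"
```

The "no rule" case shows why a missing SSH rule and a shadowed SSH rule look identical from the client (a timeout): both end at DenyAllInBound. When you export the real rules with `az network nsg rule list`, sort them by priority and walk them the same way before assuming the Allow rule you can see is the one that applies.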

Source 5: Linux-based Azure virtual machine

The last possible source of problems is the Azure virtual machine itself.

Diagram highlighting the Linux-based Azure virtual machine

If you haven't done so already, follow the instructions in Reset a password for Linux-based virtual machines.

Try connecting from your computer again. If it still fails, the following are some of the possible issues:

  • The SSH service is not running on the target virtual machine.

  • The SSH service is not listening on TCP port 22. To test, install a telnet client on your local computer and run "telnet cloudServiceName.chinacloudapp.cn 22". If the connection is established (the screen clears, or a banner beginning with SSH-2.0 appears), the endpoint is reachable and the problem lies in the SSH service or the VM's firewall; if the connection is refused or times out, the port is not reachable. This step determines whether a TCP connection to the SSH endpoint can be established at all.

  • The local firewall on the target virtual machine has rules that block inbound or outbound SSH traffic.

  • Intrusion detection or network monitoring software that's running on the Azure virtual machine is preventing SSH connections.
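The following script, added here as an example rather than taken from the page, checks the first three of those items from inside the VM; run it through the Azure serial console or Run command, since by definition SSH is not available. The two parsing functions take the text of `ss -ltn` and `iptables -S INPUT` as arguments so that they can be exercised on constructed output; the `vm_ssh_diag` wrapper feeds them the live commands. The iptables model is a simplification: a rule is treated as matching the port when it carries `--dport PORT` or when it is a bare catch-all such as `-A INPUT -j DROP`, and the chain policy applies when nothing matches.

```shell
#!/bin/sh
# On-VM SSH diagnostics. Added example, not from the Azure page.
# Run it on the VM via the Azure serial console or "Run command".

# port_listening PORT SS_TEXT
#   Returns 0 when SS_TEXT (output of `ss -ltn`) shows a TCP listener on PORT
#   bound to any address (IPv4 or IPv6), 1 otherwise.
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# input_verdict PORT IPTABLES_TEXT
#   Prints the target (ACCEPT/DROP/REJECT) that the INPUT chain applies to
#   tcp/PORT, given the output of `iptables -S INPUT`. First matching rule
#   wins; if none matches, the chain policy applies. Simplification: a rule
#   matches when it carries "--dport PORT" or is a bare "-A INPUT -j TARGET".
input_verdict() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && !done {
            target = ""
            hit = (NF == 4)                      # catch-all: -A INPUT -j TARGET
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport" && $(i + 1) == p) hit = 1
            }
            if (hit) { print target; done = 1 }
        }
        END { if (!done) print policy }'
}

# vm_ssh_diag [PORT]: run the live checks (iptables needs root).
vm_ssh_diag() {
    port=${1:-22}
    if systemctl is-active --quiet sshd 2>/dev/null || systemctl is-active --quiet ssh 2>/dev/null; then
        echo "sshd: running"
    else
        echo "sshd: NOT running (start it with: systemctl start sshd)"
    fi
    if port_listening "$port" "$(ss -ltn 2>/dev/null)"; then
        echo "tcp/$port: listening"
    else
        echo "tcp/$port: nothing listening; check 'Port' in /etc/ssh/sshd_config and run 'sshd -t'"
    fi
    echo "iptables INPUT verdict for tcp/$port: $(input_verdict "$port" "$(iptables -S INPUT 2>/dev/null)")"
}

# Set SSH_DIAG_RUN=1 to execute the live checks when the file is run directly.
if [ "${SSH_DIAG_RUN:-}" = 1 ]; then vm_ssh_diag "${1:-22}"; fi
```

A DROP verdict for tcp/22 with sshd running and listening is the signature of the third bullet above; a REJECT shows up on the client as "connection refused" rather than a timeout, which is a useful hint before you even reach the VM. Distributions that use nftables or firewalld front ends still expose the same rules through `iptables -S` when the compatibility layer is installed; otherwise inspect `nft list ruleset` by hand.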

Additional resources

For more information about troubleshooting application access, see Troubleshoot access to an application running on an Azure virtual machine.