银河麒麟 SSH Vscode连接

SSH连接错误：

[20:04:32.376] Failed to set up socket for dynamic port forward to remote port 38671: Socket closed. TCP port forwarding may be disabled, or the remote server may have crashed. See the VS Code Server log above for details.
[20:04:32.376] Failed to set up socket for dynamic port forward to remote port 38671: Socket closed. TCP port forwarding may be disabled, or the remote server may have crashed. See the VS Code Server log above for details.
[20:04:32.401] > channel 3: open failed: administratively prohibited: open failed
> channel 4: open failed: administratively prohibited: open failed
[20:04:32.402] ERROR: TCP port forwarding appears to be disabled on the remote host. Ensure that the sshd_config has AllowTcpForwarding yes. Contact your system administrator if needed.

sshd_config__8">一、检查 sshd_config 配置文件

sudo vi /etc/ssh/sshd_config

1. 以下参数正确设置，并且配置已生效。

AllowTcpForwarding yes # 启用端口转发
X11Forwarding yes
PermitTunnel yes
ListenAddress 0.0.0.0

# 让 SSH 同时监听端口 22 和 42717
Port 22
Port 42717

# PermitOpen none

请确保 PermitOpen 没有限制端口的开放：
你的配置文件中有 PermitOpen none，这会禁用所有端口的转发。
你可以尝试注释掉这行或修改为允许特定端口的转发。

2. 修改配置后，需要重启 SSH 服务，使更改生效：

sudo systemctl restart sshd

3. 全部代码为：

#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.Include /etc/ssh/sshd_config.d/*.confPort 22
Port 42717
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key# Ciphers and keying
#RekeyLimit default none# Logging
#SyslogFacility AUTH
#LogLevel INFO# Authentication:#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10#PubkeyAuthentication yes# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2#AuthorizedPrincipalsFile none#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes# AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none# no default banner path
Banner /etc/issue.net# Allow client to pass locale environment variables
AcceptEnv LANG LC_*# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server# Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding yes
AllowTcpForwarding yes
#	PermitTTY no
#	ForceCommand cvs server
# PermitOpen none

二、检查防火墙设置

确保防火墙没有阻止端口转发。可以使用以下命令查看防火墙规则（以 firewalld 为例）：

sudo firewall-cmd --list-all

如果防火墙阻止了 SSH 或特定端口的流量，你可以打开相应的端口，例

sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

1. 添加端口转发规则

如果你需要将特定的端口转发到本地或其他端口，可以使用 --add-forward-port 添加端口转发。例如，如果你要将本地的某个端口转发到远程服务器的端口，可以按如下方式添加：

sudo firewall-cmd --add-forward-port=port=42717:proto=tcp:toport=42717 --permanent
sudo firewall-cmd --reload

这将转发本地端口 42717 到远程端口 42717。

2. 启用 masquerading (NAT)

如果你需要使用端口转发或 NAT，建议启用 masquerading（网络地址转换）。这对于某些类型的端口转发是必要的，尤其是当防火墙位于 NAT 路由器或具有多个网络接口的服务器时：

sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload

3. 确保防火墙允许其他必需端口

如果需要转发其他特定端口（如在 VS Code 中使用的端口），确保它们也被防火墙允许。例如，如果你需要 42717 端口在防火墙中开放，可以添加：

sudo firewall-cmd --add-port=42717/tcp --permanent
sudo firewall-cmd --reload

4. 检查防火墙规则是否生效

更改配置后，使用以下命令检查防火墙的当前规则是否正确：

sudo firewall-cmd --list-all

总结
根据当前的防火墙配置，ssh 端口（22/tcp）是开放的，但是没有设置端口转发和 masquerading。如果你需要进行端口转发，务必添加相关规则并启用 masquerading，然后重新加载防火墙配置。

确保 AllowTcpForwarding 被启用：如果防火墙是启用的，可以通过 firewall-cmd 来允许端口 42717 的转发。

例如，启用端口转发：

sudo firewall-cmd --zone=public --add-port=42717/tcp --permanent
sudo firewall-cmd --reload

检查端口转发规则是否生效：使用 ss 或 netstat 确认服务器是否正确监听了所需的端口。

sudo ss -tuln | grep 42717

检查防火墙是否有特殊限制：确认是否有 rich rules 或其他更细粒度的限制，阻止了端口转发。你可以使用以下命令查看详细的 rich rules 配置：

sudo firewall-cmd --list-rich-rules