* An old SecureCRT cannot connect to a newer sshd server
The error reported is:
Key exchange failed. No compatible key exchange method. The server supports these methods: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Cause:
The old SecureCRT (version 6.7.0 (build 153)) supports the following 5 key exchange methods:
Kerberos
Kerberos (Group Exchange)
Diffie-hellman-group14
Diffie-hellman-group
Diffie-hellman
None of these 5 is in the default key exchange list of the new sshd. The three Diffie-Hellman entries are evidently the SHA-1 methods diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1, which OpenSSH still implements but no longer enables by default. The current sshd version is:
OpenSSH_8.3p1, OpenSSL 1.1.1j 16 Feb 2021
Fix:
Edit /etc/ssh/sshd_config and add (I added it at the end of the file):
KexAlgorithms diffie-hellman-group14-sha1
then restart sshd:
#service sshd restart
and the old client connects again.
Two things to know about that line. A bare KexAlgorithms value replaces sshd's built-in default list, so written this way the server offers diffie-hellman-group14-sha1 and nothing else, to every client; the form KexAlgorithms +diffie-hellman-group14-sha1 appends the method to the defaults instead, so current clients keep negotiating the curve25519/SHA-256 methods and only the old SecureCRT falls back to SHA-1. And sshd uses the first KexAlgorithms line it encounters, so appending at the end of the file only has an effect when no earlier line already sets it; running sshd -t before the restart catches syntax mistakes that would otherwise lock you out of the box.
(The document I referred to says to add:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
but adding a single method that SecureCRT supports is enough. If you do use a list like that, leave diffie-hellman-group1-sha1 out: it uses a 1024-bit group, which is why OpenSSH disabled it, and group14-sha1 (2048-bit group) already covers the old client.)
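The failure and the two ways of fixing it come down to list arithmetic: which methods the server ends up offering, and whether the client's list has anything in common with them. The following shell functions, added here as an example and not part of the original notes or of OpenSSH, reproduce that arithmetic. The default list is the one the error message above shows the server offering; the old SecureCRT list is an assumption that maps its menu entries to the SSH wire names of the SHA-1 Diffie-Hellman methods, and MODERN_CLIENT_KEX stands for a client configured with the same method set as the stock server.

```shell
# Added example (not from the original notes): how sshd builds the key exchange
# list it offers from a KexAlgorithms value, and which method a client ends up
# with. Lists are the comma-separated strings that appear in sshd_config.

SSHD_DEFAULT_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
# Assumption: SecureCRT 6.7's "Diffie-hellman-group14", "Diffie-hellman-group" and
# "Diffie-hellman" menu entries are these three RFC 4253/4419 methods.
OLD_SECURECRT_KEX='diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'
# Assumption: a current client that prefers exactly the stock server's methods.
MODERN_CLIENT_KEX=$SSHD_DEFAULT_KEX

# effective_kex VALUE [DEFAULT]: the list sshd offers for "KexAlgorithms VALUE".
#   name,...   replaces the default list entirely
#   +name,...  appends to the default list
#   ^name,...  puts the names in front of the default list
#   -name,...  removes the names from the default list (exact names only here;
#              sshd also accepts wildcards, which this helper does not)
effective_kex() {
    value=$1
    default=${2:-$SSHD_DEFAULT_KEX}
    case $value in
        +*) printf '%s,%s\n' "$default" "${value#+}" ;;
        ^*) printf '%s,%s\n' "${value#^}" "$default" ;;
        -*)
            out=
            for alg in $(printf '%s' "$default" | tr ',' ' '); do
                keep=1
                for drop in $(printf '%s' "${value#-}" | tr ',' ' '); do
                    [ "$alg" = "$drop" ] && keep=0
                done
                [ $keep -eq 1 ] && out="${out:+$out,}$alg"
            done
            printf '%s\n' "$out"
            ;;
        *)  printf '%s\n' "$value" ;;
    esac
}

# kex_negotiate CLIENT SERVER: the method SSH agrees on, i.e. the first entry in
# the client's list that the server also offers. Prints nothing and returns 1
# when there is no common method, which is the "Key exchange failed" case.
kex_negotiate() {
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        for s in $(printf '%s' "$2" | tr ',' ' '); do
            if [ "$c" = "$s" ]; then
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    return 1
}

# Stand-alone demo: stock server, the fix from the notes, and the "+" form.
for setting in '' 'diffie-hellman-group14-sha1' '+diffie-hellman-group14-sha1'; do
    if [ -n "$setting" ]; then offered=$(effective_kex "$setting"); else offered=$SSHD_DEFAULT_KEX; fi
    printf 'KexAlgorithms %-30s old SecureCRT gets: %s\n' "${setting:-(default)}" \
        "$(kex_negotiate "$OLD_SECURECRT_KEX" "$offered" || echo none)"
    printf '%-44s modern client gets: %s\n' '' \
        "$(kex_negotiate "$MODERN_CLIENT_KEX" "$offered" || echo none)"
done
```

On the real server the equivalent check is `sshd -T | grep -i kexalgorithms`, which prints the list the running configuration actually offers, and `ssh -Q kex` lists every method the binary implements, enabled or not.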
Reference:
a. Follow-up problems after upgrading ssh
* Creating a usable Samba user on OpenWrt
The problem:
A new Samba user is needed. Samba users are tied to the system user of the same name, so a system user with that name has to exist first.
But the OpenWrt base system has no useradd or adduser command, and after opkg update no package providing one turned up in the available package list either (including the shadow-useradd package or similar commands that some people mention), so the user cannot be added with a command.
a. So, add the user by hand
a.1 Edit /etc/passwd and add the new user's entry
# vim /etc/passwd
Add one line:
newuser:x:66666:66666:newuser:/home/newuser:/bin/ash
Notes:
newuser is the user name and /home/newuser is its home directory.
66666 is the user ID; it must be unique within the whole passwd file.
/bin/ash is the shell, copied from the root line. If the account is only going to be used for Samba, /bin/false is the safer choice: smbpasswd only needs the account to exist, and a non-login shell keeps the account from being usable over SSH.
a.2 Edit /etc/group and add the new user's group; the group name is normally the same as the user name
# vim /etc/group
Add one line:
newuser:x:66666:newuser
Notes:
The group name is the same as the user name.
The group ID is the same as the user ID.
a.3 Create the home directory and set its owner/group
# mkdir /home/newuser
# chown newuser /home/newuser
# chgrp newuser /home/newuser
a.4 Set the new user's password
# passwd newuser
b. Now set up the Samba user
b.1 Set a Samba password for the new user
# smbpasswd -a newuser
......
Added user newuser.
b.2 Enable the Samba user
# smbpasswd -e newuser
Enabled user newuser.
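Steps a.1 to a.4 are easy to get wrong by hand, mainly the uniqueness of the ID across the passwd and group files. The script below, added here as an example and not part of the original notes or of OpenWrt, does the same file edits with those checks. Assumptions: ROOT names the directory holding passwd/group/shadow (default /etc; point it at a scratch directory to try it out), the shadow line uses the locked-password layout useradd writes, and the default shell is /bin/false for a Samba-only account, as discussed in a.1.

```shell
# Added example (not from the original notes): add a local user by appending to
# the passwd/group/shadow files directly, the way the notes do by hand, but with
# uniqueness checks on both the name and the numeric id.

# uid_in_use FILE ID: true if field 3 (uid in passwd, gid in group) equals ID
uid_in_use() {
    awk -F: -v id="$2" '$3 == id { found = 1 } END { exit !found }' "$1"
}

# name_in_use FILE NAME: true if field 1 equals NAME
name_in_use() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# add_user NAME ID [SHELL]: append the passwd, group and (if present) shadow
# entries for a user/group pair sharing the numeric ID. Refuses to touch
# anything if the name or the ID is already taken in either file.
add_user() {
    name=$1; id=$2; shell=${3:-/bin/false}
    etc=${ROOT:-/etc}                      # assumption: ROOT overrides /etc for testing
    for f in passwd group; do
        if name_in_use "$etc/$f" "$name"; then
            echo "add_user: name $name already exists in $etc/$f" >&2; return 1
        fi
        if uid_in_use "$etc/$f" "$id"; then
            echo "add_user: id $id already exists in $etc/$f" >&2; return 1
        fi
    done
    printf '%s:x:%s:%s:%s:/home/%s:%s\n' "$name" "$id" "$id" "$name" "$name" "$shell" >> "$etc/passwd"
    printf '%s:x:%s:%s\n' "$name" "$id" "$name" >> "$etc/group"
    if [ -f "$etc/shadow" ]; then
        # locked ("!") until passwd(1) sets a hash; other fields as useradd writes them
        printf '%s:!:0:0:99999:7:::\n' "$name" >> "$etc/shadow"
    fi
}

# setup_home NAME ID: home directory owned by the new user and private to it.
# Needs root on the real box; the demo and test below do not call it.
setup_home() {
    mkdir -p "/home/$1"
    chown "$2:$2" "/home/$1"
    chmod 0750 "/home/$1"
}

# Demo on a scratch copy, so it can be run anywhere without touching /etc.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/ash\n' > "$demo/passwd"
printf 'root:x:0:\n' > "$demo/group"
: > "$demo/shadow"
ROOT=$demo add_user newuser 66666 /bin/ash && cat "$demo/passwd" "$demo/group"
ROOT=$demo add_user other 66666 || echo "refused duplicate id 66666, as intended"
rm -rf "$demo"

# On the box, as root, steps a.1-a.4 then become:
#   add_user newuser 66666 && setup_home newuser 66666 && passwd newuser
# followed by b.1/b.2:
#   smbpasswd -a newuser && smbpasswd -e newuser
```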
* Setting up a Samba server on OpenWrt that Windows/Win10/ES File Explorer can all reach over the network
Environment:
An S905L TV box running OpenWrt installed on a TF card, booting from the TF card.
Apart from the roughly 1 GB the OpenWrt system occupies, the rest of the TF card is partitioned and formatted as exFAT. OpenWrt mounts this exFAT partition automatically at boot, and it is shared with Samba (in the web UI under Network Storage - Network Shares) for devices on the LAN.
The current Win10 release does not support SMB 1.0/CIFS by default. To reach older Samba devices, "SMB 1.0/CIFS File Sharing Support" and "SMB Direct" had been enabled under "Turn Windows features on or off", and such a machine has to be able to reach the Samba server on the box. This turns out not to be a problem at all: the current Samba version (4.11.6) has long supported the newer SMB protocol versions, so enabling SMB 1.0 on Windows is not needed for this server and is better left off.
The Android app "ES File Explorer" also has to be able to reach the same Samba server on the LAN.
Problem details:
Problem 1. A Samba server on Linux behaves differently from a Windows SMB server
When a Windows SMB server requires a login, it asks for it as soon as the connection is opened.
A Linux Samba server only asks for credentials when a "shared folder" is actually accessed.
Problem 2. The current Win10 release no longer allows anonymous (guest) access to SMB shares; it can only be re-enabled through the registry
That is cumbersome and not considered here.
Testing showed that as soon as a Samba server has even one share that allows anonymous access, Win10 cannot access the server at all, so every share on the server must require authentication.
Problem 3. When ES File Explorer accesses a Linux Samba server it uses anonymous access by default
It does not pop up a login dialog on its own, not even when it fails to open a share that requires a login.
So ES's login information has to be set manually.
This problem is related to problem 1.
Other
exFAT is a Microsoft file system with no Unix ownership or permission information, which sidesteps Linux's permission complications; that is why this file system was chosen. The flip side is that the file system cannot tell users apart, so access control rests entirely on Samba's authentication and on each share's valid users setting.
Conclusions
1. Every Samba share on OpenWrt must be set to require a user login.
2. ES needs the user login information set manually.
Samba server settings
1. Configuration file
The default LuCI configuration template on OpenWrt is:
[global]
netbios name = |NAME|
interfaces = |INTERFACES|
server string = |DESCRIPTION|
unix charset = |CHARSET|
workgroup = |WORKGROUP|
## This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests.
bind interfaces only = yes
## time for inactive connections to be closed in minutes
deadtime = 15
## disable core dumps
enable core files = no
## set security (auto, user, domain, ads)
security = user
## This parameter controls whether a remote client is allowed or required to use SMB encryption.
## It has different effects depending on whether the connection uses SMB1 or SMB2 and newer:
## If the connection uses SMB1, then this option controls the use of a Samba-specific extension to the SMB protocol introduced in Samba 3.2 that makes use of the Unix extensions.
server min protocol = NT1
client min protocol = NT1
## If the connection uses SMB2 or newer, then this option controls the use of the SMB-level encryption that is supported in SMB version 3.0 and above and available in Windows 8 and newer.
## (default/auto,desired,required,off)
#smb encrypt = default
## set invalid users
invalid users = root
## map unknown users to guest
map to guest = Bad User
## allow client access to accounts that have null passwords.
null passwords = yes
## The old plaintext passdb backend. Some Samba features will not work if this passdb backend is used. (NOTE: enabled for size reasons)
## (tdbsam,smbpasswd,ldapsam)
passdb backend = smbpasswd
## Set location of smbpasswd ('smbd -b' will show default compiled location)
#smb passwd file = /etc/samba/smbpasswd
## LAN/WAN options (IPTOS_LOWDELAY TCP_NODELAY) WAN (IPTOS_THROUGHPUT)
socket options = IPTOS_LOWDELAY TCP_NODELAY
## If this integer parameter is set to a non-zero value, Samba will read from files asynchronously when the request size is bigger than this value.
## Note that it happens only for non-chained and non-chaining reads and when not using write cache.
## The only reasonable values for this parameter are 0 (no async I/O) and 1 (always do async I/O).
## (1/0)
#aio read size = 0
#aio write size = 0
## If Samba has been built with asynchronous I/O support, Samba will not wait until write requests are finished before returning the result to the client for files listed in this parameter.
## Instead, Samba will immediately return that the write request has been finished successfully, no matter if the operation will succeed or not.
## This might speed up clients without aio support, but is really dangerous, because data could be lost and files could be damaged.
#aio write behind = /*.tmp/
## lower CPU usage if supported and aio is disabled (aio read size = 0 ; aio write size = 0)
## currently broken (NOTE: see https://bugzilla.samba.org/show_bug.cgi?id=14095 )
## (no, yes)
#use sendfile = yes
## samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.
#blocking locks = No
## disable loading of all printcap printers by default (iprint, cups, lpstat)
load printers = No
printcap name = /dev/null
## Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's.
disable spoolss = yes
## This parameter controls how printer status information is interpreted on your system.
## (BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ)
printing = bsd
## Disable that nmbd is acting as a WINS server for unknown netbios names
#dns proxy = No
## win/unix user mapping backend
#idmap config * : backend = tdb
## Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name.
## This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals.
## (netbios, mdns)
mdns name = mdns
## Clients that only support netbios won't be able to see your samba server when netbios support is disabled.
#disable netbios = Yes
## Setting this value to no will cause nmbd never to become a local master browser.
#local master = no
## (auto, yes) If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.
#preferred master = yes
## (445 139) Specifies which ports the server should listen on for SMB traffic.
## 139 is netbios/nmbd
#smb ports = 445 139
## This is a list of files and directories that are neither visible nor accessible.
## Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.
veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
## If a directory that is to be deleted contains nothing but veto files this deletion will fail unless you also set the delete veto files parameter to yes.
delete veto files = yes
################ Filesystem and creation rules ################
## reported filesystem type (NTFS,Samba,FAT)
#fstype = FAT
## Allows a user who has write access to the file (by whatever means, including an ACL permission) to modify the permissions (including ACL) on it.
#dos filemode = Yes
## file/dir creating rules
#create mask = 0666
#directory mask = 0777
#force group = root
#force user = root
#inherit owner = windows and unix
################################################################
The only change needed in this template is to comment out the line invalid users = root, like this:
#invalid users = root
Note that this line is what stops the root account from authenticating over SMB; if all access goes through the dedicated account created in step 2, it can be left in place, which is the safer choice.
2. Set up the Samba user
Create the user as described in "Creating a usable Samba user on OpenWrt".
3. Access
Win10 accesses the shares normally.
ES File Explorer accesses them normally once the login information for this server has been set in the app.
Reading and writing both work.
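The two conclusions above, the invalid users change and the SMB1 setting in the template all come down to a handful of smb.conf lines. The following check, added here as an example and not part of the original notes or of Samba, scans the active lines of an smb.conf for them and reports anything that would either let anonymous or root access through or keep SMB1 on. The two sample configurations are constructed for the demo: the weak one mirrors the LuCI template as modified above (invalid users = root commented out, NT1 still accepted) plus one share left open to guests, the hardened one is the same server with every share requiring a login.

```shell
# Added example (not from the original notes, and not a Samba tool): scan the
# active (uncommented) lines of an smb.conf for the settings the notes found to
# matter: SMB1 still accepted, root able to authenticate, null passwords, unknown
# users mapped to guest, and any share with guest access, which per problem 2 is
# enough to make Win10 reject the whole server.

# smbconf_audit [FILE]: one finding per line, nothing for a clean file.
# Reads standard input when no file is given.
smbconf_audit() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
            section = s; lsection = tolower(s); next
        }
        /=/ {
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            gsub(/[ \t]+/, " ", key)
            val = trim(substr($0, index($0, "=") + 1)); lval = tolower(val)
            if (lsection == "global") {
                if (key == "server min protocol" && lval ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
                    print "global: SMB1 accepted (server min protocol = " val ")"
                if (key == "invalid users") {
                    users = " " lval " "; gsub(/,/, " ", users)
                    if (users ~ / root /) root_blocked = 1
                }
                if (key == "null passwords" && lval ~ /^(yes|true|1)$/)
                    print "global: null passwords enabled"
                if (key == "map to guest" && lval != "never")
                    print "global: map to guest = " val " (unknown users become guests)"
            } else if (lsection != "") {
                if ((key == "guest ok" || key == "public") && lval ~ /^(yes|true|1)$/)
                    print "share [" section "]: guest access enabled"
            }
        }
        END { if (!root_blocked) print "global: root not listed in invalid users" }
    ' "${1:--}"
}

# Constructed sample: the LuCI template as modified in the notes, plus one share
# left open to guests. Paths are made up for the demo.
sample_weak_conf() {
    cat <<'EOF'
[global]
    server min protocol = NT1
    #invalid users = root
    map to guest = Bad User
    null passwords = yes
[sdcard]
    path = /mnt/sda2
    guest ok = yes
[private]
    path = /mnt/sda2/private
    valid users = newuser
EOF
}

# Constructed sample: every share requires a login, root kept out, SMB1 off.
sample_hardened_conf() {
    cat <<'EOF'
[global]
    server min protocol = SMB2_02
    invalid users = root
    map to guest = Never
    null passwords = no
[sdcard]
    path = /mnt/sda2
    valid users = newuser
EOF
}

echo "== weak =="; sample_weak_conf | smbconf_audit
echo "== hardened =="; sample_hardened_conf | smbconf_audit
# On the box: smbconf_audit /etc/samba/smb.conf
```

Samba's own `testparm -s` is still the authority on what the daemon will actually load; this check only reads the text and is meant to be run after editing the template and before restarting smbd.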
* The EmuELEC 2020 Spring Festival bundle (s905) was blocked by Baidu
Detailed description of the EmuELEC 3.3.1 2020 Spring Festival bundle:
https://www.bilibili.com/read/cv4420521/
Download:
(* The EmuELEC 2020 Spring Festival bundle (s905) was blocked by Baidu
https://cloud.189.cn/t/F7JfYbF7VnUz (access code: nlp7) has been moved to Tianyi Cloud; download it if you need it @人中日月 )
Extraction code: g13u
(Three supplementary packs: the modified arcade pack, and the ATOMISWAVE and NAOMI bundles; they have to be uploaded to the system yourself using the method in the EmuELEC user guide.)
Extraction code: zkdr
Extraction code: pty4
Also:
There is a Vol4 incremental pack, which should be the FBN arcade set,
and the 3.4 update pack, which updates EmuELEC to 3.4.
* history on OpenWrt only shows the commands of the current session
Reason: OpenWrt uses ash by default, and in the default setup this lightweight shell does not save its history to a file; the way around it is to switch to another shell, such as bash
Fix:
1. Install bash
# opkg update && opkg install bash
(&&, not a single &: the install has to wait for the package list update to finish.)
2. Set the user's shell to bash
# vim /etc/passwd
Change the shell of the relevant user to /bin/bash, then save and exit.
Log out and log back in for the new shell to take effect:
# echo $SHELL
/bin/bash
Two cautions: confirm that /bin/bash exists before saving, and keep the current session open until a fresh login works. If the bash package ever goes missing (for example after a sysupgrade that does not reinstall it), an account whose shell is /bin/bash can no longer log in. Also, the history file keeps everything typed at the prompt, including any passwords passed on a command line.
3. Check history
# history
The records should be there; after logging out and back in, the file ~/.bash_history (bash's history file) is present.
Public nginx -> public frp server <> internal frp client -> internal web
Related: FrpProPlugin
The ones I remember clearly are iptables, frp, nginx, socat, haproxy and rinetd.
Because I forward to RDP and then watch YouTube, even slight stutter is very noticeable. rinetd is very smooth, haproxy and frp are barely usable, and the rest are useless.
Here is a list of some of the more usable open-source NAT traversal (intranet tunnelling) tools, with the characteristics of each:
## 1. frp
frp is feature-complete and written mainly in Go; it is a heavyweight tool, and the server-side UI is plain.
Configuration is tedious, since different protocols need different parameters; data is stored in files, with no database backend.
## 2. holer
A lightweight tunnelling tool; the holer server is written in Java and has a clean, attractive UI.
The holer client comes in two versions, Java and Go, and supports almost every OS platform.
It uses the popular Spring Boot microservice framework and the Netty Java network framework.
Configuration is very simple: for all TCP protocols only a holer access key has to be set on the client.
Data is managed centrally in a MySQL database.
## 3. nps
A lightweight tunnelling tool written entirely in Go, with a clean server UI.
It supports the widest range of protocols; configuration is fairly simple; data is stored in files, with no database backend.
## 4. lanproxy
A lightweight tunnelling tool; the client comes in Go and Java versions and uses the Netty Java network framework; the server UI is poor.
Configuration is somewhat tedious; data is stored in files, with no database backend.
* Installing Docker on Ubuntu with the official install script (downloaded to a file first, which also lets you read it before it runs as root) fails as follows:
# curl -fsSL https://get.docker.com -o get-docker.sh
# sh get-docker.sh
# Executing docker install script, commit: 7cae5f8b0decc17d6571f9f52eb840fbc13b2737
+ sh -c apt-get update -qq >/dev/null
W: The repository 'cdrom://Ubuntu-Server 16.04.6 LTS _Xenial Xerus_ - Release amd64 (20190226) xenial Release' does not have a Release file.
E: Failed to fetch cdrom://Ubuntu-Server 16.04.6 LTS _Xenial Xerus_ - Release amd64 (20190226)/dists/xenial/main/binary-amd64/Packages Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get update cannot be used to add new CD-ROMs
E: Some index files failed to download. They have been ignored, or old ones used instead.
The cause is a leftover cdrom: entry from the installer in the APT sources: apt-get update fails on it and the script stops. Fix:
# vim /etc/apt/sources.list
# comment out the line containing cdrom, like this:
#deb cdrom:[Ubuntu-Server 16.04.6 LTS _Xenial Xerus_ - Release amd64 (20190226)]/ xenial main restricted
* Fixing the confused system clock on a Padavan router used as a secondary bridged wireless router
Symptom: NTP sync is configured but has no effect
Cause: probably because no WAN is configured
Fix:
1. Manually, using the upstream router at 192.168.1.1 as the time source:
# ntpd -t -p 192.168.1.1
2. Automatically
Under "Administration" - "Services", edit "Scheduled tasks (Crontab)" and add
0 * * * * ntpd -t -p 192.168.1.1
so the system syncs its time once every hour.
* Running a command as a specified user on Linux
Syntax: # su - username -c "command"
For example:
# su - user -c "whoami"
user
Explanation: whoami is run as the user user, so the identity returned is "user". The "-" starts a login shell for that user, so the command runs with that user's own environment (HOME, PATH) rather than inheriting root's.