从我的机器上,我必须通过节点A、B和连接C才能到达target:
localhost -> A -> B -> C -> target
机器 A配置为拒绝X11 Forwarding,所以我想我应该无法通过经过的连接打开图形界面ssh A。
但是,设置~/.ssh/config文件,并ProxyCommand使用添加netcat,我已经能够在打开一个图形应用程序target,只需执行即可ssh -XY target。中的设置~/.ssh/config如下:
Host A
Hostname domainA
Host B
Hostname domainB
ProxyCommand ssh A nc %h %p
Host C
Hostname domainC
ProxyCommand ssh B nc %h %p
Host target
Hostname domain-target
ProxyCommand ssh C nc %h %p
连接本身可以正常工作,我对此非常满意。然而,我实际上并不明白幕后发生了什么。
当我运行的时候ssh -XY target,实际上发生了什么,为什么我能够通过这个打开 GUI隧道,即使主机A不允许X11 Forwarding?
我知道付出一些努力是件好事,所以我就尽我所能,试图理解上面的执行情况。我已将 替换target为TARGET,并将 host 替换C为HOST_C。
$ ssh -vXY TARGET
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/rubens/.ssh/config
debug1: /home/rubens/.ssh/config line 20: Applying options for TARGET
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Executing proxy command: exec ssh HOST_C nc TARGET 22
debug1: permanently_drop_suid: 1000
debug1: identity file /home/rubens/.ssh/id_rsa type 1
debug1: identity file /home/rubens/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0,
remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA (some numbers...)
debug1: Host 'TARGET' is known and matches the RSA host key.
debug1: Found key in /home/rubens/.ssh/known_hosts:51
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/rubens/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to TARGET (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-48-generic x86_64)
...
rubens@TARGET:~
$ # prompt, and I'm able to open graphical apps, like gkrellm
连接似乎首先与主机进行C,这需要先前的连接(向后递归堆叠依赖关系,并按后进先出顺序解决它们)。
在 host A(即第一级连接)上,是否X11Forward应用了权限?或者它只是创建一个连接隧道nc,直到 machine target,并返回一个打开的套接字,我稍后会将其用于以下用途:
ssh -XY (open socket resulting from connections A->B->C->target)
如果是,我可以连接吗?或者主机的设置X11Forwarding有问题?A
答案1
主机 A 不转发 X11 连接,而主机 C 转发。您连接到主机 C 并打开 X11 应用程序(客户端),然后该应用程序会显示在本地计算机(服务器)上。连接通过中间节点 A 和 B 传递,但这与在本地主机和主机 C 之间设置的 X 转发无关。
注意:您不需要 netcat,因为您使用的 OpenSSH 具有-W用于此目的的选项。