Edit: Meanwhile, I have filed a bug with OpenSSH (https://bugzilla.mindrot.org/show_bug.cgi?id=2577). If anything comes of it, I will post it here as well. New edit: this limitation will be addressed in OpenSSH 7.3 (see here).
I use an SSH jump host/proxy at one location to reach the rest of the machines there. Everything works except port forwarding. My .ssh/config (explanations are in the file):
## a list of hostnames otherwise not known to my laptop,
## i. e. not in /etc/hosts
## at home, in my local network, "ssh server" will connect me to the server
Host server
Host archpi
Host banana
Host uncle
Host router
Host dlna
Host osmc
Host vostro
Host xps
Host thor
Host hp
## the jump host
Host jump
HostName my.dynamicdns.com
Port 2222
IdentityFile ~/.ssh/my-jump/remote_ed25519
ControlMaster auto
ControlPath ~/.ssh-cm-socket/%r@%h:%p
## the forwarding rule which does not work
## also, LocalForward x y:z does not work
DynamicForward 1080
## abroad, this stanza together with the * stanza will connect me
## to the hosts above via the jump host.
## Yes, private ssh keys sit in subdirectories. %h will resolve as
## "server/remote" here, resulting in ~/.ssh/my-server/remote_ed25519;
## $(dirname %h) will simply be "server"
Host */remote
IdentityFile ~/.ssh/my-%h_ed25519
ProxyCommand ssh -W $(dirname %h):22 jump
Ciphers arcfour
## at home, in my local network, "ssh server" will connect me to the server directly.
## abroad, via public wifi, and together with the */remote stanza,
## "ssh server/remote" will connect me to the server via the jump host.
## This identity file seems to be somewhere else, but isn't. In this stanza,
## %h will be resolved as "server" to ~/.ssh/my-server/remote_ed25519
Host *
Compression yes
CompressionLevel 1
ForwardAgent yes
ServerAliveInterval 60
User my
IdentityFile ~/.ssh/my-%h/remote_ed25519
Again, everything works. I can connect to "server" in my local LAN, and to "server/remote" from abroad. I can ssh to "jump" and the port forward is set up. Only when I connect to another host via jump it is not. Why? And, more importantly: how do I forward the port with this ssh config?
Edit: Whenever I connect directly to "jump", the port is forwarded. Whenever I connect to another host via "jump", it is not. Judging from the log files, the only difference seems to be
Session via "jump", output of ssh -vvv router/remote
[...]
Authenticated to router/remote (via proxy).
debug2: fd 7 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: proc
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request auth-agent-req@openssh.com confirm 0
debug3: send packet: type 98
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env XDG_VTNR
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env HOSTNAME
debug3: Ignored env QUBES_ENV_SOURCED
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env VTE_VERSION
debug3: Ignored env HISTSIZE
debug3: Ignored env QUBES_KEYMAP
debug3: Ignored env WINDOWID
debug3: Ignored env QUBES_USER_KEYMAP
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env PATH
debug3: Ignored env MAIL
debug3: Ignored env QT_X11_NO_MITSHM
debug3: Ignored env UPDTYPE
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env MODULEPATH
debug3: Ignored env LOADEDMODULES
debug3: Ignored env QREXEC_AGENT_PID
debug3: Ignored env SSH_ASKPASS
debug3: Ignored env HISTCONTROL
debug3: Ignored env XDG_SEAT
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env GNOME_DESKTOP_SESSION_ID
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env MODULESHOME
debug3: Ignored env VMTYPE
debug3: Ignored env LESSOPEN
debug3: Ignored env WINDOWPATH
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env DISPLAY
debug3: Ignored env BASH_FUNC_module()
debug3: Ignored env BASH_FUNC_scl()
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
debug3: send packet: type 1
debug1: fd 2 clearing O_NONBLOCK
[user@personal ~]$ ss -lant4 | grep 1080
[user@personal ~]$
Session via "jump", output of the ProxyCommand ssh -W $(dirname %h):22 jump 2>log.txt:
[...]
Authenticated to my.dynamicdns.com ([12.34.56.78]:2222).
debug3: ssh_init_stdio_forwarding: router:22
debug1: channel_connect_stdio_fwd router:22
debug1: channel 0: new [stdio-forward]
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: getpeername failed: Bad file descriptor
debug3: send packet: type 90
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: callback start
debug2: callback done
debug2: channel 0: open confirm rwindow 2097152 rmax 32768
debug3: send packet: type 1
debug1: channel 0: free: direct-tcpip: listening port 0 for router port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 direct-tcpip: listening port 0 for router port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536 (t4 r0 i0/0 o0/0 fd 4/5 cc -1)
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug3: fd 2 is not O_NONBLOCK
Connecting to "jump", output of ssh -vvv jump
[...]
Authenticated to my.dynamicdns.com ([12.34.56.78]:2222).
debug1: Local connections to localhost:1080 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 1080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 1080.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Requesting authentication agent forwarding.
[user@personal ~]$ ss -lant4 | grep 1080
LISTEN 0 128 127.0.0.1:1080 *:*
All the forwards are logged in the direct connection's log. The connection via the jump host only shows debug1: getpeername failed: Bad file descriptor. Why is that? How can I forward the port?
Edit 2: Server logs. I have attached the server log (level 3) of host "jump" here. It does not say much about port forwarding, presumably because port forwarding is handled on the client side.
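To see which options actually reach each ssh process in the setup above, here is a small model of ssh_config resolution (first matching Host block to set an option wins, forwarding directives accumulate, %h is the name given on the command line). It is an added example, not code from the question or from OpenSSH, and it embeds a cut-down copy of the question's stanzas as constructed input. The one behaviour it assumes beyond the question is the documented meaning of -W in the ssh(1) manual: -W implies ClearAllForwardings (overridable in the config or with -o in current releases). Under that rule the DynamicForward in the "jump" stanza survives for a direct ssh jump but is dropped inside the ProxyCommand's ssh -W, which is exactly the difference the two logs show.

```python
"""Resolve an ssh_config the way ssh(1) does, to see which options reach the
ProxyCommand ssh and why a DynamicForward in the jump host's stanza is not
set up there.  Added example, not code from the question or from OpenSSH."""
import posixpath
import re
from fnmatch import fnmatch

# Constructed config: the question's stanzas, cut down to the directives
# that matter for the forwarding problem.
SSH_CONFIG = """
Host jump
    HostName my.dynamicdns.com
    Port 2222
    DynamicForward 1080
Host */remote
    IdentityFile ~/.ssh/my-%h_ed25519
    ProxyCommand ssh -W $(dirname %h):22 jump
Host *
    User my
    IdentityFile ~/.ssh/my-%h/remote_ed25519
"""

# Forwarding directives accumulate; every other option is "first value wins".
FORWARDS = {"DynamicForward", "LocalForward", "RemoteForward"}


def parse_config(text):
    """Return [(host_patterns, [(key, value), ...]), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key.lower() == "host":
            blocks.append((value.split(), []))
        elif blocks:
            blocks[-1][1].append((key, value))
    return blocks


def resolve(blocks, host, cli_opts=(), stdio_forward=False):
    """Options in effect for `ssh [-o k=v ...] [-W x:y] host`.

    Precedence as in ssh(1): explicit -o settings, then the config file
    (the first matching Host block to set an option wins), then defaults
    implied by flags.  Assumption from the ssh(1) manual: -W implies
    ClearAllForwardings unless the config or -o says otherwise.
    """
    opts = {}
    forwards = []
    for key, value in cli_opts:
        opts.setdefault(key, value)
    for patterns, kvs in blocks:
        if not any(fnmatch(host, p) for p in patterns):
            continue
        for key, value in kvs:
            if key in FORWARDS:
                forwards.append((key, value))
            else:
                opts.setdefault(key, value)
    if stdio_forward:
        opts.setdefault("ClearAllForwardings", "yes")
    if opts.get("ClearAllForwardings", "no") == "yes":
        forwards = []  # forwardings from the config file are discarded
    # %h expands to the host name given on the command line
    opts = {k: v.replace("%h", host) for k, v in opts.items()}
    return opts, forwards


def expand_dirname(cmd):
    """Do what the shell does with $(dirname X) inside the ProxyCommand."""
    return re.sub(r"\$\(dirname ([^)]+)\)",
                  lambda m: posixpath.dirname(m.group(1)), cmd)


def forwards_for(blocks, host, via_proxy):
    """Forwardings the ssh process connecting to `host` will set up;
    via_proxy says whether it was started as a ProxyCommand with -W."""
    return resolve(blocks, host, stdio_forward=via_proxy)[1]


if __name__ == "__main__":
    blocks = parse_config(SSH_CONFIG)
    outer, _ = resolve(blocks, "router/remote")
    print("ssh router/remote uses key:", outer["IdentityFile"])
    print("  ProxyCommand after shell expansion:",
          expand_dirname(outer["ProxyCommand"]))
    print("ssh jump forwards:              ", forwards_for(blocks, "jump", False))
    print("ssh -W router:22 jump forwards: ", forwards_for(blocks, "jump", True))
    _, fw = resolve(blocks, "jump", [("ClearAllForwardings", "no")], True)
    print("  with -o ClearAllForwardings=no:", fw)
```

The last call shows the override path: adding -o ClearAllForwardings=no to the ProxyCommand keeps the DynamicForward in the inner ssh, which is what the manual's "overridable" wording allows in releases where the fix referenced in the question's edit applies.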
Answer 1
OK. I had the feeling it would need extra care, but I just tested it with local and dynamic port forwarding (on the command line, to the target host) and it works fine for me.
Forwarding only to the jump box might need special care, since that connection is only passing through, or you might not have enough privileges. Checking the logs with LogLevel DEBUG3 added to the Host jump block might give you more ideas.