Multi-hop SSH via config file

I want to log in to a remote server by running something like ssh remoteserver. The remote server can only be reached through a login server (there are two of them).

I would like to be able to take two routes (in case one login server is unavailable):

  1. A → B → D
  2. A → C → D

Some information:

  • A: my local machine
  • B: login server; only allows usernameB/password login (no key file); I cannot make changes there (store key files, etc.)
  • C: login server; allows key file login; I can make some changes (but I am not a superuser)
  • D: target server; only reachable from B or C; allows key file login

I am using a passphrase-protected private key file (on A and C; the same one) that I can use to log in to C and D. This is what I want:

  1. ssh B_D: prompts for the password of usernameB@B, then for the passphrase of the private key for usernameD@D. Since I cannot store the private key on B, it has to be forwarded somehow. If I have already loaded it with ssh-agent, it should not ask for the passphrase again.
  2. ssh C_D: prompts for the private key passphrase once, then uses the key to log in as usernameC@C and then as usernameD@D. Likewise, if the key has been loaded into ssh-agent beforehand, it should not prompt for the passphrase.

I was able to partially achieve the above with the following commands (but only if the key had been loaded with ssh-agent):

ssh -A -t usernameB@B ssh usernameD@D
ssh -A -t usernameC@C ssh usernameD@D

Is there a modification that loads the key file first, but only for this session? If I log out, the key file should be unloaded.

The commands above have two problems:

  1. I do not want to load the key with ssh-agent manually first. That defeats the purpose of only having to type one command.
  2. I want to put this command, or an equivalent, into the ssh config file. If there is another way to achieve what I want, that is fine too (as long as I do not need to change anything on B and do not need superuser rights on C).

I was able to achieve something similar with the ssh config file:

Host C
    HostName addressOfC
    User usernameC
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes

Host C_D
    HostName addressD
    User usernameD
    IdentityFile ~/.ssh/id_rsa
    Port 22
    ProxyCommand ssh -A -W %h:%p C

Again, two problems:

  1. I need to load the key with ssh-agent first. Otherwise it prompts for the passphrase twice.
  2. The connection takes a long time (24 seconds). I should mention here that I am using MobaXterm on Windows, in case that is what causes the 24 seconds.

Finally, one more issue: agent forwarding does not seem to be secure, according to https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/. So a solution that avoids agent forwarding would be welcome.

Edit:

Following @jakuje's comment, I changed the config file to:

Host C
    HostName addressOfC
    User usernameC
    IdentityFile ~/.ssh/id_rsa

Host C_D
    HostName addressD
    User usernameD
    IdentityFile ~/.ssh/id_rsa
    Port 22
    ProxyCommand ssh -W %h:%p C

Running ssh -vvv C_D I get the following log (MobaXterm 7.4):

OpenSSH_6.2p2, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /home/mobaxterm/.ssh/config
debug1: /home/mobaxterm/.ssh/config line 24: Applying options for C_D
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec ssh -W addressOfD:22 C
debug1: permanently_drop_suid: 1000
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/mobaxterm/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "addressOfD" from file "/home/mobaxterm/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/mobaxterm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 [email protected]
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 [email protected]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 533/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA [...]
debug3: load_hostkeys: loading entries for host "addressOfD" from file "/home/mobaxterm/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/mobaxterm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'addressOfD' is known and matches the RSA host key.
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:1
debug2: bits set: 515/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mobaxterm/.ssh/id_rsa (0x20072e98), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred hostbased,publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: password,keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mobaxterm/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp [...]
debug3: sign_and_send_pubkey: RSA [...]
debug1: Enabling compression at level 6.

Here it pauses for about 22 seconds.

debug1: Authentication succeeded (publickey).
Authenticated to addressOfD (via proxy).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /bin/xauth  list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0

Edit 2:

I tried setting up the ssh config under Ubuntu 16.04 and there was no 24-second delay (the connection was established within 2 seconds). I downloaded the latest version of MobaXterm (v9.1); only the first time a connection is established is it slow. I also tested MobaXterm on Windows 10 (previously Windows 7) with the same result. So I guess this is a problem with Windows/MobaXterm or whatever it uses in the background.

Conclusion:

It seems the best I can do is switch to Linux (a bit overkill), or forward the ssh agent (if I am lucky), or sit and wait a while. In both cases I have to load the ssh key beforehand to avoid having to enter the passphrase twice.

Answer 1

  1. I need to load the key with ssh-agent first. Otherwise it prompts for the passphrase twice.

You do not need it. It is useful if your key has a passphrase.

  2. The connection takes a long time (24 seconds). I should mention here that I am using MobaXterm on Windows, in case that is what causes the 24 seconds.

The connection takes some time. If you want it to be faster (for separate connections), use the ControlMaster option.

 ProxyCommand ssh -A -W %h:%p C

Agent forwarding is not needed here. Authentication is always done from your local machine.

 ForwardAgent yes

Not here either, unless you want to use keys from server C.
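The configuration the answer points toward, written out as an added example that is not part of the original question or answer: both routes from the question (B_D with password login at B, C_D with key login at C) without ForwardAgent, plus the ControlMaster options the answer mentions. Host aliases, addresses and user names are the placeholders from the question; the ControlPath and ControlPersist values are assumptions.

```sshconfig
# Added example, not the original poster's config. Host aliases, addresses and
# user names are the placeholders from the question; ControlPath/ControlPersist
# values are assumed.

# Login server B: password only, nothing may be stored there.
Host B
    HostName addressOfB
    User usernameB
    # No IdentityFile and no ForwardAgent: B only relays the TCP stream.

# Login server C: key login with the same key used for D.
Host C
    HostName addressOfC
    User usernameC
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

# Target D through B. ssh on A opens the connection to B (password prompt),
# runs "ssh -W" there to forward the raw TCP connection to D, and then
# authenticates to D with the key read on A. The private key never leaves A,
# so no agent and no ForwardAgent are involved.
Host B_D
    HostName addressOfD
    User usernameD
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p B

# Target D through C: same mechanism, key authentication at both hops.
Host C_D
    HostName addressOfD
    User usernameD
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p C

# Reuse one authenticated connection per alias for later sessions: the
# passphrase is entered once and further connections skip the slow setup.
# %n is the alias as typed on the command line, so B_D and C_D get separate
# sockets even though both point at addressOfD.
Host B C B_D C_D
    ControlMaster auto
    ControlPath ~/.ssh/cm-%n
    ControlPersist 10m
```

With this config, ssh B_D prompts for the password of usernameB@B and then for the passphrase of the local key when authenticating to D; the key is read on A only and nothing is stored on B. The first ssh C_D still asks for the passphrase twice (once for the hop to C, once for D) unless the key is held by an agent; to load it for a single session only, run ssh-agent sh -c 'ssh-add ~/.ssh/id_rsa && ssh C_D', which starts an agent that exits together with the subshell, so the key is unloaded when that session ends. While a ControlMaster connection is alive, further ssh C_D or ssh B_D commands reuse it and neither prompt nor repeat the connection setup. On OpenSSH 7.3 or newer, ProxyJump C is a shorter equivalent of ProxyCommand ssh -W %h:%p C; the log above shows OpenSSH 6.2, which does not have it.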
