我想通过执行某事登录到远程服务器,例如ssh 远程服务器。只能通过登录服务器(有两个)访问远程服务器。
我希望能够采取两种路线(以防一个登录服务器无法使用):
- A→乙→德
- A→C→德
一些信息:
- A:我的本地计算机
- 乙:登录服务器;仅允许用户名B/密码登录(无密钥文件);我无法进行更改(保存密钥文件等)
- C:登录服务器;允许密钥文件登录;我可以做一些改变(但不是超级用户)
- 德:目标服务器;只能从 B 或 C 访问;允许密钥文件登录
我正在使用受密码保护的私钥文件(在 A 和 C 上;同一个),我可以使用它来登录 C 和 D。这是我想要的:
- SSH B_D:提示输入用户名 B@B 的密码,然后输入用户名 D@D 的私钥文件的密码。由于我无法在 B 上保存私钥,因此必须以某种方式转发它。如果我已使用 ssh-agent 加载它,它不应该再次要求输入密码。
- ssh C_D:提示输入私钥密码一次,然后使用它登录用户名C@C,然后登录用户名D@D。同样,如果密钥事先已加载 ssh-agent,则不应提示输入密码。
我能够部分地使用以下命令来实现上述操作(但前提是密钥是使用 ssh-agent 加载的):
ssh -A -t usernameB@B ssh usernameD@D
ssh -A -t usernameC@C ssh usernameD@D
是否有修改可以先加载密钥文件,但仅限于此会话?如果我注销,则密钥文件应该被卸载。
上述命令有两个问题:
- 我不想先用 ssh-agent 手动加载密钥。这样就违背了只需输入一个命令的目的。
- 我想将此命令或等效命令放入 ssh 配置文件中。如果有其他方法可以实现我想要的效果,那也很好(只要我不需要在 B 上修改任何内容,也不需要 C 上的超级用户权限)。
我能够使用 ssh 配置文件实现类似的功能:
Host C
HostName addressOfC
User usernameC
IdentityFile ~/.ssh/id_rsa
ForwardAgent yes
Host C_D
HostName addressD
User usernameD
IdentityFile ~/.ssh/id_rsa
Port 22
ProxyCommand ssh -A -W %h:%p C
同样,有两个问题:
- 我需要先使用 ssh-agent 加载密钥。否则它会提示输入两次密码。
- 连接需要很长时间(24 秒)。我应该在这里提一下,我在 Windows 上使用 mobaXterm,以防这是导致 24 秒的原因。
最后还有一个问题:转发代理似乎并不安全,根据https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/。因此,避免转发代理的解决方案会很好。
编辑:
根据@jakuje的评论,我将配置文件修改为:
Host C
HostName addressOfC
User usernameC
IdentityFile ~/.ssh/id_rsa
Host C_D
HostName addressD
User usernameD
IdentityFile ~/.ssh/id_rsa
Port 22
ProxyCommand ssh -W %h:%p C
运行ssh -vvv C_D
我得到以下日志(MobaXterm 7.4):
OpenSSH_6.2p2, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /home/mobaxterm/.ssh/config
debug1: /home/mobaxterm/.ssh/config line 24: Applying options for C_D
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec ssh -W addressOfD:22 C
debug1: permanently_drop_suid: 1000
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/mobaxterm/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "addressOfD" from file "/home/mobaxterm/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/mobaxterm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 [email protected]
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 [email protected]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 533/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA [...]
debug3: load_hostkeys: loading entries for host "addressOfD" from file "/home/mobaxterm/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/mobaxterm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'addressOfD' is known and matches the RSA host key.
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:1
debug2: bits set: 515/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mobaxterm/.ssh/id_rsa (0x20072e98), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred hostbased,publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: password,keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mobaxterm/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp [...]
debug3: sign_and_send_pubkey: RSA [...]
debug1: Enabling compression at level 6.
这里暂停了大约 22 秒。
debug1: Authentication succeeded (publickey).
Authenticated to addressOfD (via proxy).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /bin/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
编辑2:
我尝试在 Ubuntu 16.04 下设置 ssh 配置,没有出现 24 秒延迟(连接在 2 秒内建立)。我下载了最新版本的 MobaXterm(v9.1),只有第一次建立连接时速度很慢。我还在 Windows 10(之前是 Windows 7)上测试了 MobaXterm,结果相同。所以我猜这是 Windows/MobaXterm 或它在后台使用的任何程序的问题。
结论:
看来我能做的最好的事情就是转到 Linux(有点过头了)或转发 ssh 代理(如果我运气好的话)或坐下来等一会儿。在这两种情况下,我都必须提前加载 ssh 密钥,以避免必须输入两次密码。
答案1
- 我需要先使用 ssh-agent 加载密钥。否则它会提示输入两次密码。
你不需要它。如果你的密钥有密码,它就很有用。
- 连接需要很长时间(24 秒)。我应该在这里提一下,我在 Windows 上使用 mobaXterm,以防这是导致 24 秒的原因。
连接需要一些时间。如果您想要更快(对于单独的连接,请使用ControlMaster
选项)。
ProxyCommand ssh -A -W %h:%p C
这里不需要代理转发。身份验证始终从您的本地计算机完成。
ForwardAgent yes
这里都不是,除非您想使用来自服务器的密钥C
。