Setting up an ssh tunnel through multiple hosts and different users

I have the following ssh connections:

    user1@local --> root@machine1 --> root@machine2 --> abc@machine3

I need to be able to connect directly from local to machine3:

    [user1@local]$ ssh abc@machine3

At this point, if I need to type a password that is fine, but ideally I would like to use ssh keys and connect without a password.

I am able to connect to machine1 and machine2 using sudo, but connecting to machine3 fails:

    [user1@local]$ sudo ssh abc@machine3
    [email protected]'s password:
    [email protected]'s password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

My /root/.ssh/config file contains the following:

    Host machine1
        HostName machine1.com
        User root
        IdentitiesOnly yes

    Host machine2
        HostName machine2.com
        User root
        ProxyCommand ssh -W %h:%p machine1
        IdentitiesOnly yes

    Host machine3
        HostName machine3.com
        User abc
        ProxyCommand ssh -W %h:%p machine2
        IdentitiesOnly yes

I am using OpenSSH_5.3p1 on the local machine, so I cannot use ProxyJump. Also, netcat is not available on machines 1, 2 and 3.

When I ssh manually, I can only ssh from machine2 to machine3 as user abc, and then no password is needed (authorized_keys on machine3 contains the public key from machine2). Manually connecting from machine2 to machine3 as any other user results in the same permission denied error as above.

Any idea how to achieve the desired ssh connection from the local machine? Is this doable? Once the tunnel is set up I need to create some files on machine3 and restart a service there - all of this done via a script.

Edit

I tried ssh in verbose mode and got the following:

    [user1@local]$ sudo ssh -v abc@machine3
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /root/.ssh/config
    debug1: Applying options for machine3
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Executing proxy command: exec ssh -W machine3.com:22 machine2
    debug1: permanently_drop_suid: 0
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/identity-cert type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    [email protected]'s password:
    [email protected]'s password:
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'machine3.com' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:4
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/identity
    debug1: Trying private key: /root/.ssh/id_rsa
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The only file present in the .ssh directory on machine3 is authorized_keys.

Answer 1

The fact that you can ssh from machine2 to machine3 means that there is a private key on machine2 that authenticates you to machine3.

You can copy this private key to your local machine and specify its path in your ~/.ssh/config:

    Host machine3
      IdentityFile /path/to/the/key

Answer 2

After looking into another related question I did the following, which partially/fully solved my problem:

  1. Copied the private and public keys from machine1 and machine2 to local, using different names: /root/.ssh/id_rsa_machine1, /root/.ssh/id_rsa_machine1.pub and /root/.ssh/id_rsa_machine2, /root/.ssh/id_rsa_machine2.pub.
  2. Generated an ssh key on the local system.
  3. Added the public key of the local system to authorized_keys on machine3.
  4. Added the public key from local to machine1.
  5. Added the public key from machine1 to machine2 (machine3 already had the public key from machine2 in authorized_keys).
  6. Modified the local /root/.ssh/config file so that it looks like this:

    Host machine1
        HostName machine1.com
        User root
        IdentityFile /root/.ssh/id_rsa_machine1
        Port 22
        IdentitiesOnly yes
    
    Host machine2
        HostName machine2.com
        User root
        IdentityFile /root/.ssh/id_rsa_machine2
        Port 22
        ProxyCommand ssh -W %h:%p machine1
        IdentitiesOnly yes
        ForwardAgent yes
    
    
    Host machine3
        HostName machine3.com
        User abc
        ProxyCommand ssh -W %h:%p machine2
        IdentitiesOnly yes
        ForwardAgent yes
    

The referenced identity files need to exist on the local machine. I can now ssh directly from local to machine3 using sudo without entering a password! :-)

Additional changes made for user1 on local so that ssh directly to machine3 as user1 works without a password prompt:

  1. Copied the private and public keys from machine1 and machine2 to the user1 .ssh directory on the local machine, with the following names: ~/.ssh/id_rsa_machine1, ~/.ssh/id_rsa_machine1.pub and ~/.ssh/id_rsa_machine2, ~/.ssh/id_rsa_machine2.pub.
  2. Added the public key of user1 on the local system to authorized_keys on machine3.

Added the following to the user1 ~/.ssh/config file:

    Host machine1
        HostName machine1.com
        User root
        IdentityFile ~/.ssh/id_rsa_machine1
        Port 22
        IdentitiesOnly yes

    Host machine2
        HostName machine2.com
        User root
        IdentityFile ~/.ssh/id_rsa_machine2
        Port 22
        ProxyCommand ssh -W %h:%p machine1
        IdentitiesOnly yes
        ForwardAgent yes


    Host machine3
        HostName machine3.com
        User abc
        ProxyCommand ssh -W %h:%p machine2
        IdentitiesOnly yes
        ForwardAgent yes

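The failure in the question and the fix in Answer 2 both come down to which identity each hop of the `ProxyCommand ssh -W` chain can present. The following added example (not code from the question or either answer) parses the Host blocks used on this page, walks the chain from machine3 back to machine1, and flags a hop whose `IdentitiesOnly yes` has no `IdentityFile` (so only the default ~/.ssh/id_* files are tried, exactly what the verbose log shows for root) as well as `ForwardAgent yes` on an intermediate hop. The sample config is constructed after the question's first /root/.ssh/config; the function names are mine.

```python
import re
# Constructed sample modelled on the question's first /root/.ssh/config: no hop names an IdentityFile.
SAMPLE_CONFIG = """
Host machine1
    HostName machine1.com
    User root
    IdentitiesOnly yes
Host machine2
    HostName machine2.com
    User root
    ProxyCommand ssh -W %h:%p machine1
    IdentitiesOnly yes
Host machine3
    HostName machine3.com
    User abc
    ProxyCommand ssh -W %h:%p machine2
    IdentitiesOnly yes
"""
PROXY_RE = re.compile(r"^ssh\s+-W\s+%h:%p\s+(\S+)$")  # only the 'ssh -W' form used on this page

def parse_ssh_config(text):
    """Parse the Host/keyword subset used here into {alias: {lowercased keyword: [values]}}."""
    hosts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current.setdefault(key.lower(), []).append(value.strip())
    return hosts

def resolve_chain(hosts, alias):
    """Follow 'ProxyCommand ssh -W %h:%p <alias>' links back to the first hop; local-to-target order."""
    chain = []
    while alias in hosts and alias not in chain:  # 'not in chain' guards against a config loop
        chain.append(alias)
        m = PROXY_RE.match(hosts[alias].get("proxycommand", [""])[0])
        alias = m.group(1) if m else None
    return chain[::-1]

def audit_hop(cfg):
    """Explain why a hop may prompt for a password or end in 'Permission denied (publickey)'."""
    warnings = []
    if cfg.get("identitiesonly", ["no"])[0].lower() == "yes" and "identityfile" not in cfg:
        warnings.append("IdentitiesOnly yes without IdentityFile: agent keys are ignored, only ~/.ssh/id_* defaults are tried")
    if cfg.get("forwardagent", ["no"])[0].lower() == "yes":
        warnings.append("ForwardAgent yes: root on this hop can use the forwarded agent while the session lasts")
    return warnings
```

Run `audit_hop(hosts[a]) for a in resolve_chain(hosts, "machine3")` over your own config to see which hop needs an `IdentityFile` before the chain can be password-free.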