SSH via a bastion host (jump host)

Can someone give me a one-line ssh command that connects to a remote host through a bastion (jump) host? I am not interested in updating the ssh config.

I tried the command below, but it does not work. Any correction to the command below would be appreciated.

ssh -i remote.pem user@remote -o "ProxyCommand ssh -W %h:%p -i bastion.pem user@bastion"

Here are the exact error details:

$ ssh -i key user@remote -o "ProxyCommand ssh -W %h:%p -i key user@bastion" -vvv hostname
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname remote is address
debug1: Executing proxy command: exec ssh -W remote:22 -i key user@bastion
debug1: identity file key type -1
debug1: identity file key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
Host key verification failed.
kex_exchange_identification: Connection closed by remote host

Can anyone help me?

Based on the answer suggested by @Martin:

I can do the following:

ssh user@bastion

but if I do this:

ssh -i remote.pem -i bastion.pem -J user@bastion user@remote

I get the following error:

OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname <remote> is address
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -l user -vvv -W '[%h]:%p' <bastion>
debug1: Executing proxy command: exec ssh -l user -vvv -W '[<remote>]:22' <bastion>
debug1: identity file key type -1
debug1: identity file key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname <bastion> is address
debug2: ssh_connect_direct
debug1: Connecting to <bastion> [<bastion>] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to <bastion>:22 as 'user'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc
debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<#############>
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
kex_exchange_identification: Connection closed by remote host

Answer 1

Host key verification failed.

It seems that you have not verified the host key of the "bastion" server yet. And you cannot verify it when the connection is created using the ProxyCommand directive.

Since you are using OpenSSH 8.1, you can use the -J (jump) switch instead of the ProxyCommand directive:

ssh -i remote.pem -i bastion.pem -J user@bastion user@remote

See also Does OpenSSH support multihop login?

With the -J switch, you should get the normal host key verification prompt.

Alternatively, first connect to the "bastion" only, to verify its host key:

ssh user@bastion

When you use ssh in some standalone non-interactive environment, you have to copy the known_hosts file created by the above command to that environment.

Or use some of the tricks suggested in Specifying server host key fingerprint on the ssh command line.

Answer 2

In the end, this command worked:

ssh -o ProxyCommand="ssh -i key -o StrictHostKeyChecking=no -W %h:%p user@bastion" -i key -o StrictHostKeyChecking=no user@remote

I think adding StrictHostKeyChecking=no helped make it work.
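The following is an added example, not code from either answer above. It shows how to keep host key checking on in a non-interactive job instead of the StrictHostKeyChecking=no approach in Answer 2: the bastion's key is fetched with ssh-keyscan, compared against a fingerprint you obtained out of band (Answer 1's "specify the fingerprint" trick), written to a dedicated known_hosts file (Answer 1's "copy the known_hosts file" advice), and both hops are then run with StrictHostKeyChecking=yes. It uses the explicit ProxyCommand form rather than -J because, as the -vvv output above shows, the inner command that -J generates ("ssh -l user -W '[%h]:%p' bastion") carries no -o or -i options, so the first hop cannot be pointed at a custom known_hosts file that way without touching ssh_config. All host names, key file names and fingerprints (bastion.example, remote.example, bastion.pem, remote.pem, ./known_hosts.pinned) are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original question or answers): pin host keys
# out of band, then jump through the bastion with host key checking ON.
# Hypothetical names: bastion.example, remote.example, bastion.pem,
# remote.pem, ./known_hosts.pinned; fingerprints come from a trusted channel
# (provider console / serial log, or a colleague's verified known_hosts).

# fingerprint_matches LINE EXPECTED
#   LINE is one public-key or known_hosts line (e.g. ssh-keyscan output);
#   EXPECTED is the "SHA256:..." string as printed by ssh-keygen -l.
#   Returns 0 when the key in LINE has that fingerprint, 1 otherwise.
fingerprint_matches() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    # ssh-keygen -lf prints "<bits> SHA256:<fp> <host-or-comment> (<TYPE>)"
    actual=$(ssh-keygen -lf "$tmp" 2>/dev/null | awk '{print $2}')
    rm -f "$tmp"
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# bastion_proxy_command KNOWN_HOSTS BASTION_KEY USER@BASTION
#   Prints the first-hop command; checking stays on and uses the pinned file.
#   %%h/%%p are printed literally so ssh expands them to the remote host/port.
bastion_proxy_command() {
    printf 'ssh -i %s -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -W %%h:%%p %s' \
        "$2" "$1" "$3"
}

# pin_host_key HOST EXPECTED_FP KNOWN_HOSTS [USER@BASTION BASTION_KEY]
#   Scans HOST's ed25519 key (from the bastion when the optional args are
#   given, since ssh-keyscan itself cannot use a proxy), refuses to store it
#   unless the fingerprint matches, and appends it to KNOWN_HOSTS otherwise.
pin_host_key() {
    host=$1; expected=$2; kh=$3; via=${4-}; viakey=${5-}
    if [ -n "$via" ]; then
        line=$(ssh -i "$viakey" -o "UserKnownHostsFile=$kh" -o StrictHostKeyChecking=yes \
                   "$via" ssh-keyscan -t ed25519 "$host" 2>/dev/null | head -n 1)
    else
        line=$(ssh-keyscan -t ed25519 "$host" 2>/dev/null | head -n 1)
    fi
    [ -n "$line" ] || { echo "no key returned for $host" >&2; return 1; }
    if ! fingerprint_matches "$line" "$expected"; then
        echo "REFUSING to pin $host: presented key does not match $expected" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$kh"
}

# connect_via_bastion KNOWN_HOSTS BASTION_KEY USER@BASTION REMOTE_KEY USER@REMOTE [CMD...]
#   The outer ssh and the ProxyCommand both read the same pinned file, so the
#   remote's key must be pinned there as well (see pin_host_key with a bastion).
connect_via_bastion() {
    kh=$1; bkey=$2; bhost=$3; rkey=$4; rhost=$5; shift 5
    ssh -i "$rkey" \
        -o "UserKnownHostsFile=$kh" -o StrictHostKeyChecking=yes \
        -o "ProxyCommand=$(bastion_proxy_command "$kh" "$bkey" "$bhost")" \
        "$rhost" "$@"
}

# Demo: only runs when the two expected fingerprints are given as arguments,
#   sh pinned_jump.sh SHA256:<bastion fp> SHA256:<remote fp>
if [ "$#" -eq 2 ]; then
    KH=./known_hosts.pinned
    : > "$KH"
    pin_host_key bastion.example "$1" "$KH" || exit 1
    pin_host_key remote.example "$2" "$KH" user@bastion.example bastion.pem || exit 1
    connect_via_bastion "$KH" bastion.pem user@bastion.example remote.pem user@remote.example hostname
fi
```

StrictHostKeyChecking=no, as used in Answer 2, makes the connection succeed on first contact regardless of which key the peer presents, so it removes the one check that protects the session against an impostor on the path to the bastion; a pinned file as above keeps that check without needing a tty. If a pre-shared fingerprint is genuinely unavailable, StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) is the lesser evil: it records an unknown key on first use but still refuses a changed one afterwards.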
