带有 ProxyJump 和证书颁发机构签名的 SSH 密钥的 SSH JumpServer

tag-icon tag-icon ssh centos certificate certificate-authority
带有 ProxyJump 和证书颁发机构签名的 SSH 密钥的 SSH JumpServer

我想要实现以下目标:

  • 通过隧道从公共 SSH 服务器连接到私有 SSH 服务器
  • 理想情况下,这可以通过 SSH 客户端的“ProxyJump”选项轻松完成

我有以下设置:

  • JumpServer(我们称之为server_a)
    • AWS 中的 CentOS 7 服务器,可通过我的 IP 地址公开访问。允许使用 TCP/22。
  • 目标服务器(我们称之为 server_b)
    • AWS 中的第二个 CentOS 7 服务器,位于私有子网中,可通过端口 TCP/22 上的 JumpServer 进行访问

因此,对我来说最舒服的方法是使用命令 ssh server_b,它会自动通过 server_a 创建隧道并连接到 server_b。

我没有在任何服务器上存储任何公钥。相反,我复制了证书颁发机构的公钥,并在两台服务器上信任了该证书颁发机构。签署我的公钥后,我可以登录 JumpServer,使用 SSH-Agent,我可以使用我签署的密钥连接到目标服务器。因此,CA 设置似乎有效。

但是,通过 JumpServer 的隧道连接时,我无法到达目标服务器。我收到的错误消息是

user@local ~ % ssh server_b
Enter passphrase for key '/home/user/.ssh/id_rsa': *********
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

让我们看看本地计算机上的 ~/.ssh/config:

Host server_b
  User centos
  HostName 10.1.2.3
  ProxyJump server_a
  #ProxyCommand ssh -A -W %h:%p server_a

Host server_a
  User centos
  HostName 1.2.3.4

让我们深入了解 JumpServer(server_a)上的 SSHD 配置:

[root@ip-1-2-3-4 ssh]# grep -v "^#" sshd_config | grep -v "^$"
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa,[email protected],[email protected],[email protected],ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
Ciphers [email protected],[email protected],aes256-ctr
SyslogFacility AUTHPRIV
LogLevel INFO
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
MaxSessions 5
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding no
PermitOpen any
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp  /usr/libexec/openssh/sftp-server
AllowUsers centos root
TrustedUserCAKeys        /etc/ssh/ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
RevokedKeys              /etc/ssh/revoked_keys

由于我可以使用自己签名的密钥直接登录到该服务器,因此主体和所有部分均可以正常工作。

现在让我们看看目标服务器(server_b)上的 SSHD 配置:

[root@ip-10-1-2-3 ~]# grep -v "^$" /etc/ssh/sshd_config | grep -v "^#"
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa,[email protected],[email protected],[email protected],ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
Ciphers [email protected],[email protected],aes256-ctr
SyslogFacility AUTHPRIV
LogLevel INFO
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
MaxSessions 5
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
AllowTCPForwarding yes
PermitOpen any
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp  /usr/libexec/openssh/sftp-server
AllowUsers centos root
TrustedUserCAKeys        /etc/ssh/ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
RevokedKeys              /etc/ssh/revoked_keys

在 JumpServer(server_a)上,我获得了以下额外信息日志对于 SSHD:

May 29 09:59:35 ip-1-2-3-4.eu-central-1.compute.internal sshd[9246]: Postponed publickey for centos from 4.1.2.3 port 45978 ssh2 [preauth]
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal sshd[9246]: Accepted publickey for centos from 4.1.2.3 port 45978 ssh2: RSA-CERT ID vault-ldap-11223344-ae1ace4c904549c9fc104e96167162421d017b3f50459926571689878920a6d4 (serial 1970299968302716519) CA RSA SHA256:xvm7NsWz8XrR4fZZ4kp0RmKfgJkrMIme2PB59/7+GB0
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal systemd[1]: Created slice User Slice of centos.
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal systemd-logind[544]: New session 124 of user centos.
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal systemd[1]: Started Session 124 of user centos.
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal sshd[9246]: pam_unix(sshd:session): session opened for user centos by (uid=0)
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal sshd[9249]: refused local port forward: originator 127.0.0.1 port 65535, target 10.1.2.3 port 22
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal sshd[9246]: pam_unix(sshd:session): session closed for user centos
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal systemd-logind[544]: Removed session 124.
May 29 09:59:37 ip-1-2-3-4.eu-central-1.compute.internal systemd[1]: Removed slice User Slice of centos.

目标服务器(server_b)没有关于此连接尝试的任何日志。

我不知道我做错了什么。我已使用 setenforce 0 将 SELinux 设置为 Permissive,并清除了所有 IPTables 规则。未设置另一个防火墙。这是来自 AWS Marketplace 的默认 CentOS 7 AMI,除上述配置外,没有任何额外配置(sshd 配置)

当我将我的公钥添加到服务器的 ~/.ssh/authorized_keys 文件时,整个过程都可以工作,但此设置的目的是使用 CA 签名的密钥。

我很感激任何帮助!

答案1

我也遇到了这个问题,需要在证书扩展中添加“允许端口转发”。

相关内容