概括
我想使用 Rsync 和 SSH 在 2 个远程服务器之间复制文件。我发现这样做的方法是创建 SSH 隧道,但我尝试了几个示例,其中任何一个都有效。
细节
- 我有 3 台机器:1 台本地计算机和 2 台远程服务器
- 我可以使用本地 RSA 密钥通过 SSH 连接到两个远程服务器。
- 2 个远程服务器无法相互通信。远程服务器 #1 无法访问远程服务器 #2,反之亦然。
- 我可以分别 Rsync 到两个远程服务器
我尝试过
ssh -vvv -A \
-l user_remote1 \
-R localhost:50000:remote2:22 user_remote1@remote1 \
'rsync -e \
"ssh -A -o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
-o GlobalKnownHostsFile=/dev/null \
-p 50000" \
-var /home/user_remote1/test.txt user_remote2@localhost:/home/user_remote2'
该命令的输出
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug2: resolve_canonicalize: hostname remote1 is address
debug2: ssh_connect_direct
debug1: Connecting to remote1 [remote1] port 22.
debug1: Connection established.
debug1: identity file /Users/user_local/.ssh/id_rsa type 0
debug1: identity file /Users/user_local/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user_local/.ssh/id_dsa type -1
debug1: identity file /Users/user_local/.ssh/id_dsa-cert type -1
debug1: identity file /Users/user_local/.ssh/id_ecdsa type -1
debug1: identity file /Users/user_local/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/user_local/.ssh/id_ed25519 type -1
debug1: identity file /Users/user_local/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/user_local/.ssh/id_xmss type -1
debug1: identity file /Users/user_local/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to remote1:22 as 'user_remote1'
debug3: hostkeys_foreach: reading file "/Users/user_local/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user_local/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys from remote1
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc
debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:6gPivXbLGMtZsqEIwH4713sH1S/p/pQfHJ8+DoTsqc8
debug3: hostkeys_foreach: reading file "/Users/user_local/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user_local/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys from remote1
debug1: Host 'remote1' is known and matches the ECDSA host key.
debug1: Found key in /Users/user_local/.ssh/known_hosts:4
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/user_local/.ssh/id_rsa RSA SHA256:TRou12Aso7/pS0D7blnRJsw9YHeFmDjfPIgkrgu2l4o
debug1: Will attempt key: /Users/user_local/.ssh/id_dsa
debug1: Will attempt key: /Users/user_local/.ssh/id_ecdsa
debug1: Will attempt key: /Users/user_local/.ssh/id_ed25519
debug1: Will attempt key: /Users/user_local/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/user_local/.ssh/id_rsa RSA SHA256:TRou12Aso7/pS0D7blnRJsw9YHeFmDjfPIgkrgu2l4o
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/user_local/.ssh/id_rsa RSA SHA256:TRou12Aso7/pS0D7blnRJsw9YHeFmDjfPIgkrgu2l4o
debug3: sign_and_send_pubkey: RSA SHA256:TRou12Aso7/pS0D7blnRJsw9YHeFmDjfPIgkrgu2l4o
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to remote1 ([remote1]:22).
debug1: Remote connections from localhost:50000 forwarded to local address remote2:22
debug3: send packet: type 80
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/user_remote1/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/user_remote1/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 81
debug1: remote forward success for: listen localhost:50000, connect remote2:22
debug1: All remote forwarding requests processed
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request [email protected] confirm 0
debug3: send packet: type 98
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x20
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env TERM_PROGRAM
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env TMPDIR
debug3: Ignored env TERM_PROGRAM_VERSION
debug3: Ignored env OLDPWD
debug3: Ignored env TERM_SESSION_ID
debug3: Ignored env USER
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env PATH
debug3: Ignored env PWD
debug3: Ignored env XPC_FLAGS
debug3: Ignored env XPC_SERVICE_NAME
debug3: Ignored env HOME
debug3: Ignored env SHLVL
debug3: Ignored env LOGNAME
debug1: Sending env LC_CTYPE = UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env _
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug1: Sending command: rsync -e \\
"ssh -A -o StrictHostKeyChecking=no \\
-o UserKnownHostsFile=/dev/null \\
-o GlobalKnownHostsFile=/dev/null \\
-p 50000" \\
-var /home/user_remote1/test.txt user_remote2@localhost:/home/user_remote2
debug2: channel 0: request exec confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug3: receive packet: type 90
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 4 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 50000, originator ::1 port 56418
debug2: fd 7 setting O_NONBLOCK
debug2: fd 7 setting TCP_NODELAY
debug1: connect_next: host remote2 ([remote2]:22) in progress, fd=7
debug3: fd 7 is O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [::1]
debug1: confirm forwarded-tcpip
debug3: channel 1: waiting for connection
debug1: channel 1: connected to remote2 port 22
debug3: send packet: type 91
debug3: receive packet: type 90
debug1: client_input_channel_open: ctype [email protected] rchan 5 win 65536 max 16384
debug2: fd 8 setting O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug1: channel 2: new [authentication agent connection]
debug1: confirm [email protected]
debug3: send packet: type 91
debug2: channel 0: rcvd ext data 84
Warning: Permanently added '[localhost]:50000' (ECDSA) to the list of known hosts.
debug2: channel 0: written 84 to efd 6
debug3: receive packet: type 96
debug2: channel 2: rcvd eof
debug2: channel 2: output open -> drain
debug2: channel 2: obuf empty
debug2: channel 2: chan_shutdown_write (i0 o1 sock 8 wfd 8 efd -1 [closed])
debug2: channel 2: output drain -> closed
debug1: channel 2: FORCE input drain
debug2: channel 2: ibuf empty
debug2: channel 2: send eof
debug3: send packet: type 96
debug2: channel 2: input drain -> closed
debug2: channel 2: send close
debug3: send packet: type 97
debug3: channel 2: will not send data after close
debug3: receive packet: type 97
debug2: channel 2: rcvd close
debug3: channel 2: will not send data after close
debug2: channel 2: is dead
debug2: channel 2: garbage collecting
debug1: channel 2: free: authentication agent connection, nchannels 3
debug3: channel 2: status: The following connections are open:
#0 client-session (t4 r2 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1)
#1 ::1 (t4 r4 i0/0 o0/0 e[closed]/0 fd 7/7/-1 sock 7 cc -1)
#2 authentication agent connection (t4 r5 i3/0 o3/0 e[closed]/0 fd 8/8/-1 sock 8 cc -1)
debug2: channel 0: rcvd ext data 38
Permission denied, please try again.
debug2: channel 0: written 38 to efd 6
debug2: channel 0: rcvd ext data 38
Permission denied, please try again.
debug2: channel 0: written 38 to efd 6
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: chan_shutdown_read (i0 o0 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd ext data 229
debug3: receive packet: type 96
debug2: channel 1: rcvd eof
debug2: channel 1: output open -> drain
debug2: channel 1: obuf empty
debug2: channel 1: chan_shutdown_write (i0 o1 sock 7 wfd 7 efd -1 [closed])
debug2: channel 1: output drain -> closed
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: obuf_empty delayed efd 6/(229)
user_remote2@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.3]
debug2: channel 0: written 229 to efd 6
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i3 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 2
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r2 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)
#1 ::1 (t4 r4 i0/0 o3/0 e[closed]/0 fd 7/7/-1 sock 7 cc -1)
debug2: channel 1: read<=0 rfd 7 len 0
debug2: channel 1: read failed
debug2: channel 1: chan_shutdown_read (i0 o3 sock 7 wfd 7 efd -1 [closed])
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug3: send packet: type 96
debug2: channel 1: input drain -> closed
debug2: channel 1: send close
debug3: send packet: type 97
debug3: channel 1: will not send data after close
debug3: receive packet: type 97
debug2: channel 1: rcvd close
debug3: channel 1: will not send data after close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: ::1, nchannels 1
debug3: channel 1: status: The following connections are open:
#1 ::1 (t4 r4 i3/0 o3/0 e[closed]/0 fd 7/7/-1 sock 7 cc -1)
debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Transferred: sent 6168, received 6820 bytes, in 2.5 seconds
Bytes per second: sent 2488.0, received 2750.9
debug1: Exit status 255
我从该输出中搜索了几个相关主题,例如搜索“rsync 错误:io.c(226) [sender=3.1.3] 处无法解释的错误(代码 255)、”ssh debug1:下一个身份验证方法:密码“或”read_passphrase:无法打开 /dev/tty:没有这样的设备或地址“,但没有找到任何有用的信息。
命令是否有问题,或者我需要在服务器中进行自定义配置?任何反馈都会有帮助。谢谢。
答案1
您正在使用ssh -A。我知道您想通过ssh运行来访问您当地的。您希望通过这种方式使用本地密钥获得授权。这个计划很好。rsyncremote1ssh-agentremote2
您发布的详细输出告诉我ssh-agent正在本地运行,并且由ssh运行可以访问它。您仍然得到。从到 的(隧道)SSH 连接无法验证并关闭;无法继续()。rsyncremote1Permission denied (publickey,…remote1remote2rsyncrsync: connection unexpectedly closed
这强烈表明当地代理商没有持有正确的钥匙。man 1 ssh-agent内容如下:
代理最初没有任何私钥。当在 中设置时,使用
ssh-add(1)或 通过添加密钥。ssh(1)AddKeysToAgentssh_config(5)
向已启动的程序添加密钥的一种方法ssh-agent是ssh-add调用之前使用ssh。由于您想使用本地程序ssh将要使用的相同密钥,AddKeysToAgent因此也应该有效。您无需修改ssh_config,您可以在(本地)调用中直接传递选项ssh:
ssh -A -o AddKeysToAgent=yes …
(其中…表示您已经拥有的其余命令)。
请注意,这需要ssh-agent运行并SSH_AUTH_SOCK处于环境中,这样ssh才能与代理进行通信。看来您已经处理好了这一点。
有类似问题但对其了解不多ssh-agent以及如何正确启动它(或者他们不确定ssh-agent他们的操作系统、他们自己或其他什么是否已正确启动)的用户可能更喜欢以下命令:
ssh-agent ssh -A -o AddKeysToAgent=yes …
它启动一个单独的(新的)ssh-agent。代理将ssh在正确的环境中启动,因此两者可以进行通信。在某些情况下,这种形式特别有用(例子)。此处的形式并非必须,但它独立于任何之前启动的代理(或根本没有启动),并且应该可以立即使用,除非密钥存在问题。因此,如果您不熟悉,那么最后ssh-agent一个命令是最佳选择。ssh-agent以这种方式启动将在ssh退出后终止。
对于 OP 来说,有几点小改进需要做:
ssh -l user_remote1 user_remote1@remote1是多余的,它指定了user_remote1两次。指定用户和服务器的方法很少。在一次调用中使用多个方法几乎没有用处(请参阅有用的边缘情况)。我认为在命令(on ) 中
remote2无需访问本地ssh-agent.因此是多余的。该命令无论如何都可以工作,但请注意-Asshrsyncremote1man 1 ssh状态:应谨慎启用代理转发。能够绕过远程主机上的文件权限(对于代理的 UNIX 域套接字)的用户可以通过转发的连接访问本地代理。攻击者无法从代理获取密钥材料,但他们可以对密钥执行操作,使他们能够使用加载到代理中的身份进行身份验证。
从本地到
-A时需要;攻击者坐在 上是您需要承担的风险。连接到 时多余的只是攻击者坐在 上 的机会。sshremote1remote1-Aremote2remote2