ssh known_hosts seems to be ignored when ssh is run from a launchd agent on macOS

I have a service that uses ssh to fetch data. This works on Linux under systemd, but when I try to do the equivalent on a Mac, I believe the ~/.ssh/known_hosts file is not being respected, because running the equivalent command under launchd produces:

Host key verification failed.
kex_exchange_identification: Connection closed by remote host

This works correctly if run from a normal user shell. It should normally pick up the CA from the user's known_hosts file, which looks like this...

@cert-authority *.consul,*.ap-southeast-2.compute.amazonaws.com ssh-rsa AAB3NzaC1yc2EAAAADAQABAAACAQDi0oKOI9NP9...

Here is the snippet of the ssh command, set up to run when a condition is met. It passes the ssh certificate and my private key through a bastion in order to ssh to a client in a private subnet.

ssh -i "$HOME/.ssh/id_rsa-cert.pub" -i "$HOME/.ssh/id_rsa" -o ProxyCommand="ssh -i \"$HOME/.ssh/id_rsa-cert.pub\" -i \"$HOME/.ssh/id_rsa\" $host1 -W %h:%p" $host2 "bash -s" < $SCRIPTDIR/myscript.sh "$arg1" "$arg2"

Here is the launchd agent, set to run every 60 seconds.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>com.firehawkvfx.awsauthdeadlinecert</string>
    <key>ProgramArguments</key>
    <array>
      <string>/Users/user/git/firehawk/deploy/firehawk-main/modules/terraform-aws-vpn/modules/openvpn-vagrant-client/scripts/firehawk-auth-scripts/aws-auth-deadline-cert</string>
      <string>--resourcetier</string>
      <string>dev</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>60</integer>
    <key>WorkingDirectory</key>
    <string>/Users/user/git/firehawk/deploy/firehawk-main/modules/terraform-aws-vpn/modules/openvpn-vagrant-client/scripts/firehawk-auth-scripts</string>
    <key>StandardInPath</key>
    <string>/Users/user/log.aws-auth-deadline-cert.stdin</string>
    <key>StandardOutPath</key>
    <string>/Users/user/log.aws-auth-deadline-cert.stdout</string>
    <key>StandardErrorPath</key>
    <string>/Users/user/log.aws-auth-deadline-cert.stderr</string>
    <key>EnvironmentVariables</key>
    <dict>
      <key>PATH</key>
      <string>/bin:/usr/bin:/usr/local/bin</string>
    </dict>
  </dict>
</plist>

If I increase the verbosity of the ssh command, I get:

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: [email protected]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host certificate: [email protected] SHA256:uzolMYuNeaBEn3oA8Dm97ITVGaiMXO5mR/rHjLTPKzM, serial 15833844398015366422 ID "vault-aws-bastion_instance_role_dev0-lkj23h5l2jh5l23j5h23l5jh2" CA ssh-rsa SHA256:k2j35b23j5+23kj5h23k5jh valid from 2021-06-20T17:52:00 to 2031-06-18T17:52:30
debug1: No matching CA found. Retry with plain key
debug1: read_passphrase: can't open /dev/tty: Device not configured
Host key verification failed.
kex_exchange_identification: Connection closed by remote host
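The debug line "No matching CA found. Retry with plain key" means ssh found no @cert-authority entry whose host pattern matched the name it was asked to connect to, so it fell back to ordinary host-key checking and then tried to prompt on a tty that launchd does not provide ("can't open /dev/tty"). Whether a pattern matches depends on the exact host name ssh was given (after any Hostname or HostKeyAlias rewriting in ssh_config), not on the resolved address. The script below is an added diagnostic, not code from the question or from the firehawk project: it reproduces ssh's @cert-authority host-pattern matching in plain POSIX sh so you can test which name a known_hosts file actually covers. The known_hosts content is a constructed sample with placeholder key blobs; the function name cert_authority_match and the sample host names are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic (hypothetical, not the poster's code): list the
# @cert-authority lines in KNOWN_HOSTS whose host pattern list matches
# HOST, the way ssh matches them (comma-separated globs with * and ?,
# a leading ! negates a pattern). Returns 0 if any line matched,
# 1 otherwise. Hashed entries (|1|...) are skipped because matching
# them needs the HMAC salt; [host]:port forms are not handled.
cert_authority_match() {
    known_hosts=$1
    host=$2
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '@cert-authority '*) ;;   # only CA marker lines are of interest
            *) continue ;;            # comments, plain keys, hashed entries
        esac
        # second field is the comma-separated host pattern list
        patterns=${line#"@cert-authority "}
        patterns=${patterns%% *}
        rest=$patterns
        matched=0
        negated=0
        while [ -n "$rest" ]; do
            pat=${rest%%,*}
            if [ "$pat" = "$rest" ]; then
                rest=
            else
                rest=${rest#*,}
            fi
            # unquoted $pat in a case label is evaluated as a glob pattern
            case $pat in
                '!'*) case $host in ${pat#!}) negated=1 ;; esac ;;
                *)    case $host in $pat)     matched=1 ;; esac ;;
            esac
        done
        if [ "$matched" -eq 1 ] && [ "$negated" -eq 0 ]; then
            printf '%s\n' "$line"
            found=0
        fi
    done <"$known_hosts"
    return "$found"
}

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
sample_known_hosts=$(mktemp)
cat >"$sample_known_hosts" <<'EOF'
# constructed sample file
@cert-authority *.consul,*.ap-southeast-2.compute.amazonaws.com ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
|1|c2FsdHNhbHRzYWx0c2FsdA=|aGFzaGVkaG9zdGhhc2hlZGhvc3Q= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER
EOF

# Sample host names (constructed): two that the CA line covers, one it does not.
for h in node1.consul ip-10-0-0-5.ap-southeast-2.compute.amazonaws.com 10.0.0.5; do
    if cert_authority_match "$sample_known_hosts" "$h" >/dev/null; then
        echo "$h: a @cert-authority line matches"
    else
        echo "$h: no matching CA, ssh would fall back to plain host-key checking"
    fi
done
```

Run it against the real file with the exact name the agent passes to ssh (for example `cert_authority_match "$HOME/.ssh/known_hosts" "$host2"`): a bare IP address or an unqualified name will not match `*.consul` or `*.ap-southeast-2.compute.amazonaws.com`, which is one common reason a CA that works interactively is reported as missing from an automated job. Pairing the ssh invocation with `-o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$HOME/.ssh/known_hosts"` makes the failure explicit instead of leaving ssh to attempt a prompt on a tty it does not have.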
