In a RHEL6 environment with Powerbroker, where I cannot reach the hosts directly, I can hop to them through a jump box/gateway:
This explicit command works without any configuration, but it is verbose:
dk@local $ ssh -t dk@gateway 'pbrun -u sysuser -h remote bash'
dk@gateway's password:
sysuser@remote's password:
sysuser@remote $
I am looking for a way/configuration to simplify the above command to something like ssh remote. As shown above, the end result should be a login as sysuser (not dk). Note the authentication through Powerbroker (the pbrun command).
Is it possible to achieve this simply via ~/.ssh/config? If so, do you see any obvious fix for the commands/configurations I have tried?
Limitations:
I cannot use public key authentication (PKA) to establish trust between the servers, because the security policy forbids it. All authentication must go through Powerbroker (see the pbrun command above).
Authentication from the gateway to remote is enforced through Powerbroker (see the pbrun command).
What I have tried:
dk@local $ cat .ssh/config
Host behindProxy
HostName remote
ProxyCommand ssh -t dk@gateway 'pbrun -u sysuser -h %h bash'
dk@local $ ssh behindProxy
Pseudo-terminal will not be allocated because stdin is not a terminal.
dk@gateway's password:
pbrun8.5.1-01[4377]: 3346: TTY is no longer available
ssh_exchange_identification: Connection closed by remote host
dk@local $
dk@local $ cat ~/.ssh/config
Host behindProxy
HostName remote
ProxyCommand ssh -W %h:%p dk@gateway 'pbrun -u sysuser -h %h bash'
dk@local $ ssh behindProxy
dk@gateway's password:
dk@remote's password:
dk@remote $ # undesired, as the goal is to end up logged in as sysuser (see the pbrun command)
dk@local $ cat ~/.ssh/config
Host behindProxy
ProxyJump gateway
ProxyCommand pbrun -u sysuser -h remote bash
dk@local $ ssh behindProxy
dk@gateway's password:
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
Answer 1
The two configurations I found to work are:
dk@local $ cat ~/.ssh/config
Host behindProxy
HostName gateway
LocalCommand pbrun -u sysuser -h remote bash
PermitLocalCommand yes
dk@local $ ssh behindProxy
dk@gateway's password:
sysuser@remote's password:
sysuser@remote $
However, this connection does not really originate from the gateway:
sysuser@remote $ last -1 -w
dk pts/18 local.domain.com Sun Nov 8 22:03 still logged in
Or:
dk@local $ cat ~/.ssh/config
Host behindProxy2
HostName gateway
RemoteCommand pbrun -u sysuser -h remote bash
dk@local $ ssh -t behindProxy2
dk@gateway's password:
sysuser@remote's password:
sysuser@remote $
Proof that the connection does go through the gateway:
sysuser@remote $ last -1 -w
dk pts/18 gateway.domain.com Sun Nov 8 22:06 still logged in
Note that the -t option is required here, otherwise an error occurs:
dk@local $ ssh behindProxy2
dk@gateway's password:
sysuser@remote's password: pbrun8.5.1-01[20295]: 3346: TTY is no longer available
Having to supply -t can be avoided by specifying RequestTTY force:
dk@local $ cat ~/.ssh/config
Host behindProxy2
HostName gateway
RequestTTY force
RemoteCommand pbrun -u sysuser -h remote bash
dk@local $ ssh behindProxy2
dk@gateway's password:
sysuser@remote's password:
sysuser@remote $
Answer 2
A simple way is to use ssh JumpHosts; you can use ssh keys to avoid typing the password twice:
ssh -J <username>@<gateway_host>:<port> <username>@<remote_host>:<port>
Since your last edit:
First, you cannot use ProxyJump and ProxyCommand at the same time, because ProxyJump is shorthand for a ProxyCommand made of ssh and some arguments.
A better way is to ssh directly in the ProxyCommand directive:
Host behindProxy
HostName gateway
ProxyCommand ssh -W %h:%p sysuser@remote 'bash'
Another approach could be to use RemoteCommand together with pbrun, as suggested in the comments section.
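As an added example that is not part of the original question or either answer: the two pitfalls that recur in this thread are a RemoteCommand run without a pseudo-terminal (pbrun then aborts with "TTY is no longer available", which Answer 1 avoids with RequestTTY force) and a Host block that sets both ProxyJump and ProxyCommand (which Answer 2 points out cannot be combined). The POSIX shell script below lints an ssh_config-style file for exactly those two conditions. The function names, the host aliases behindProxy3 and mixed, and the sample config it writes are constructed for the demonstration; only behindProxy2 and the pbrun command line come from the answers.

```shell
#!/bin/sh
# Added example (not from the original question or answers): a small lint for
# ssh_config-style files that flags two misconfigurations discussed above:
#   1. RemoteCommand without "RequestTTY force" (pbrun fails with
#      "TTY is no longer available" when no pseudo-terminal is allocated)
#   2. ProxyJump and ProxyCommand in the same Host block (they are mutually
#      exclusive; ProxyJump is shorthand for a ProxyCommand)
# The host aliases and the sample config below are constructed for the demo.

# lint_ssh_config FILE: prints one "host: problem" line per finding.
lint_ssh_config() {
    awk '
    function flush() {
        if (host == "") return
        if (rc && !tty) print host ": RemoteCommand without RequestTTY force"
        if (pj && pc) print host ": ProxyJump and ProxyCommand both set"
    }
    # skip comments and blank lines
    /^[ \t]*#/ || NF == 0 { next }
    # a Host line starts a new block; report the previous block first
    tolower($1) == "host" { flush(); host = $2; rc = 0; tty = 0; pj = 0; pc = 0; next }
    tolower($1) == "remotecommand" { rc = 1 }
    tolower($1) == "requesttty" && tolower($2) == "force" { tty = 1 }
    tolower($1) == "proxyjump" { pj = 1 }
    tolower($1) == "proxycommand" { pc = 1 }
    END { flush() }
    ' "$1"
}

# write_sample_config FILE: constructed sample mirroring the configs in the answers.
write_sample_config() {
    cat > "$1" <<'EOF'
# works only when "ssh -t" is given on the command line
Host behindProxy2
    HostName gateway
    RemoteCommand pbrun -u sysuser -h remote bash

# correct: the TTY is requested in the config itself
Host behindProxy3
    HostName gateway
    RequestTTY force
    RemoteCommand pbrun -u sysuser -h remote bash

# broken: ProxyJump and ProxyCommand cannot be combined
Host mixed
    ProxyJump gateway
    ProxyCommand pbrun -u sysuser -h remote bash
EOF
}

# Demo: lint a temporary copy of the constructed sample config.
demo_file=$(mktemp)
write_sample_config "$demo_file"
lint_ssh_config "$demo_file"
rm -f "$demo_file"
```

Run it against your real file with `lint_ssh_config ~/.ssh/config`; a clean file produces no output. The check is deliberately conservative: it only reads the first pattern on each Host line and does not evaluate Match blocks or Include directives, so treat a finding as something to look at rather than a definitive verdict.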